freeradius windows machine authentication

Matthew Newton mcn at freeradius.org
Wed Aug 30 10:57:00 UTC 2023


On 30/08/2023 11:09, Härtl, Calvin wrote:
> (6) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> (6) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (6) mschap:    --> --username=host/HOSTNAME.DOMAIN.COM
> (6) mschap: Creating challenge hash with username: host/HOSTNAME.DOMAIN.COM
> (6) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (6) mschap:    --> --challenge=ef98e59da6aea4aa
> (6) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (6) mschap:    --> --nt-response=1e7106295666480efb781446f97f618e57e09017da042590
> (6) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
> (6) mschap: External script failed
> (6) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)

I think this used to work, but not 100% sure. You might need to mangle 
the username into the format AD uses for computers, 
"HOSTNAME.DOMAIN.COM$" or "HOSTNAME$" for example.

> My FreeRADIUS server is connected to our Active Directory via SAMBA and winbind, and I checked that the users can authenticate via radtest.
> Is FreeRADIUS natively capable of doing machine authentication via AD, do I have to configure some additional files or are there any modules that I can install to do this for me?

The usual way to do this is to set up EAP-TLS and use the AD-managed 
machine certificate for auth. Much more secure and faster authentication 
as well. It's one of the easiest setups for EAP-TLS with Windows clients 
because AD manages all the certificates for you.

I would investigate that rather than spending time on trying to get 
MSCHAPv2 working for machine auth.

-- 
Matthew
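The username mangling suggested above, as an added example that is neither code from this thread nor a verbatim copy of the FreeRADIUS project defaults. It assumes the stock rlm_mschap of FreeRADIUS 3.x and, as my understanding rather than something the thread states, that its `%{mschap:User-Name}` xlat exists for exactly this case: it hands ntlm_auth `HOSTNAME$` for a `host/HOSTNAME.DOMAIN.COM` identity while the MS-CHAPv2 challenge hash is still computed over the name the client actually sent. That is why the change goes on the ntlm_auth command line rather than into the authorize section: rewriting Stripped-User-Name in unlang would also change the challenge hash (rlm_mschap prefers Stripped-User-Name when building it, as the "Creating challenge hash with username" line in the debug output shows) and the NT-Response would no longer verify. The path `/usr/bin/ntlm_auth` is taken from the quoted debug output.

```unlang
# mods-available/mschap (FreeRADIUS 3.x), added example.
# Edit the existing ntlm_auth line in place rather than adding a second one.
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes

	# The setting that produced the failure in the debug output above: the
	# name handed to ntlm_auth is the identity as sent by the client,
	# host/HOSTNAME.DOMAIN.COM, which is not the sAMAccountName of an AD
	# computer object (those are HOSTNAME$), so AD answers 0xc000006d.
	#ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	# Corrected setting. Assumption (not from the thread): the mschap
	# module's User-Name xlat maps host/HOSTNAME.DOMAIN.COM to HOSTNAME$ and
	# passes ordinary DOMAIN\user and user@domain names through unchanged,
	# so the same line keeps serving interactive user logons.
	# If winbind's default domain is not the one the machines live in, add
	# --domain=YOURDOMAIN (a placeholder) next to --username.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Check it before trusting it: run `radiusd -X`, authenticate the machine again, and confirm that the `mschap: EXPAND --username=...` line now reads `--username=HOSTNAME$` (no `host/` prefix, no DNS suffix) and that ntlm_auth returns 0. If the EXPAND line still shows the `host/` form, your build's xlat does not perform the mapping and the advice above about mangling the name still stands, but it then has to be done where the challenge hash is not affected.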

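The EAP-TLS setup recommended above, as an added example that is not configuration from this thread or from the FreeRADIUS project. It assumes FreeRADIUS 3.x with the stock `mods-available/eap` layout, that the AD Certificate Services issuing CA has been exported as a PEM file, and that the Windows side already gets a computer certificate through auto-enrolment and a wired or wireless network policy using "Smart card or other certificate" with computer authentication. All file names are placeholders.

```unlang
# mods-available/eap (FreeRADIUS 3.x), added example, cut down to the
# settings that matter for machine EAP-TLS against AD-issued certificates.
eap {
	# Offer EAP-TLS first; a Windows machine-auth profile negotiates it directly.
	default_eap_type = tls
	timer_expire = 60
	max_sessions = ${max_requests}

	tls-config tls-common {
		# The RADIUS server's own certificate. Windows validates it against
		# the roots it trusts, so issue it from the AD CA too (or from a CA
		# the policy explicitly names). Placeholder file names.
		private_key_file = ${certdir}/radius.key
		certificate_file = ${certdir}/radius.pem

		# Trust anchor for client (machine) certificates: the AD issuing CA
		# chain, exported as PEM. Only certificates chaining to it pass the
		# handshake, so no identity is even looked at for anything else.
		ca_file = ${cadir}/ad-issuing-ca.pem
		ca_path = ${cadir}

		# Revocation: with check_crl = yes, CRLs must be present in ca_path
		# and hashed (c_rehash ${cadir}) after each download from the AD CA.
		check_crl = yes

		tls_min_version = "1.2"
		cipher_list = "DEFAULT"
		ecdh_curve = "prime256v1"
		dh_file = ${certdir}/dh

		cache {
			enable = no
		}
	}

	tls {
		tls = tls-common
	}
}
```

Two things a practitioner should check once this works: first, that the EAP-TLS outer identity (`host/HOSTNAME.DOMAIN.COM`) is never used for authorisation on its own, since it is an unauthenticated string from the client; decisions belong on the verified certificate attributes FreeRADIUS populates, such as `TLS-Client-Cert-Common-Name` and `TLS-Client-Cert-Issuer`, restricted to your issuing CA. Second, that `radiusd -X` shows the full chain being verified and the client certificate attributes in the request, rather than the handshake succeeding with `ca_path` quietly picking up more CAs than intended.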