freeradius windows machine authentication
Matthew Newton
mcn at freeradius.org
Wed Aug 30 11:51:24 UTC 2023
On 30/08/2023 12:11, Nick Porter wrote:
> As Matthew said, EAP-TLS is likely a better option, however, if you have
> to use MSCHAPv2, I have done this by using the winbind authentication
> method instead of ntlm_auth.
Good catch. We set the WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT and
WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT flags so these auths are allowed.
(To be fair it's been over 7 years since I wrote that... so some excuse
for forgetting it!)
I just tried ntlm_auth and it doesn't seem to like using a computer
account, but someone would need to look at the code to see if those
flags are set to confirm for certain.
>
> In mods_enabled/mschap:
>
> - comment out ntlm_auth = ....
>
> - uncomment winbind_username = "%{mschap:User-Name}"
Yes, the %{mschap:User-Name} xlat code specifically looks for host/ and
fixes things up with the $ suffix as required.
But... use TLS :)
--
Matthew
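As an added illustration (not code from this thread or from FreeRADIUS itself), a small Python emulation of the host/ fix-up described above, so it is clear what name winbind is handed for a computer account. The exact rule used here (strip host/, keep the first DNS label, append $) is an assumption made for the example, not a statement of rlm_mschap's source.

```python
"""Emulate the identity fix-up the %{mschap:User-Name} xlat applies for
machine (computer-account) authentication.

Hypothetical re-implementation for illustration only; not FreeRADIUS code.
Assumed rule: an EAP identity of the form host/<name>.<dns-domain> becomes
<name>$, which is how Active Directory names a computer's account, while any
other identity passes through unchanged.
"""


def mschap_user_name(identity: str) -> str:
    """Return the account name that would be handed to winbind/NTLM."""
    # Match "host/" case-insensitively; Windows supplicants send "host/" but
    # the prefix is compared without regard to case here.
    if identity[:5].lower() == "host/":
        fqdn = identity[5:]
        # Computer accounts are named after the first DNS label plus '$'.
        short = fqdn.split(".", 1)[0]
        if not short:
            raise ValueError(f"malformed machine identity: {identity!r}")
        return short if short.endswith("$") else short + "$"
    # Ordinary user identities (including DOMAIN\user) are left alone.
    return identity


def demo() -> list:
    """Constructed sample identities and the names they map to."""
    samples = ("host/pc01.corp.example", "host/pc02", "alice", "CORP\\bob")
    return [(i, mschap_user_name(i)) for i in samples]


if __name__ == "__main__":
    for identity, account in demo():
        print(f"{identity!r:32} -> {account!r}")
```

The mapped name (pc01$) is what the winbind_username setting passes on; the account lookup itself is done by winbind against the domain, which is why the two trust-account flags matter.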