Authenticate with machine account and without ntlm_auth

Dave Funk dbfunk at engineering.uiowa.edu
Thu Nov 14 18:40:40 UTC 2024


On Thu, 14 Nov 2024, Alan DeKok wrote:

> On Nov 14, 2024, at 12:25 PM, Rodrigo Antunes via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> Hi, I'd like to authenticate a PC using its machine account and the mschap module, without calling ntlm_auth, is this possible?
>
>  It depends.
>
>  If all of the passwords are in Active Directory, then you have to use ntlm_auth.
>
>> I noticed the machine sends its user as "host/machinename" but I don't know how to obtain and check its password.
>
>  You should be able to just check the machine credentials.  Try it with ntlm_auth.  It's a command-line tool that can be used on its own.
>
>> Maybe I should check the nt-hashes in users file?
>
>  You will need the correct password, and then store that in the "users" file.

If the PC is a member of an Active Directory domain that approach will be 
problematic because the domain periodically changes machine passwords.

If using ntlm_auth is so fraught with issues that it needs to be avoided, another 
approach would be to use EAP-TLS with the PC's SSL certificate that was issued by 
the domain (assuming your AD domain has a CA).

Dave

-- 
Dave Funk                               University of Iowa
<dbfunk (at) engineering.uiowa.edu>     College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

