After spending a fair bit of time searching list archives and Google results, I've managed to make ntlm_auth work for both users and machine accounts.
This fix requires patching of Samba (thanks go to Mike McCauley of OSC/Radiator for the howto on the fix and to Matthew Alexander for pointing it out in Samba's lists). This patch may break Samba for other purposes, as I have only tested it to verify ntlm_auth can do both user and account challenge/response authentication for MSCHAPv2 for PEAP.

The second part to the fix is an ntlm_auth wrapper that deals with DOMAIN\\user format usernames and translates WinXP "host/" machine names to NT machine usernames.

---BEGIN /usr/local/bin/ntlm_auth_hack---
#!/usr/bin/perl
my $ARGS = join(" ", @ARGV);
if ($ARGS =~ m{--username=host/\S+}) {
    # WinXP machine auth: host/NAME.dns.suffix -> NT machine account NAME$
    # (\S* so a name without a DNS suffix keeps its last character)
    $ARGS =~ s{--username=host/([^\s.]+)\S*}{--username $1\$};
} else {
    # DOMAIN\\user -> --domain=DOMAIN --username=user
    $ARGS =~ s{--username=([^\\]+)\\\\}{--domain=$1 --username=};
}
# List-form system() runs ntlm_auth directly, without a shell
my $rc = system("/usr/local/bin/ntlm_auth", split(" ", $ARGS));
# Pass failure back to the caller instead of always exiting 0
exit($rc == 0 ? 0 : 1);
---END /usr/local/bin/ntlm_auth_hack---

And so the example is somewhere other than my head, the following returns the appropriate attributes to a Cisco AP to assign a particular vlan, in this case, vlan-266, when doing EAP.

# Assign a VLAN to any user from this station
DEFAULT Calling-Station-Id == "1234.1234.1234"
        Framed-Type = Framed,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-ID:1 = 100

And another fun one:

# Assign a particular VLAN to a user from a particular station
DOMAIN\\user Calling-Station-Id == "1234.1234.1234"
        Framed-Type = Framed,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802,
        Tunnel-Private-Group-ID:1 = 200

Naturally the DEFAULT should come after the specific user match.

[uuencoded attachment cli_netlogon.c.patch omitted]
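Added example, not part of the original post: the wrapper's two username translations done per argument in Python, so arguments that contain spaces are never re-split and ntlm_auth's own exit status reaches the caller. It goes slightly beyond the post by also accepting a single backslash and a host/ name without a DNS suffix; those two cases and the names HOST_RE, DOMAIN_RE and rewrite_args are assumptions of this example.

```python
#!/usr/bin/env python3
"""Per-argument ntlm_auth wrapper (added example, not the post's script)."""
import os
import re
import sys

NTLM_AUTH = "/usr/local/bin/ntlm_auth"  # path used in the post

# host/NAME or host/NAME.dns.suffix -> machine account NAME$
HOST_RE = re.compile(r"^host/([^\s./\\]+)(?:\.\S*)?$")
# DOMAIN\user or DOMAIN\\user (assumption: the backslash may arrive doubled)
DOMAIN_RE = re.compile(r"^([^\\\s]+)\\{1,2}([^\\]+)$")


def rewrite_args(argv):
    """Return argv with --username=... translated; other arguments untouched."""
    out = []
    for arg in argv:
        if not arg.startswith("--username="):
            out.append(arg)  # never re-split: spaces stay inside one argument
            continue
        value = arg[len("--username="):]
        m = HOST_RE.match(value)
        if m:
            out.append("--username=" + m.group(1) + "$")
            continue
        m = DOMAIN_RE.match(value)
        if m:
            out.append("--domain=" + m.group(1))
            out.append("--username=" + m.group(2))
            continue
        out.append(arg)  # plain username: pass through unchanged
    return out


if __name__ == "__main__":
    # execv replaces this process, so ntlm_auth's output and exit status
    # reach the RADIUS server unchanged.
    os.execv(NTLM_AUTH, [NTLM_AUTH] + rewrite_args(sys.argv[1:]))
```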