Sayantan Bhowmick wrote:
Hi,
I am trying a similar setup with some variation.
If there is no PDC, there's no domain, so there *is* no machine
account.

I have set up a Samba PDC and am using Novell eDirectory as the back-end
store. In this scenario, is it possible to perform PEAP-MSCHAPv2 machine
authentication by adding the WinXP machine to the Samba PDC, without
using ntlm_auth? Any help will be much appreciated.

Maybe. It's not a common use-case.

There should be an account in the domain of MACHINENAME$ - it should have an ntPassword LDAP attribute (or whatever it's called in your schema). If you set up the FreeRadius LDAP module to correctly extract the ntPassword attribute and add it as an NT-Password configuration item, I don't see any reason the FreeRadius ms-chap module wouldn't work.

So, something like:

modules {
  mschap {
    # defaults are fine; no ntlm_auth needed when NT-Password
    # is supplied from LDAP
  }
  ldap {
    # configure LDAP here
  }
}
authorize {
  preprocess
  mschap    # sets Auth-Type MS-CHAP when MS-CHAP attributes are present
  eap
  ldap      # looks up MACHINENAME$ and adds NT-Password from ntPassword
}
authenticate {
  Auth-Type MS-CHAP {
    mschap
  }
  eap
}

The "configure LDAP here" should be fairly straightforward - read the default configuration and unless you have a non-standard setup things should work.

Things you might have to alter:

1. If your LDAP schema puts the NT hash in an attribute other than ntPassword, edit the "ldap.attrmap" file.
2. If your LDAP schema does not contain the ntPassword but uses the Novell eDir "universal password" stuff (I'm not sure how that would work as a samba backend, so I doubt it), read the comments about setting up eDir in the default radiusd.conf.

Other possible issues - the machine may announce itself as "HOST/MACHINENAME" in which case you need to fix that - see posts on the mailing list about using the "hints" file to strip the host/ and append a $ but I can't find them because the FreeRadius archives are unsearchable (every "help me" post with FR debug output contains those strings!)



Regards,
-Sayantan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

