Thanks for the replies.

Regards,
-Sayantan

>>> On Mon, Jan 30, 2006 at 6:55 pm, in message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> Sayantan Bhowmick wrote:
>> Hi,
>> I am trying a similar setup with some variation.
>>
>>> If there is no PDC, there's no domain, so there *is* no machine
>>> account.
>>
>> I have set up a Samba PDC and am using Novell eDirectory as the back-end
>> store. In this scenario, is it possible to perform PEAP-MSCHAPv2 machine
>> authentication by adding the WinXP machine to the Samba PDC and without
>> using ntlm_auth? Any help will be much appreciated.
>
> Maybe. It's not a common use-case.
>
> There should be an account in the domain of MACHINENAME$ - it should
> have an ntPassword LDAP attribute (or whatever it's called in your
> schema). If you set up the FreeRadius LDAP module to correctly extract
> the ntPassword attribute and add it as an NT-Password configure item, I
> don't see any reason the FreeRadius ms-chap module wouldn't work.
>
> So, something like:
>
> modules {
>   mschap {
>   }
>   ldap {
>     # configure LDAP here
>   }
> }
> authorize {
>   preprocess
>   mschap
>   eap
>   ldap
> }
> authenticate {
>   Auth-Type MS-CHAP {
>     mschap
>   }
>   eap
> }
>
> The "configure LDAP here" should be fairly straightforward - read the
> default configuration and unless you have a non-standard setup things
> should work.
>
> Things you might have to alter:
>
> 1. If your LDAP schema puts the NT hash in an attribute other than
> ntPassword, edit the "ldap.attrmap" file
> 2. If your LDAP schema does not contain the ntPassword but uses the
> Novell eDir "universal password" stuff (I'm not sure how that would work
> as a samba backend, so I doubt it) read the comments about setting up
> eDir in the default radiusd.conf
>
> Other possible issues - the machine may announce itself as
> "HOST/MACHINENAME" in which case you need to fix that - see posts on the
> mailing list about using the "hints" file to strip the host/ and append
> a $ but I can't find them because the FreeRadius archives are
> unsearchable (every "help me" post with FR debug output contains those
> strings!)
>
>>
>>
>> Regards,
>> - Sayantan
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
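
The name rewrite mentioned in the quoted reply (strip the host/ prefix, append a $), as an added example that is not part of the original thread and is not FreeRADIUS code. The function name, the handling of a dotted host name and the 15-character name limit are assumptions of this sketch; the sample identities are constructed.

```python
import re

# Case-insensitive "host/" prefix, as in the "HOST/MACHINENAME" identity
# the reply describes.
_HOST_PREFIX = re.compile(r"host/", re.IGNORECASE)

# Assumption: machine names are NetBIOS-style (letters, digits, hyphen,
# at most 15 characters). Anything else is rejected rather than passed
# on to the directory lookup.
_MACHINE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,14}")


def normalize_identity(identity):
    """Map a machine identity to the MACHINENAME$ account name.

    Identities without the host/ prefix are treated as ordinary user
    names and returned unchanged.
    """
    prefix = _HOST_PREFIX.match(identity)
    if prefix is None:
        return identity

    host = identity[prefix.end():]
    # Assumption: if the machine sends a dotted name, only the first
    # label is the account name.
    short = host.split(".", 1)[0]

    # fullmatch, not match: a trailing newline or stray characters must
    # not slip through.
    if _MACHINE_NAME.fullmatch(short) is None:
        raise ValueError("malformed machine identity: %r" % identity)
    return short + "$"


if __name__ == "__main__":
    # Constructed sample identities.
    for sample in ("HOST/MACHINENAME", "host/wkstn01.example.test", "sayantan"):
        print(sample, "->", normalize_identity(sample))
```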