We pass hostname$ to ntlm_auth by rewriting the User-Name attribute as follows:
attr_rewrite machine_UserName {
        attribute = User-Name
        searchin = packet
        searchfor = "^host/(.*).domain.name"
        replacewith = "%{1}$"
        ignore_case = yes
        new_attribute = no
        max_matches = 1
        append = no
}

This changes host/hostname.domain.name to hostname$. Then include machine_UserName in the authorize and authenticate sections before mschap.

________________________________
From: freeradius-users-bounces+neal.garber=energyeast....@lists.freeradius.org [mailto:freeradius-users-bounces+neal.garber=energyeast....@lists.freeradius.org] On Behalf Of Rupert Finnigan
Sent: Monday, June 01, 2009 2:59 PM
To: FreeRadius users mailing list
Subject: NTLM Auth Help

Hi All,

Wonder if someone can help me resolve a problem I'm experiencing....

I'm using FreeRADIUS to provide AAA for 802.1X for wireless in a number of sites. It doesn't need to be 100% up all the time, and so I've got one server back in our central site that handles all the requests over our site-to-site VPNs. The users are stored in either AD or SQL. SQL is fine, and I've modified the queries to suit my environment. My real problem is with the AD....

I can get it to authenticate users no problems, but not machines. I've got three AD domains I have users in that I need to authenticate: WB-UK, WB-US & WB-AU. These are sub-domains of WB-ROOT, which has no users and is there simply to provide trusts etc. All my users can authenticate fine, as the ms-chap module fills in the nt-domain variable and all is good. However, host authentication fails...

I need host authentication to facilitate password expiration messages and changes to keep everyone authenticating OK, and not getting locked out. I'm sure that someone's dealt with this before, and so I'd be very grateful for feedback and help.

What do I need to supply to ntlm_auth for a machine user name, the "host/machine.domain.local" style, or the "$machine$" style?

And, is this a problem best solved by setting the ntlm_auth program variable based on unlang checks against an extracted realm? Or, is there another way to make this all behave? I've tried using Alan's suggested line on the "how-to" on deployingradius.org, but the "if no nt-domain, use a manually entered default" bit seems to confuse host auth.

Many thanks in advance for any help offered,

Rupes
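An offline check of the attr_rewrite rule from the reply, added here as an example and not taken from either message: it emulates the module's match-and-replace in Python so the posted pattern can be exercised against sample User-Name values before it sits in front of ntlm_auth, and shows that the unescaped dots and missing end anchor make it match a little more than "host/hostname.domain.name". The STRICT_SEARCHFOR pattern and the sample names are assumptions constructed for the example.

```python
import re

# Transcription of the attr_rewrite block from the reply above so it can be
# exercised offline. attr_rewrite's "%{1}" back-reference is Python's "\1";
# the trailing "$" in the replacement is a literal character in both.
POSTED_SEARCHFOR = r"^host/(.*).domain.name"   # dots unescaped, as posted
REPLACEWITH = r"\1$"

# Tightened pattern (an assumption added here, not from the thread): literal
# dots, a single label for the host part, and an end anchor.
STRICT_SEARCHFOR = r"^host/([^./]+)\.domain\.name$"


def rewrite_user_name(user_name, searchfor=POSTED_SEARCHFOR):
    """Emulate attr_rewrite with ignore_case = yes, max_matches = 1,
    append = no. Returns the rewritten User-Name, or the input unchanged
    when the pattern does not match (ordinary user logins pass through)."""
    return re.sub(searchfor, REPLACEWITH, user_name, count=1, flags=re.IGNORECASE)


def compare_patterns(user_names):
    """Run the same User-Name values through the posted and the strict
    pattern, returning {name: (posted_result, strict_result)} so the two
    can be compared before the rule goes into the authorize section."""
    return {
        name: (rewrite_user_name(name), rewrite_user_name(name, STRICT_SEARCHFOR))
        for name in user_names
    }


if __name__ == "__main__":
    # Constructed sample User-Name values; "domain.name" stands in for the
    # real AD DNS suffix, exactly as it does in the posted rule.
    samples = [
        "host/pc1.domain.name",        # the machine-account case
        "HOST/PC1.DOMAIN.NAME",        # ignore_case = yes
        "jdoe",                        # plain user login, must pass through
        "host/pc1.domainXname",        # matches only because dots are unescaped
        "host/pc1.domain.name.corp",   # trailing text: posted rule leaves ".corp" behind
    ]
    for name, (posted, strict) in compare_patterns(samples).items():
        print(f"{name:28} posted -> {posted:22} strict -> {strict}")
```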