freeradius 2.1.8:
My environment uses the ntlm_auth and ldap modules.
In the mschap module, I have a line like:
 
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-re$

Also, in ldap:
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"

No edits to default or inner-tunnel (other than to uncomment the ntlm_auth and
mschap lines).

I use this method to auth users connecting to wireless APs with XP, iOS, Linux,
and Win7 machines. I want users to be forced to enter their password to
connect, so the clients are configured not to use the domain\username form, just
username and password. Set up this way, a client sending the username in domain\username
form will be rejected. I am not sure this is "right", but it allows me to use
MS-CHAP auth with several different types of clients, and control access with an
LDAP group without worrying about the domain\user nonsense. Of course, I only
have a single domain, which simplifies things.

Nolan



>>> On 3/25/2011 at 7:41 AM, in message
<201103251541.07053.thomas.wun...@swt-bamberg.de>, Thomas Wunder
<thomas.wun...@swt-bamberg.de> wrote:
> On Friday 25 March 2011 11:15:58 you wrote:
>> Use %{mschap:User-Name} everywhere; this will give the bare username 
> That sounds consequent but what exactly do you mean by "everywhere"?
> I use the policy.conf (as you can see by the debug output from my previous 
> posting) to define some policies that are later on used within the 'authorize 
> {...}' groups of sites-available/default and sites-available/inner-tunnel. I 
> don't utilize rlm_files any more but I use rlm_ldap to retrieve user/group 
> information from my LDAP-server. The only place where I consciously reference 
> any User-Name attribute is the modules/ldap and there I already do as you 
> suggest (see attachment).
> 
> Where else do I need to explicitly specify '%{mschap:User-Name}' to have 
> rlm_mschap accept user names that incorporate a NT-domain name (i.e. to have 
> rlm_mschap ignore the domain component of the user name)?
> 
> My modules/mschap config file is pretty lucid at present:
> mschap {
>         use_mppe = yes
>         require_encryption = yes
>         require_strong = yes
>         with_ntdomain_hack = no
> }
> 
> And what about the realms approach? Can I save the trouble?
>> (and also correctly translate host/name.domain.com, if you later do 
>> machine auth)
> 
> Thanks!


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
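Added example, not code from this thread or from FreeRADIUS itself: a small Python model of the username handling the two posts disagree about. mschap_user_name() does what the thread says %{mschap:User-Name} does (drop a leading "DOMAIN\", and turn the machine-auth form host/name.domain.com into NAME$, the form AD stores for computer accounts; confirm the exact upper-casing and '$' suffix against your rlm_mschap version). xlat_username() is the %{%{Stripped-User-Name}:-%{User-Name:-None}} fallback chain from Nolan's ntlm_auth line, and ldap_filter() builds his sAMAccountName filter with RFC 4515 escaping, so the three username shapes a client can send can be compared side by side. Function names and the sample usernames are the example's own.

```python
# Model of FreeRADIUS username handling for MS-CHAP + LDAP (added example).
from typing import Optional


def mschap_user_name(user_name: str) -> str:
    """Bare account name in the sense of %{mschap:User-Name}.

    "CORP\\nolan"           -> "nolan"
    "host/pc1.example.com"  -> "PC1$"   (computer account name as stored in AD)
    "nolan"                 -> "nolan"  (already bare, returned unchanged)
    """
    if user_name.lower().startswith("host/"):
        # Machine authentication: hostname before the first dot, upper-cased,
        # with the trailing '$' that AD uses for computer accounts.
        fqdn = user_name[len("host/"):]
        return fqdn.split(".", 1)[0].upper() + "$"
    # Everything up to and including the last backslash is the NT domain.
    _domain, sep, bare = user_name.rpartition("\\")
    return bare if sep else user_name


def xlat_username(stripped_user_name: Optional[str], user_name: Optional[str]) -> str:
    """%{%{Stripped-User-Name}:-%{User-Name:-None}} as a fallback chain.

    Stripped-User-Name only exists when a realm or the ntdomain hack stripped
    something; with neither configured it is absent and the raw User-Name,
    domain prefix included, is what reaches ntlm_auth and the LDAP filter.
    """
    if stripped_user_name:
        return stripped_user_name
    if user_name:
        return user_name
    return "None"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch
        for ch in value
    )


def ldap_filter(name: str) -> str:
    """Nolan's filter with the username substituted in and escaped."""
    return "(&(sAMAccountName=%s))" % ldap_escape(name)


def lookups_for(user_name: str) -> dict:
    """What each approach hands to LDAP for one User-Name.

    AD does not allow '\\' or '/' in a sAMAccountName, so whenever the raw
    expansion differs from the bare name the raw filter cannot match any
    account and the request is rejected, which is the behaviour Nolan
    describes for domain\\user clients.
    """
    raw = xlat_username(None, user_name)   # no realm or ntdomain-hack stripping
    bare = mschap_user_name(user_name)
    return {
        "raw_filter": ldap_filter(raw),
        "mschap_filter": ldap_filter(bare),
        "rejected_as_configured": raw != bare,
    }


if __name__ == "__main__":
    # Constructed sample usernames, not taken from the original thread.
    for name in ("nolan", "CORP\\nolan", "host/pc1.example.com"):
        print(name, lookups_for(name))
```

rlm_ldap is meant to escape its own filter expansions; the escaping here only makes the model behave the same way, and is what you would want if a filter were ever built from User-Name outside the module.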
