On 04/21/2011 08:08 PM, Eldred, Bob wrote:

> After configuring a Windows XP SP3 supplicant for machine authentication
> (which is stupidly complex, given the required registry hacks to make it
> work)

Once you've done it once, you can export it as a "netsh" XML profile, then re-import it on other machines. Or use group policy on domain members.

> I get this in the debug output:

> ++[mschap] returns noop
> [ntdomain] No '\' in User-Name = "host/C776669.ppmenergy.us", looking up
> realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop


> Now, I can clearly see that there *is* no '\' in the hostname there, nor
> should there be.  But everything I've found on the web indicates that
> with the version of FreeRADIUS and Samba I have, %{mschap:User-Name}
> should be rewritten as C776669$.  Getting the domain of the thing will
> be another challenge of its own, I imagine.

Correct, it should be rewritten from host/name.... to name$

%{mschap:NT-Domain} will expand the above to "ppmenergy". So, if the short-form (NT4-style name) of your AD realm is "ppmenergy" that'll be fine.

If not you'll have to hard-code the domain or get it otherwise. This is one reason why Microsoft were DUMB to pick host/dnsname.domain.com - the DNS name and authentication realm need not match. They should have just sent host$@AUTH.REALM as the EAP-Identity and made everyone's life easier... :o(


> ++[mschap] returns noop

This is as-expected. The request is EAP, not mschap, so mschap returns noop. This is completely independent of using "%{mschap:User-Name}" anywhere.

> [ntdomain] No '\' in User-Name = "host/C776669.ppmenergy.us", looking up
> realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop

Again, as expected.

> Sending Access-Challenge of id 219 to 10.56.160.5 port 32768
>          EAP-Message = 0x010700061900
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0x1c7725f518703c6d6a5dce719626f316
> Finished request 14.
> Going to the next request
> Waking up in 4.9 seconds.

...and.... what happens next? This is just a single request. EAP authentication involves lots of pairs of request/challenge, with a final request/accept or request/reject.

I am going to take a wild guess - you are using "ntlm_auth" and you need to edit the command line in raddb/modules/mschap to read:

  ntlm_auth = ".... --username=%{mschap:User-Name} ..."

If not, please show the full authentication attempt so we can see where it fails.

Better yet, carefully read through the full debug output yourself. The failure code *will* be in there.
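The host/name to name$ rewrite and the NT-Domain guess discussed in the reply above, modelled in Python as an added example. This is not code from the mailing-list thread or from FreeRADIUS itself; it reproduces the behaviour the reply describes (%{mschap:User-Name} strips "host/" and the DNS suffix and appends "$", %{mschap:NT-Domain} takes the first DNS label after the hostname, and a DOMAIN\user name splits on the backslash) and then builds the ntlm_auth argument list that the raddb/modules/mschap template would expand to. The ntlm_auth path, the --domain option use, the fallback_domain parameter and the challenge/response values are assumptions for illustration; the case where no domain can be derived (the realm-mismatch problem the reply warns about) is handled explicitly.

```python
"""Model of rlm_mschap's %{mschap:User-Name} / %{mschap:NT-Domain} expansions.

Added example only: not code from the thread or from FreeRADIUS. It follows
the behaviour described in the reply: "host/C776669.ppmenergy.us" expands to
"C776669$" and to the NT domain "ppmenergy".
"""
from typing import List, Optional

HOST_PREFIX = "host/"


def mschap_user_name(user_name: str) -> str:
    """Mimic %{mschap:User-Name}.

    host/C776669.ppmenergy.us -> C776669$   (machine account)
    PPMENERGY\\bob            -> bob        (NT4-style name, domain stripped)
    bob                       -> bob        (nothing to rewrite)
    """
    if user_name.startswith(HOST_PREFIX):
        fqdn = user_name[len(HOST_PREFIX):]
        # Assumption: a host/ identity with no DNS suffix still gets the '$'.
        return fqdn.split(".", 1)[0] + "$"
    _, backslash, user = user_name.rpartition("\\")
    return user if backslash else user_name


def mschap_nt_domain(user_name: str) -> Optional[str]:
    """Mimic %{mschap:NT-Domain}; None when nothing can be derived.

    For host/ identities the domain is guessed from the first DNS label after
    the hostname, which is only right when that label equals the short (NT4)
    name of the AD realm, as the reply points out.
    """
    if user_name.startswith(HOST_PREFIX):
        labels = user_name[len(HOST_PREFIX):].split(".")
        return labels[1] if len(labels) > 1 else None
    domain, backslash, _ = user_name.partition("\\")
    return domain if backslash else None


def ntlm_auth_argv(user_name: str, challenge_hex: str, nt_response_hex: str,
                   fallback_domain: Optional[str] = None) -> List[str]:
    """Build the argv the mschap module would run (assumed ntlm_auth path).

    fallback_domain stands in for a hard-coded --domain= value, the workaround
    the reply suggests when the DNS name and the authentication realm differ.
    """
    domain = mschap_nt_domain(user_name) or fallback_domain
    if domain is None:
        raise ValueError(
            f"cannot derive an NT domain from {user_name!r}; "
            "hard-code --domain= in raddb/modules/mschap")
    return [
        "/usr/bin/ntlm_auth",          # assumed install path
        "--request-nt-key",
        f"--username={mschap_user_name(user_name)}",
        f"--domain={domain}",
        f"--challenge={challenge_hex}",
        f"--nt-response={nt_response_hex}",
    ]


if __name__ == "__main__":
    # Constructed sample values; the challenge/response are placeholders.
    for name in ("host/C776669.ppmenergy.us", "PPMENERGY\\bob", "host/C776669"):
        try:
            print(" ".join(ntlm_auth_argv(name, "00", "00")))
        except ValueError as err:
            print(f"{name}: {err}")
```

Running the block prints the expanded command line for the thread's machine identity, for an NT4-style user name, and the error path for a bare "host/C776669" with no DNS suffix, which is where a hard-coded domain becomes necessary.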
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
