[ale] Freeradius, MSCHAP, and Active Directory
James Taylor
James.Taylor at eastcobbgroup.com
Thu Feb 26 13:40:43 EST 2015
Freeradius servers are more fun than I can stand most days, but I have gotten a couple of them working.
I haven't tried it against AD, but one issue I have had with AD and LDAP based auth is the ridiculously convoluted way that AD uses names.
I'm not sure what version of freeradius you're using, but I see a couple of areas in my radius.conf that look relevant.
Do you have this entry under the mschap section?
with_ntdomain_hack = yes
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key. Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work. See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
And/or this entry further down?
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
Like I said, I haven't dealt with radius against AD, so I'm just suggesting what look like some relevant entries.
-jt
James Taylor
678-697-9420
james.taylor at eastcobbgroup.com
>>> James Sumners <james.sumners at gmail.com> 2/26/2015 12:33 PM >>>
The #freeradius channel is less than helpful, and I'm not keen on the
responses I see in the users mailing list (plus I don't want to sign up for
yet another one). So I'm hoping someone on this list has the answer I need:
I'm setting up a Freeradius server that authenticates supplicants against
an Active Directory system. I have ntlm_auth working, and I can authenticate
via Freeradius. So, if I have a user "Jane Doe" with a username "jdoe" then
a typical Windows auth request will succeed. That is, the username
"foobar\jdoe" will be split into "domain = foobar" and "username = jdoe",
and the ntlm_auth will work just fine.
However, when I have a user like "Tom Doe" with a username like "tdoe" then
Windows will send "foobar\tdoe" as the username. When I watch the
Freeradius debug output I can see in the mschap processing that it gets a
username "foobar doe" sent to it. That clearly won't work.
Does anyone know how to prevent Freeradius from mangling the name by
interpreting escape sequences?
--
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (band page)
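The symptom in the original question (jdoe works, tdoe arrives as "foobar doe") is what you get when a DOMAIN\user login passes through a C-style escape decoder before the domain is split off: "\j" is not an escape and survives, "\t" is consumed as a TAB and the separator disappears. The following is an added example written for this page, not code from either poster and not FreeRADIUS or Samba code. It models the poster's description with a small escape decoder of its own (the escape set is constructed for the example), shows the mangled result beside a split that takes the first backslash literally, and flags which user names are exposed. It makes no claim about where inside FreeRADIUS the decoding happens.

```python
# Added example: splitting 'DOMAIN\user' logins without losing the separator
# to escape processing.  Not FreeRADIUS, Samba or mailing-list code.

# C-style escapes a decoder would consume.  Constructed for this example;
# it is the usual C set, not a copy of any FreeRADIUS escape table.
C_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\", '"': '"'}


def c_unescape(s: str) -> str:
    """Decode backslash escapes the way a C-style string parser would.
    Unknown sequences such as '\\j' keep both characters, which is why
    'foobar\\jdoe' survives this step and 'foobar\\tdoe' does not."""
    out = []
    i = 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s) and s[i + 1] in C_ESCAPES:
            out.append(C_ESCAPES[s[i + 1]])
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def split_nt_login(login: str):
    """Split 'DOMAIN\\user' on the FIRST backslash with no escape
    processing, i.e. the 'format = prefix, delimiter = \\' behaviour
    the realm config above describes.  A login with no backslash is
    returned as (None, login)."""
    domain, sep, user = login.partition("\\")
    if not sep:
        return None, login
    return domain, user


def mangled_split(login: str):
    """The failure mode from the thread: escape-decode first, then split.
    For 'foobar\\tdoe' the backslash is gone before the split runs, so the
    whole string 'foobar<TAB>doe' is treated as the user name."""
    return split_nt_login(c_unescape(login))


def escape_sensitive(user: str) -> bool:
    """True when 'DOMAIN\\' + user would lose its separator to an escape
    decoder: the user name starts with t, n, r, a backslash or a quote."""
    return bool(user) and user[0] in C_ESCAPES


if __name__ == "__main__":
    # Constructed sample logins matching the two users in the question.
    for login in ("foobar\\jdoe", "foobar\\tdoe", "foobar\\ndoe", "jdoe"):
        print(f"{login!r}: literal split={split_nt_login(login)} "
              f"after escape decoding={mangled_split(login)}")
```

Running it shows that only names whose first letter forms a C escape are affected; a directory full of users is easy to audit with `escape_sensitive` before the affected people call the help desk. Whether the fix on a real server is to split the domain off before the string is ever expanded (as the `realm ntdomain` block does) or to avoid the decoding step is a FreeRADIUS configuration question the thread leaves open.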