[ale] Freeradius, MSCHAP, and Active Directory

James Taylor James.Taylor at eastcobbgroup.com
Thu Feb 26 13:40:43 EST 2015


Freeradius servers are more fun than I can stand most days, but I have gotten a couple of them working.
I haven't tried it against AD, but one issue I have had with AD and LDAP based auth is the ridiculously convoluted way that AD uses names.

I'm not sure what version of freeradius you're using, but I see a couple of areas in my radius.conf that look relevant.

Do you have this entry under the mschap section?


		with_ntdomain_hack = yes

		# The module can perform authentication itself, OR
		# use a Windows Domain Controller.  This configuration
		# directive tells the module to call the ntlm_auth
		# program, which will do the authentication, and return
		# the NT-Key.  Note that you MUST have "winbindd" and
		# "nmbd" running on the local machine for ntlm_auth
		# to work.  See the ntlm_auth program documentation
		# for details.
		#
		# Be VERY careful when editing the following line!
		#
		#ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

And/or this entry further down?

	#
	#  'domain\user'
	#
	realm ntdomain {
		format = prefix
		delimiter = "\\"
		ignore_default = no
		ignore_null = no
	}

Like I said, I haven't dealt with radius against AD, so I'm just suggesting what look like some relevant entries.

-jt



James Taylor
678-697-9420
james.taylor at eastcobbgroup.com



>>> James Sumners <james.sumners at gmail.com> 2/26/2015 12:33 PM >>> 
The #freeradius channel is less than helpful, and I'm not keen on the
responses I see in the users mailing list (plus I don't want to sign up for
yet another one). So I'm hoping someone on this list has the answer I need:

I'm setting up a Freeradius server that authenticates supplicants against
an Active Directory system. I have ntlm_auth working, and I can authenticate
via Freeradius. So, if I have a user "Jane Doe" with a username "jdoe" then
a typical Windows auth request will succeed. That is, the username
"foobar\jdoe" will be split into "domain = foobar" and "username = jdoe",
and the ntlm_auth will work just fine.

However, when I have a user like "Tom Doe" with a username like "tdoe" then
Windows will send "foobar\tdoe" as the username. When I watch the
Freeradius debug output I can see in the mschap processing that it gets a
username "foobar    doe" sent to it. That clearly won't work.

Does anyone know how to prevent Freeradius from mangling the name by
interpreting escape sequences?

-- 
James Sumners
http://james.sumners.info/ (technical profile)
http://jrfom.com/ (personal site)
http://haplo.bandcamp.com/ (band page)
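Added example, written for this archive page and not code from either poster or from FreeRADIUS: a small Python model of the `realm ntdomain` prefix split (delimiter "\\", format = prefix), the domain stripping whose result the commented ntlm_auth line passes as --username, and the mangling described in the question, where C-style escapes are interpreted on the raw User-Name so "foobar\tdoe" loses its delimiter and arrives as "foobar<TAB>doe". How and at which point FreeRADIUS itself applies escapes is not shown on the page; the escape table, the function names and the /path/to/ntlm_auth placeholder are assumptions.

```python
# Added illustration (not FreeRADIUS code, not from either poster): models the
# 'domain\user' prefix split from the realm ntdomain block, the domain stripping
# that feeds ntlm_auth's --username, and what goes wrong when C-style escape
# sequences are interpreted on the raw User-Name before the split.
from typing import List, Optional, Tuple

# delimiter = "\\" in the realm ntdomain block: a single literal backslash
NTDOMAIN_DELIMITER = "\\"

# Assumed escape table, just enough to reproduce the symptom in the question.
C_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}


def interpret_escapes(s: str) -> str:
    """Expand backslash escapes the way a C-style string parser would.

    Unknown sequences such as '\\j' are left untouched, which is why 'foobar\\jdoe'
    survives this step while 'foobar\\tdoe' does not.
    """
    out: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in C_ESCAPES:
            out.append(C_ESCAPES[s[i + 1]])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def split_ntdomain(user_name: str, delimiter: str = NTDOMAIN_DELIMITER) -> Tuple[Optional[str], str]:
    """format = prefix: everything before the first delimiter is the realm (domain)."""
    if delimiter not in user_name:
        return None, user_name
    domain, user = user_name.split(delimiter, 1)
    return domain, user


def resolve_user_name(raw_user_name: str, escape_first: bool = False) -> Tuple[Optional[str], str]:
    """Return (domain, Stripped-User-Name) for a raw User-Name attribute.

    escape_first=True models the mangling in the question: escapes are interpreted
    before the realm split, so the delimiter disappears and the whole corrupted
    string is treated as the user name.
    """
    name = interpret_escapes(raw_user_name) if escape_first else raw_user_name
    return split_ntdomain(name)


def has_control_chars(name: str) -> bool:
    """Detection check: a user name containing TAB/CR/LF has almost certainly been
    through an escape interpreter; log it and reject rather than hand it to ntlm_auth."""
    return any(ord(ch) < 0x20 for ch in name)


def ntlm_auth_argv(ntlm_auth_path: str, stripped_user_name: Optional[str],
                   user_name: Optional[str] = None, challenge: Optional[str] = None,
                   nt_response: Optional[str] = None) -> List[str]:
    """Argument vector equivalent to the commented ntlm_auth line, with the same
    fallbacks: Stripped-User-Name, else User-Name, else "None"; challenge and
    NT-Response default to "00". Built as argv (no shell), so a user name with
    quotes or spaces cannot change the command that is run.
    """
    username = stripped_user_name or user_name or "None"
    return [ntlm_auth_path, "--request-nt-key", f"--username={username}",
            f"--challenge={challenge or '00'}", f"--nt-response={nt_response or '00'}"]


if __name__ == "__main__":
    for raw in ("foobar\\jdoe", "foobar\\tdoe"):        # constructed sample User-Names
        for escape_first in (False, True):
            domain, user = resolve_user_name(raw, escape_first)
            flag = "  <-- mangled" if has_control_chars(user) else ""
            print(f"{raw!r:16} escape_first={escape_first!s:5} -> domain={domain!r}, user={user!r}{flag}")
    # /path/to/ntlm_auth is the placeholder from the commented config line
    print(ntlm_auth_argv("/path/to/ntlm_auth", "tdoe", challenge="0123456789abcdef"))
```

Running the block shows "foobar\jdoe" split correctly whether or not escapes are interpreted, while "foobar\tdoe" only splits when the raw backslash reaches the realm split untouched; the `has_control_chars` check is the quick way to spot the mangled form in debug output before it reaches the domain controller.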