Julien MIOTTE wrote:
  1. Using the Windows native supplicant and machine account
authentication. Basically the process is this:
     * machine powers on - no-one logged in
     * machine uses its own domain account to log in as "host/$machinename"
     * user presses ctrl+alt+del
     * machine validates credentials to the domain controller, over the
current network connection
     * machine downloads the user's profile
     * once the profile is downloaded, the machine does an EAP-Logoff and
then re-authenticates using the user credentials
     * when the user logs out, the machine does an EAP-Logoff and then
logs back in using the machine account

Hi, I've been trying to do as you told me.

There's no need to CC me. I read the list.

Using the native supplicant and MSCHAPv2 on PEAP, the machine now sends its own credentials. My problem is that the login is sent with the prefix "host/". In my LDAP, the entry of the machine is machine_name$.

I tried to fix this through various ways, and I succeeded by adding an entry in the hint file:
        DEFAULT Prefix == "host/", Strip-User-Name = "Yes"

and by changing the filter in the LDAP section:
filter="(uid=%{Stripped-User-Name:-%{User-Name}})" to filter="(uid=%{Stripped-User-Name:-%{User-Name}}$)"

Now the authorization works fine, but when the authenticate section is processed, the debug prints this:
        rlm_eap: Identity does not match User-Name, setting from EAP Identity.

Am I doing all of this right?

There's a better way; use the mschap module expansion function, which will both strip and suffix for you:

filter = "(uid=%{mschap:User-Name})"

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
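The two ways of turning the supplicant's identity into an LDAP lookup key that this thread discusses, modelled in Python as an added illustration (this is not FreeRADIUS code and is not from either poster). `hints_stripped_name` mirrors the asker's approach (strip the "host/" prefix via the hints entry, append "$" in the filter); `mschap_user_name` mirrors what the reply says `%{mschap:User-Name}` does (strip and suffix in one step). The detail that the mschap expansion keeps only the host part before the first dot, and that it reduces "DOMAIN\user" to "user", is my understanding of rlm_mschap and is an assumption here, not something the thread states. The RFC 4515 escaping is added because any value interpolated into an LDAP filter, including an EAP identity, should have filter metacharacters neutralised; FreeRADIUS's ldap module does its own escaping, so this only shows why it matters.

```python
# Added example: identity normalisation for a machine-account LDAP filter.
# Not FreeRADIUS code; behaviour of %{mschap:User-Name} is modelled per the
# assumptions stated in the lead-in.

# LDAP filter metacharacters per RFC 4515 section 3.
_LDAP_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value before embedding it in an LDAP search filter."""
    return "".join(_LDAP_ESCAPE.get(ch, ch) for ch in value)


def hints_stripped_name(user_name: str) -> str:
    """Asker's approach: hints strips a leading 'host/' into Stripped-User-Name,
    and the LDAP filter appends '$'. Anything else is passed through with '$'."""
    if user_name.startswith("host/"):
        user_name = user_name[len("host/"):]
    return user_name + "$"


def mschap_user_name(user_name: str) -> str:
    """Model of %{mschap:User-Name} (assumed behaviour, see lead-in):
    'host/pc01.example.org' -> 'pc01$', 'CORP\\alice' -> 'alice'."""
    if user_name.startswith("host/"):
        host = user_name[len("host/"):]
        # Assumption: only the short hostname (before the first dot) is kept.
        return host.split(".", 1)[0] + "$"
    if "\\" in user_name:
        # Assumption: NetBIOS domain prefix is dropped for user accounts.
        return user_name.rsplit("\\", 1)[1]
    return user_name


def build_uid_filter(user_name: str, use_mschap: bool = True) -> str:
    """Build the '(uid=...)' filter the thread ends up with, escaped."""
    key = mschap_user_name(user_name) if use_mschap else hints_stripped_name(user_name)
    return "(uid=%s)" % ldap_filter_escape(key)


if __name__ == "__main__":
    # Constructed sample identities, as a Windows supplicant would send them.
    for identity in ("host/pc01.example.org", "host/pc01", "CORP\\alice"):
        print("%-24s hints: %-24s mschap: %s" % (
            identity,
            build_uid_filter(identity, use_mschap=False),
            build_uid_filter(identity),
        ))
```

The sample run shows where the two approaches diverge: for an identity of the form `host/pc01.example.org`, the hints-plus-"$" filter looks for `pc01.example.org$`, whereas the mschap expansion (under the assumption above) looks for `pc01$`, which is the form of the machine entry the asker describes.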
