I'm happy to announce that 802.1x/PEAP machine authentication with the Windows built-in supplicant is now possible using FreeRADIUS. In the past, machine authentication was only possible by proxying machine authentication requests to another RADIUS server capable of handling them, such as IAS. FreeRADIUS, along with some updates to Samba, is now capable of handling these authentications internally.

Here's a synopsis on how to get this working right now:

The first item required to get machine authentication working is a patch to the Samba source. This patch sets the flags used when sending the authentication request to the domain so that workstation logons are allowed. I expect that the Samba team will include the ability to set these flags at runtime in a future release. You can find the details of the patching required at http://www.open.com.au/archives/radiator/2005-10/msg00037.html. It's a very simple patch to the samba/source/rpc_client/cli_netlogon.c file. In the cli_netlogon_sam_network_logon() function (be sure not to edit the cli_netlogon_sam_logon() function by mistake), there is a call to the init_id_info2() function. The param_ctrl flags parameter to this function is currently passed as 0. In order to enable machine authentication, it should be set to 0x800 (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT). If you change this and recompile/reinstall Samba, your ntlm_auth command will now be able to handle machine authentications. As noted above, it is expected that these flags will become manipulable at runtime in some future release of Samba, so this fix is for those who need this functionality now.

Next, when using ntlm_auth, the User-Name received in the request has to be rewritten. Windows supplicants send the machine name in the form host/fully.qualified.domain.name. When you provide the user name to ntlm_auth, it must be in the form machineshortname$, the SAM account form of the name. I have updated the rlm_mschap module so that a call to the xlat function mschap:User-Name will now properly format the machine name as above as well as format ordinary usernames. In addition, a call to the xlat function mschap:NT-Domain will also grab the domain name from the host/ formatted username. Therefore, with this updated code, the only change to the configuration in radiusd.conf is to ensure that your ntlm_auth line looks like the following:

ntlm_auth = "/path/to/ntlm_auth --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain:-DEFAULTDOMAIN}"
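To make the two rewrites concrete, here is a small stand-alone reimplementation of what the mschap:User-Name and mschap:NT-Domain xlats have to do with a host/ name versus a DOMAIN\user name. This is an added example, not rlm_mschap's own code; the sample names and the rule used for the domain of a host/ name (the first DNS label after the host name) are assumptions.

```c
#include <string.h>
/* User-Name rewrite for ntlm_auth --username= (hypothetical reimplementation):
 *   host/ws01.corp.example.com -> ws01$ (SAM machine account form)
 *   CORP\alice -> alice (strip DOMAIN\ prefix). Returns 0, or -1 if out is too small. */
static int mschap_user_name(const char *in, char *out, size_t outlen)
{
    const char *start = in, *p;
    size_t len;
    int machine = (strncmp(in, "host/", 5) == 0);
    if (machine) {
        start = in + 5;
        p = strchr(start, '.');              /* keep the short host name only */
        len = p ? (size_t)(p - start) : strlen(start);
    } else {
        p = strchr(in, '\\');
        if (p) start = p + 1;
        len = strlen(start);
    }
    if (len + (size_t)machine + 1 > outlen) return -1;
    memcpy(out, start, len);
    if (machine) out[len++] = '$';
    out[len] = '\0';
    return 0;
}
/* NT-Domain extraction for ntlm_auth --domain=. Assumed rule for host/ names: the
 * first DNS label after the host name, e.g. host/ws01.corp.example.com -> corp;
 * CORP\alice -> CORP. Returns 0, or -1 if no domain is present or it does not fit. */
static int mschap_nt_domain(const char *in, char *out, size_t outlen)
{
    const char *start = in, *end;
    size_t len;
    if (strncmp(in, "host/", 5) == 0) {
        start = strchr(in + 5, '.');
        if (!start) return -1;               /* host/ name without a domain part */
        start++;
        end = strchr(start, '.');
        len = end ? (size_t)(end - start) : strlen(start);
    } else {
        end = strchr(in, '\\');
        if (!end) return -1;                 /* bare user name carries no domain */
        len = (size_t)(end - start);
    }
    if (len + 1 > outlen) return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}
```

When mschap_nt_domain() fails for a bare user name, the :-DEFAULTDOMAIN fallback in the ntlm_auth line above is what supplies the domain.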

The updated rlm_mschap module is available in CVS now. You can grab the nightly CVS snapshot (the usual caveat of unstable code applies). In addition, for those familiar with CVS, it is available in the release_1_0 branch for use with the stable source tree. And, finally, it will be included in the next stable release of FreeRADIUS.

--Mike
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html