wekz wrote:
And if they are, what effect does with_ntdomain_hack=yes have? Does it affect all of them?

Well, Hi you all I hope haven't been too direct ;)

I'm getting more troubles as I do more complex configurations.

I ask this because first I had to authenticate users by machine authentication. The users in this case send a User-Name like host/username and the only way I found for working this out was to use the ntdomain realm with "/" as the delimiter and enable with_ntdomain_hack. The other options strip the User-Name, but then the packets don't match EAP-Identity (at least one of them); that is why I used ntdomain, for

Yes, this is a pain. The correct thing to do is below

being able to use with_ntdomain_hack.

FreeRadius 1.1.0 has code to do this for you - it will take names of the form "host/blah" and turn them into "blah$" *IF* you are using the "%{mschap:User-Name}" expansion. The "%{User-Name}" is left alone, meaning EAP carries on working.


Now I've got pda-users that send domain\username and if I don't use ntdomain & with_ntdomain_hack it fails. So, that's why I ask if multiple ntdomains are allowed and how.

Again, this is annoying.

The best way I've found is to have this:

proxy.conf (contains only "real" domains)

realm THEDOMAINNAME {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  # see [1] for strip
  strip
}

realm DEFAULT {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  # see [1] for strip
  strip
}

realm NULL {
  type = radius
  authhost = LOCAL
  accthost = LOCAL
  # see [1] for strip
  strip
}

radiusd.conf (portions omitted):

modules {
  mschap {
    authtype = MS-CHAP
    with_ntdomain_hack = yes
    # this all goes on one line
    # see [2] for mschap:User-Name
    ntlm_auth = "/path/ntlm_auth --request-nt-key \
      --username=%{mschap:User-Name} \
      --challenge=%{mschap:Challenge:-00} \
      --nt-response=%{mschap:NT-Response:-00}"
  }

  realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_default = no
    ignore_null = no
  }
}

authorize {
  preprocess
  ntdomain
  eap
  mschap
}

The various bits ensure:

1. "strip" in the realms means there is always a realm-free "%{Stripped-User-Name}" variable, useful for e.g. LDAP/file/SQL searches.

2. The "with_ntdomain_hack" creates an mschap:User-Name variable which will always have the domain stripped correctly - "dom\user" goes to "user", and "host/machine" goes to "machine$"


Any method or idea will be welcome.

Thanks


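To see which value each lookup (EAP, LDAP/SQL, ntlm_auth) ends up with under the configuration above, here is a small model of the four name views it produces. This is an added example, not code from the post or from FreeRADIUS; the realm list, the sample names and the handling of anything beyond "dom\user" and "host/blah" are assumptions.

```python
# Added example (not FreeRADIUS code): models the name views produced by
# realm ntdomain { format = prefix, delimiter = "\\" } plus "strip" in the
# proxy.conf realms and with_ntdomain_hack = yes in the mschap module.
from dataclasses import dataclass
from typing import Set, Tuple

NTDOMAIN_DELIMITER = "\\"   # realm ntdomain { delimiter = "\\" }


@dataclass(frozen=True)
class NameViews:
    user_name: str            # %{User-Name}: left alone, so EAP-Identity still matches
    realm: str                # realm chosen by the ntdomain module
    stripped_user_name: str   # %{Stripped-User-Name}: result of "strip" in the realm
    mschap_user_name: str     # %{mschap:User-Name} with with_ntdomain_hack = yes


def ntdomain_realm(user_name: str, real_realms: Set[str]) -> Tuple[str, str]:
    """Mimic realm ntdomain with ignore_default = no and ignore_null = no."""
    if NTDOMAIN_DELIMITER in user_name:
        prefix, _, rest = user_name.partition(NTDOMAIN_DELIMITER)
        # A prefix not listed in proxy.conf falls into realm DEFAULT (assumption:
        # DEFAULT also has "strip", as in the post's proxy.conf).
        return (prefix if prefix in real_realms else "DEFAULT"), rest
    # No delimiter at all: realm NULL handles it and nothing is stripped.
    return "NULL", user_name


def mschap_user_name(user_name: str) -> str:
    """What the post says %{mschap:User-Name} yields under with_ntdomain_hack."""
    if user_name.startswith("host/"):
        # machine authentication: "host/blah" -> "blah$" (FQDN handling not modelled)
        return user_name[len("host/"):] + "$"
    # "dom\user" -> "user"; a plain name is returned unchanged
    return user_name.rpartition(NTDOMAIN_DELIMITER)[2]


def ntdomain_views(user_name: str, real_realms: Set[str]) -> NameViews:
    realm, stripped = ntdomain_realm(user_name, real_realms)
    return NameViews(user_name, realm, stripped, mschap_user_name(user_name))


if __name__ == "__main__":
    # constructed sample names; THEDOMAINNAME is the only "real" realm in proxy.conf
    for name in ("THEDOMAINNAME\\alice", "OTHER\\bob", "host/pc01", "carol"):
        print(ntdomain_views(name, {"THEDOMAINNAME"}))
```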
------------------------------------------------------------------------

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html