New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished?
I have Googled and Googled, but only found references to the fact that it *can* be done (mostly from archives of this list), but little reference on HOW to do it, other than that it has something to do with editing the "realms" file. I also went to #freeradius on FreeNode, but it seemed there was rarely anyone in the channel. So here I am. I'm running FreeRADIUS 2.1.7 from the RHEL 5 RPM (freeradius2-2.1.7-7.el5). It's running on an RHEL 5 virtual machine that is a member of an AD domain via Samba 3.5.4 (which was required to talk to the 2008R2 domain controllers). We have a multi-domain, single forest environment. I'm running two virtual servers, based on the defaults. I have the "campus-main" virtual server that is pretty much the exact same as the default, except that I have LDAP authentication enabled. This works perfectly and is able to authenticate users for all domains. I also have the "campus-eap" and "campus-inner-tunnel" virtual servers for EAP authentication that are the same as the "default" and "inner-tunnel" servers except for the names. (I copied them so I could make changes to the "campus-XXX" virtual servers and still have the originals for reference.) The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine for all users in all domains (authenticated via ntlm_auth) EXCEPT for the "host\\computer.domain.name" users (the computer accounts). I'd like to make this work, partly because a large number of the failed login attempts in my logs are from hosts that are valid domain members. Sooo... help? What's the basic idea behind making this work? Thanks! Justin McNutt Network Systems Analyst - Ninja DNPS, Mizzou Telecom (573) 882-5183 "Do you have a concussion?" Ping is NOT a service. You don't need it. Use a real test.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
