I'm sorry, I don't have time right now to help you, but you are on the right track. Windows has a feature "Machine Authentication" where the station authenticates (using the $hostname and a secret credential created at domain join) with a Domain controller before the user login.
On a hardwired Ethernet connection that happens in the background at boot.
On a dynamic connection like Wi-Fi that is an option, if the EAP supplicant module supports it. (Most did not in the past.) The control for this has mutated between XP and later.

In Vista and Win7 this got more complicated; as you see, there are XML files called "profiles" that control these behaviors. They are a bit difficult to figure out at first (the documentation sucks and is probably wrong at points), but if you burrow in and experiment a bit, you might get it figured out.
There are command line tools for dumping the profiles and tweaking the settings that the GUIs don't get to.

Once you get what you want settled, you can also create domain policies and push them to all stations that way.

Sorry, I don't have enough time to look up my old notes.
Dave.

Quoting Alexandros Gougousoudis <[email protected]>:

Hi Alan,

thanks for your reply!

Alan DeKok wrote:
"host/" as a realm for our Radsecproxy, I'd like to change the
behaviour for the authentication via LAN and add a string to the
<hostname>


 Don't.  You will break EAP.



That's not clear. Why would that break EAP if the workstations are
sending a different login? It already does, depending on LAN or WLAN
logins. I don't mean some kind of rewrite or redirect inside of
FreeRADIUS. Using Linux I can send whatever I want as the login name.

 Find a better solution.  Change your rules so that you're keying off
of the correct data, and doing that only when you want.


I now have a more or less complicated regex rule in the radsecproxy,
but I thought it's more elegant to unify both logins.  I thought of doing
it in the profile XML file of the LAN connection in Windows, but
unfortunately it's not the right place for it. At least all the official
resources I can find from MS are not pointing out how to do that.



bye
Alex

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
