Hello Gregory,

It's true that there are no 'workstation' indications in the incoming RADIUS request. Further, ntlm_auth is started by Radiator and it tries to keep using the same ntlm_auth process for as many auths as it can. So you can't really use any per-request data in the ntlm_auth command line.

Maybe, as you suggest, you need to define a 'virtual workstation' for these VLAN logins, and add that to the ntlm_auth command line?

Cheers.

On Wednesday 27 October 2010 01:43:19 am Gregory Fuller wrote:
> Here's my problem. We are using Radiator to authenticate 802.1x
> wired XP/Vista/7/MacOS clients on Cisco 3750 switches using VLAN
> switching. So far everything seems to be working great. Windows
> clients we are doing machine AND user based authentication so when the
> system boots and no user is logged in the client is sitting in one of
> our "prelogon" VLANs which gives us quarantined access to the system
> for updates/maintenance/pxe booting/etc as well as so the client has
> IP connectivity to our Active Directory controllers. Once a user logs
> into the workstation, the workstation does another 802.1x
> authentication for the user (after AD has verified a successful login)
> and the user is placed into an appropriate VLAN with network access
> based upon if they are a student or faculty/staff member.
>
> We're using Samba's ntlm_auth to do the integration with Active
> Directory, and despite some initial worries so far it seems to be
> working very well on our CentOS 5.4 systems running Radiator.
>
> The only issue we appear to be having is users that are able to login
> to the client successfully, but then during the 2nd authentication
> attempt by XP (the "user" authentication part) is denied, so the user
> has no network access when they get to the XP desktop. Going back and
> looking at ntlm_auth and manually trying it, it looks like because we
> have workstation login restrictions (restrict certain user accounts so
> they can only log on to specific Active Directory workstations only).
> If I remove the workstation restrictions from Active Directory
> everything is fine.
>
> I can replicate the issue using ntlm_auth from the command line:
>
> [t...@radius-02 ~]# ntlm_auth --domain=cts-domain --username=test6 --password=*********
> NT_STATUS_OK: Success (0x0)
>
> [t...@radius-02 ~]# ntlm_auth --domain=cts-domain --username=test6 --password=********* --workstation=LANDESK-016703
> NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
>
> Here's the relevant section of my config:
>
> <AuthBy NTLM>
>         Identifier AD_MACHINE_AUTH-CAMPUSCTR
>         EAPType MSCHAP-V2
>         DefaultDomain CTS-DOMAIN
>         AddToReply Tunnel-Type=1:VLAN,\
>                 Tunnel-Medium-Type=1:Ether_802,\
>                 Tunnel-Private-Group-ID=1:PRELOGON-SWE
> </AuthBy>
>
> <AuthBy NTLM>
>         Identifier AD_USER_AUTH-CAMPUSCTR
>         EAPType MSCHAP-V2
>         DefaultDomain CTS-DOMAIN
>         AddToReply Tunnel-Type=1:VLAN,\
>                 Tunnel-Medium-Type=1:Ether_802,\
>                 Tunnel-Private-Group-ID=1:Swetman
> </AuthBy>
>
> <Handler Client-Identifier=CAMPUSCTR-SWITCHES,NAS-Port-Type=Ethernet>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP,MSCHAP-V2
>                 EAPTLS_CertificateFile /etc/radiator/certs/ns1.oswego.edu/ns1-radius-20100817-cert.pem
>                 EAPTLS_PrivateKeyFile /etc/radiator/certs/ns1.oswego.edu/ns1-radius-20090818-priv.key
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_CAFile /etc/radiator/certs/ns1.oswego.edu/SSL123_CA_Bundle.pem
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 EAPTLS_PEAPVersion 0
>                 EAPAnonymous %0
>         </AuthBy>
>         AuthLog localAuthLogger-OUTER
>         AcctLogFileName /var/log/radius/detail
>         PasswordLogFileName /var/log/radius/passwd
> </Handler>
>
> <Handler TunnelledByPEAP=1,Client-Identifier=CAMPUSCTR-SWITCHES,User-Name=/^host\//>
>         AuthByPolicy ContinueWhileAcceptOrChallenge
>         AuthBy AD_MACHINE_AUTH-CAMPUSCTR
>         AuthLog localAuthLogger-MACHINE
>         AcctLogFileName /var/log/radius/machine-detail
>         PasswordLogFileName /var/log/radius/machine-passwd
> </Handler>
>
> <Handler TunnelledByPEAP=1,Client-Identifier=CAMPUSCTR-SWITCHES,User-Name=/^CTS-DOMAIN\\/>
>         AuthBy AD_USER_AUTH-CAMPUSCTR
>         AuthLog localAuthLogger-USER
>         AcctLogFileName /var/log/radius/user-detail
>         PasswordLogFileName /var/log/radius/user-passwd
> </Handler>
>
> It looks like I may be able to work around this using the
> "--workstation" option as the goodies/ntlm.cfg shows to pass the
> workstation name that is trying to authenticate to ntlm_auth. But,
> how am I supposed to do this as the workstation name (that the user is
> currently trying to log in to) is not available in the authentication
> request? Is anyone doing something similar? How were you able to get
> Active Directory workstation restrictions working with your 802.1x
> implementation?
>
> --greg
>
> Gregory A. Fuller - CCNA
> Network Manager
> State University of New York at Oswego
> Phone: (315) 312-5750
> http://www.oswego.edu/~gfuller
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

--
Mike McCauley [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
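A pre-flight check for the virtual-workstation approach discussed in this thread, added here as an example and not part of the list post or of Radiator: because ntlm_auth will be started once with a fixed --workstation name, every account carrying an AD "Log On To" restriction must list that name, and this script confirms it per account using the same ntlm_auth invocation and NT_STATUS codes shown above. It assumes Samba's ntlm_auth is on PATH on the domain-joined Radiator host and uses the placeholder name RADIUS-VWS for the virtual workstation.

```shell
#!/bin/sh
# Added example, not from the Radiator list thread.
# If ntlm_auth is started once with a fixed --workstation name, any account whose
# AD "Log On To" list does not include that name will fail its user-phase 802.1x
# auth with NT_STATUS_INVALID_WORKSTATION and land on the desktop with no VLAN.
# Assumes ntlm_auth (Samba) is on PATH on the domain-joined Radiator host.

# Placeholder virtual workstation name (assumption; pick your own and add it to
# each restricted account's workstation list in Active Directory).
VIRTUAL_WS="${VIRTUAL_WS:-RADIUS-VWS}"

# Map the first line of ntlm_auth output to a short verdict word.
classify_ntlm_result() {
    case "$1" in
        NT_STATUS_OK:*)                  echo ok ;;
        NT_STATUS_INVALID_WORKSTATION:*) echo invalid-workstation ;;
        NT_STATUS_*)                     echo other ;;
        *)                               echo unparsed ;;
    esac
}

# Check one account against the virtual workstation. --password is deliberately
# omitted: ntlm_auth then prompts on the tty, so the password never appears in
# `ps` output or shell history on the RADIUS server.
check_virtual_workstation() {
    domain="$1"; user="$2"
    result=$(ntlm_auth --domain="$domain" --username="$user" \
                       --workstation="$VIRTUAL_WS" 2>&1 | head -n 1)
    verdict=$(classify_ntlm_result "$result")
    case "$verdict" in
        ok) printf '%s\\%s: accepted with workstation %s\n' "$domain" "$user" "$VIRTUAL_WS" ;;
        invalid-workstation)
            printf '%s\\%s: DENIED - add %s to this account'"'"'s Log On To list in AD\n' \
                   "$domain" "$user" "$VIRTUAL_WS" ;;
        *)  printf '%s\\%s: other failure: %s\n' "$domain" "$user" "$result" ;;
    esac
    [ "$verdict" = ok ]
}

# Usage (prompts for the password): check_virtual_workstation CTS-DOMAIN test6
```

Once an account passes, the same name belongs on the ntlm_auth command line that Radiator starts for the AuthBy NTLM clause (its NtlmAuthProg parameter, assumed here; check goodies/ntlm.cfg for your version).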
