[RADIATOR] ntlm_auth and Active Directory Workstation Restrictions

Gregory Fuller gregory.fuller at oswego.edu
Tue Oct 26 10:43:19 CDT 2010


Here's my problem.  We are using Radiator to authenticate 802.1x
wired XP/Vista/7/MacOS clients on Cisco 3750 switches using VLAN
switching.  So far everything seems to be working great.  For Windows
clients we are doing machine AND user based authentication, so when the
system boots and no user is logged in the client is sitting in one of
our "prelogon" VLANs, which gives us quarantined access to the system
for updates/maintenance/pxe booting/etc as well as giving the client
IP connectivity to our Active Directory controllers.  Once a user logs
into the workstation, the workstation does another 802.1x
authentication for the user (after AD has verified a successful login)
and the user is placed into an appropriate VLAN with network access
based upon whether they are a student or faculty/staff member.

We're using Samba's ntlm_auth to do the integration with Active
Directory, and despite some initial worries so far it seems to be
working very well on our CentOS 5.4 systems running Radiator.

The only issue we appear to be having is users that are able to log in
to the client successfully, but then the 2nd authentication
attempt by XP (the "user" authentication part) is denied, so the user
has no network access when they get to the XP desktop.  Going back and
looking at ntlm_auth and manually trying it, it looks like it is because we
have workstation login restrictions (we restrict certain user accounts so
they can only log on to specific Active Directory workstations).
If I remove the workstation restrictions from Active Directory
everything is fine.

I can replicate the issue using ntlm_auth from the command line:

[test at radius-02 ~]# ntlm_auth --domain=cts-domain --username=test6
--password=*********
NT_STATUS_OK: Success (0x0)

[test at radius-02 ~]# ntlm_auth --domain=cts-domain --username=test6
--password=********* --workstation=LANDESK-016703
NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)

Here's the relevant section of my config:

        <AuthBy NTLM>
                Identifier AD_MACHINE_AUTH-CAMPUSCTR
                EAPType MSCHAP-V2
                DefaultDomain CTS-DOMAIN
                AddToReply      Tunnel-Type=1:VLAN,\
                                Tunnel-Medium-Type=1:Ether_802,\
                                Tunnel-Private-Group-ID=1:PRELOGON-SWE
        </AuthBy>

        <AuthBy NTLM>
                Identifier AD_USER_AUTH-CAMPUSCTR
                EAPType MSCHAP-V2
                DefaultDomain CTS-DOMAIN
                AddToReply      Tunnel-Type=1:VLAN,\
                                Tunnel-Medium-Type=1:Ether_802,\
                                Tunnel-Private-Group-ID=1:Swetman
        </AuthBy>

<Handler Client-Identifier=CAMPUSCTR-SWITCHES,NAS-Port-Type=Ethernet>
        <AuthBy FILE>
                Filename %D/users
                EAPType PEAP,MSCHAP-V2
                EAPTLS_CertificateFile /etc/radiator/certs/ns1.oswego.edu/ns1-radius-20100817-cert.pem
                EAPTLS_PrivateKeyFile /etc/radiator/certs/ns1.oswego.edu/ns1-radius-20090818-priv.key
                EAPTLS_CertificateType  PEM
                EAPTLS_CAFile /etc/radiator/certs/ns1.oswego.edu/SSL123_CA_Bundle.pem
                EAPTLS_MaxFragmentSize 1000
                AutoMPPEKeys
                EAPTLS_PEAPVersion 0
                EAPAnonymous %0
        </AuthBy>
        AuthLog localAuthLogger-OUTER
        AcctLogFileName /var/log/radius/detail
        PasswordLogFileName /var/log/radius/passwd
</Handler>

<Handler TunnelledByPEAP=1,Client-Identifier=CAMPUSCTR-SWITCHES,User-Name=/^host\//>
        AuthByPolicy ContinueWhileAcceptOrChallenge
        AuthBy AD_MACHINE_AUTH-CAMPUSCTR
        AuthLog localAuthLogger-MACHINE
        AcctLogFileName /var/log/radius/machine-detail
        PasswordLogFileName /var/log/radius/machine-passwd
</Handler>

<Handler TunnelledByPEAP=1,Client-Identifier=CAMPUSCTR-SWITCHES,User-Name=/^CTS-DOMAIN\\/>
        AuthBy AD_USER_AUTH-CAMPUSCTR
        AuthLog localAuthLogger-USER
        AcctLogFileName /var/log/radius/user-detail
        PasswordLogFileName /var/log/radius/user-passwd
</Handler>


It looks like I may be able to work around this using the
"--workstation" option, as the goodies/ntlm.cfg shows, to pass the
workstation name that is trying to authenticate to ntlm_auth.  But
how am I supposed to do this, as the workstation name (that the user is
currently trying to log in to) is not available in the authentication
request?  Is anyone doing something similar?  How were you able to get
Active Directory workstation restrictions working with your 802.1x
implementation?

--greg


Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller