[RADIATOR] ntlm_auth and Active Directory Workstation Restrictions
Gregory Fuller
gregory.fuller at oswego.edu
Tue Oct 26 10:43:19 CDT 2010
Here's my problem. We are using Radiator to authenticate 802.1x
wired XP/Vista/7/MacOS clients on Cisco 3750 switches using VLAN
switching. So far everything seems to be working great. Windows
clients we are doing machine AND user based authentication, so when the
system boots and no user is logged in the client is sitting in one of
our "prelogon" VLANs, which gives us quarantined access to the system
for updates/maintenance/pxe booting/etc as well as so the client has
IP connectivity to our Active Directory controllers. Once a user logs
into the workstation, the workstation does another 802.1x
authentication for the user (after AD has verified a successful login)
and the user is placed into an appropriate VLAN with network access
based on whether they are a student or faculty/staff member.

We're using Samba's ntlm_auth to do the integration with Active
Directory, and despite some initial worries so far it seems to be
working very well on our CentOS 5.4 systems running Radiator.

The only issue we appear to be having is users that are able to log in
to the client successfully, but then during the 2nd authentication
attempt by XP (the "user" authentication part) are denied, so the user
has no network access when they get to the XP desktop. Going back and
looking at ntlm_auth and manually trying it, it looks like it is because we
have workstation login restrictions (certain user accounts are restricted so
they can only log on to specific Active Directory workstations).
If I remove the workstation restrictions from Active Directory
everything is fine.

I can replicate the issue using ntlm_auth from the command line:

[test at radius-02 ~]# ntlm_auth --domain=cts-domain --username=test6
--password=*********
NT_STATUS_OK: Success (0x0)
[test at radius-02 ~]# ntlm_auth --domain=cts-domain --username=test6
--password=********* --workstation=LANDESK-016703
NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)

Here's the relevant section of my config:

<AuthBy NTLM>
	Identifier AD_MACHINE_AUTH-CAMPUSCTR
	EAPType MSCHAP-V2
	DefaultDomain CTS-DOMAIN
	AddToReply Tunnel-Type=1:VLAN,\
		Tunnel-Medium-Type=1:Ether_802,\
		Tunnel-Private-Group-ID=1:PRELOGON-SWE
</AuthBy>

<AuthBy NTLM>
	Identifier AD_USER_AUTH-CAMPUSCTR
	EAPType MSCHAP-V2
	DefaultDomain CTS-DOMAIN
	AddToReply Tunnel-Type=1:VLAN,\
		Tunnel-Medium-Type=1:Ether_802,\
		Tunnel-Private-Group-ID=1:Swetman
</AuthBy>

<Handler Client-Identifier=CAMPUSCTR-SWITCHES,NAS-Port-Type=Ethernet>
	<AuthBy FILE>
		Filename %D/users
		EAPType PEAP,MSCHAP-V2
		EAPTLS_CertificateFile /etc/radiator/certs/ns1.oswego.edu/ns1-radius-20100817-cert.pem
		EAPTLS_PrivateKeyFile /etc/radiator/certs/ns1.oswego.edu/ns1-radius-20090818-priv.key
		EAPTLS_CertificateType PEM
		EAPTLS_CAFile /etc/radiator/certs/ns1.oswego.edu/SSL123_CA_Bundle.pem
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
		EAPTLS_PEAPVersion 0
		EAPAnonymous %0
	</AuthBy>
	AuthLog localAuthLogger-OUTER
	AcctLogFileName /var/log/radius/detail
	PasswordLogFileName /var/log/radius/passwd
</Handler>

<Handler TunnelledByPEAP=1,Client-Identifier=CAMPUSCTR-SWITCHES,User-Name=/^host\//>
	AuthByPolicy ContinueWhileAcceptOrChallenge
	AuthBy AD_MACHINE_AUTH-CAMPUSCTR
	AuthLog localAuthLogger-MACHINE
	AcctLogFileName /var/log/radius/machine-detail
	PasswordLogFileName /var/log/radius/machine-passwd
</Handler>

<Handler TunnelledByPEAP=1,Client-Identifier=CAMPUSCTR-SWITCHES,User-Name=/^CTS-DOMAIN\\/>
	AuthBy AD_USER_AUTH-CAMPUSCTR
	AuthLog localAuthLogger-USER
	AcctLogFileName /var/log/radius/user-detail
	PasswordLogFileName /var/log/radius/user-passwd
</Handler>

It looks like I may be able to work around this using the
"--workstation" option, as the goodies/ntlm.cfg shows, to pass the
workstation name that is trying to authenticate to ntlm_auth. But
how am I supposed to do this, as the workstation name (that the user is
currently trying to log in to) is not available in the authentication
request? Is anyone doing something similar? How were you able to get
Active Directory workstation restrictions working with your 802.1x
implementation?

--greg
Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller
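As an added illustration (not from the post above and not Radiator's own code), one way the workstation name could be recovered: the machine authentication that precedes the user logon already carries it in the host/ User-Name, so keying it by Calling-Station-Id lets the later user authentication from the same MAC supply --workstation. The request dicts, MAC values and the assumption that both authentications share a Calling-Station-Id are mine; the script only builds the ntlm_auth argument list and never runs it.

```python
import re
from typing import Dict, List, Optional

# Same splits as the two inner Handler clauses in the config above: machine auth
# arrives as host/<workstation>.<dns-suffix>, user auth as DOMAIN\user.
MACHINE_RE = re.compile(r"^host/([^./]+)", re.IGNORECASE)
USER_RE = re.compile(r"^([^\\]+)\\(.+)$")

# Constructed sample requests (MAC addresses made up); only the attributes used here.
SAMPLE_REQUESTS = [
    {"User-Name": "host/LANDESK-016703.cts-domain.example",
     "Calling-Station-Id": "00-11-22-33-44-55"},
    {"User-Name": "CTS-DOMAIN\\test6", "Calling-Station-Id": "00-11-22-33-44-55"},
    {"User-Name": "CTS-DOMAIN\\test7", "Calling-Station-Id": "66-77-88-99-AA-BB"},
]

def remember_workstation(cache: Dict[str, str], req: Dict[str, str]) -> Optional[str]:
    """On a machine auth, record MAC -> workstation name; returns the name or None."""
    m = MACHINE_RE.match(req["User-Name"])
    if not m:
        return None
    ws = m.group(1).upper()
    cache[req["Calling-Station-Id"].upper()] = ws
    return ws

def ntlm_auth_argv(cache: Dict[str, str], req: Dict[str, str]) -> Optional[List[str]]:
    """Identity arguments for ntlm_auth on a user auth, or None to reject.
    Radiator passes the MS-CHAPv2 challenge/response itself. Without --workstation the
    restriction is not enforced (the NT_STATUS_OK run above), so an unknown MAC is refused."""
    m = USER_RE.match(req["User-Name"])
    if not m:
        return None
    domain, user = m.groups()
    ws = cache.get(req["Calling-Station-Id"].upper())
    if ws is None:
        return None
    return ["ntlm_auth", f"--domain={domain}", f"--username={user}", f"--workstation={ws}"]

def process(requests: List[Dict[str, str]]) -> List[Optional[List[str]]]:
    """Run a request sequence in order; machine auths populate the cache."""
    cache: Dict[str, str] = {}
    results: List[Optional[List[str]]] = []
    for req in requests:
        if remember_workstation(cache, req) is not None:
            results.append(None)  # machine auth is handled by AD_MACHINE_AUTH, not here
        else:
            results.append(ntlm_auth_argv(cache, req))
    return results
```

The cache entry is refreshed on every boot because the machine auth always precedes the user auth in this setup; a second machine auth from the same MAC simply overwrites it.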