[RADIATOR] ntlm_auth and Active Directory Workstation Restrictions

Mike McCauley mikem at open.com.au
Tue Oct 26 16:25:30 CDT 2010


Hello Gregory,

It's true that there are no 'workstation' indications in the incoming RADIUS 
request. Further, ntlm_auth is started by Radiator and it tries to keep using 
the same ntlm_auth process for as many auths as it can. So you can't really 
use any per-request data in the ntlm_auth command line.

Maybe, as you suggest, you need to define a 'virtual workstation' for these 
VLAN logins, and add that to the ntlm_auth command line?

Cheers.
 
On Wednesday 27 October 2010 01:43:19 am Gregory Fuller wrote:
> Here's my problem.  We are using Radiator to authenticate 802.1x
> wired XP/Vista/7/MacOS clients on Cisco 3750 switches using VLAN
> switching.  So far everything seems to be working great.  For Windows
> clients we are doing machine AND user based authentication, so when the
> system boots and no user is logged in the client is sitting in one of
> our "prelogon" VLANs which gives us quarantined access to the system
> for updates/maintenance/pxe booting/etc as well as so the client has
> IP connectivity to our Active Directory controllers.  Once a user logs
> into the workstation, the workstation does another 802.1x
> authentication for the user (after AD has verified a successful login)
> and the user is placed into an appropriate VLAN with network access
> based upon whether they are a student or faculty/staff member.
>
> We're using Samba's ntlm_auth to do the integration with Active
> Directory, and despite some initial worries so far it seems to be
> working very well on our CentOS 5.4 systems running Radiator.
>
> The only issue we appear to be having is users that are able to log in
> to the client successfully, but then the 2nd authentication
> attempt by XP (the "user" authentication part) is denied, so the user
> has no network access when they get to the XP desktop.  Going back and
> looking at ntlm_auth and manually trying it, it looks like it is because we
> have workstation login restrictions (restrict certain user accounts so
> they can only log on to specific Active Directory workstations only).
> If I remove the workstation restrictions from Active Directory
> everything is fine.
>
> I can replicate the issue using ntlm_auth from the command line:
>
> [test at radius-02 ~]# ntlm_auth --domain=cts-domain --username=test6
> --password=*********
> NT_STATUS_OK: Success (0x0)
>
> [test at radius-02 ~]# ntlm_auth --domain=cts-domain --username=test6
> --password=********* --workstation=LANDESK-016703
> NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
>
> Here's the relevant section of my config:
>
>         <AuthBy NTLM>
>                 Identifier AD_MACHINE_AUTH-CAMPUSCTR
>                 EAPType MSCHAP-V2
>                 DefaultDomain CTS-DOMAIN
>                 AddToReply      Tunnel-Type=1:VLAN,\
>                                 Tunnel-Medium-Type=1:Ether_802,\
>                                 Tunnel-Private-Group-ID=1:PRELOGON-SWE
>         </AuthBy>
>
>         <AuthBy NTLM>
>                 Identifier AD_USER_AUTH-CAMPUSCTR
>                 EAPType MSCHAP-V2
>                 DefaultDomain CTS-DOMAIN
>                 AddToReply      Tunnel-Type=1:VLAN,\
>                                 Tunnel-Medium-Type=1:Ether_802,\
>                                 Tunnel-Private-Group-ID=1:Swetman
>         </AuthBy>
>
> <Handler Client-Identifier=CAMPUSCTR-SWITCHES,NAS-Port-Type=Ethernet>
>         <AuthBy FILE>
>                 Filename %D/users
>                 EAPType PEAP,MSCHAP-V2
>                 EAPTLS_CertificateFile /etc/radiator/certs/ns1.oswego.edu/ns1-radius-20100817-cert.pem
>                 EAPTLS_PrivateKeyFile /etc/radiator/certs/ns1.oswego.edu/ns1-radius-20090818-priv.key
>                 EAPTLS_CertificateType  PEM
>                 EAPTLS_CAFile /etc/radiator/certs/ns1.oswego.edu/SSL123_CA_Bundle.pem
>                 EAPTLS_MaxFragmentSize 1000
>                 AutoMPPEKeys
>                 EAPTLS_PEAPVersion 0
>                 EAPAnonymous %0
>         </AuthBy>
>         AuthLog localAuthLogger-OUTER
>         AcctLogFileName /var/log/radius/detail
>         PasswordLogFileName /var/log/radius/passwd
> </Handler>
>
> <Handler TunnelledByPEAP=1,Client-Identifier=CAMPUSCTR-SWITCHES,User-Name=/^host\//>
>         AuthByPolicy ContinueWhileAcceptOrChallenge
>         AuthBy AD_MACHINE_AUTH-CAMPUSCTR
>         AuthLog localAuthLogger-MACHINE
>         AcctLogFileName /var/log/radius/machine-detail
>         PasswordLogFileName /var/log/radius/machine-passwd
> </Handler>
>
> <Handler TunnelledByPEAP=1,Client-Identifier=CAMPUSCTR-SWITCHES,User-Name=/^CTS-DOMAIN\\/>
>         AuthBy AD_USER_AUTH-CAMPUSCTR
>         AuthLog localAuthLogger-USER
>         AcctLogFileName /var/log/radius/user-detail
>         PasswordLogFileName /var/log/radius/user-passwd
> </Handler>
>
>
> It looks like I may be able to work around this using the
> "--workstation" option as the goodies/ntlm.cfg shows to pass the
> workstation name that is trying to authenticate to ntlm_auth.  But,
> how am I supposed to do this as the workstation name (that the user is
> currently trying to log in to) is not available in the authentication
> request?  Is anyone doing something similar?  How were you able to get
> Active Directory workstation restrictions working with your 802.1x
> implementation?
>
> --greg
>
>
> Gregory A. Fuller - CCNA
> Network Manager
> State University of New York at Oswego
> Phone: (315) 312-5750
> http://www.oswego.edu/~gfuller



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
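The persistent-helper behaviour Mike describes, as an added example that is not Radiator's or Samba's own code: a RADIUS server spawns one long-lived ntlm_auth child speaking the ntlm-server-1 helper protocol, so a --workstation value given on its command line is bound once and shared by every authentication the child handles. The helper path, the protocol field names and the sample values are assumptions for this example.

```python
"""Added example: drive Samba's ntlm_auth the way Radiator's AuthBy NTLM does.

Radiator spawns one long-lived `ntlm_auth --helper-protocol=ntlm-server-1`
child and pushes request after request through its stdin/stdout, so anything
on that command line (--workstation included) is fixed at spawn time and
applies to every user it checks. Helper path, field names and sample values
are assumptions for this example, not Radiator's own code.
"""
import subprocess
from typing import List, Optional, Tuple

NTLM_AUTH = "/usr/bin/ntlm_auth"  # assumed path

def helper_command(workstation: Optional[str] = None) -> List[str]:
    """Command line for the persistent helper; the workstation is process-wide."""
    cmd = [NTLM_AUTH, "--helper-protocol=ntlm-server-1"]
    if workstation:
        cmd.append(f"--workstation={workstation}")
    return cmd

def build_request(username: str, domain: str, password: str) -> str:
    """One request: 'Key: value' lines ended by a lone '.'. Plaintext Password:
    keeps it readable; for MSCHAP-V2 Radiator sends LANMAN-Challenge/NT-Response."""
    return f"Username: {username}\nNT-Domain: {domain}\nPassword: {password}\n.\n"

def parse_response(lines: List[str]) -> Tuple[bool, Optional[str]]:
    """Return (authenticated, error) from the helper's reply block."""
    authenticated, error = False, None
    for line in lines:
        if line.rstrip("\n") == ".":
            break
        key, _, value = line.partition(":")
        if key == "Authenticated":
            authenticated = value.strip() == "Yes"
        elif key == "Authentication-Error":  # e.g. NT_STATUS_INVALID_WORKSTATION
            error = value.strip()
    return authenticated, error

class NtlmHelper:
    """Persistent helper: one child, many authenticate() calls."""
    def __init__(self, workstation: Optional[str] = None):
        self.proc = subprocess.Popen(helper_command(workstation), text=True,
                                     stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    def authenticate(self, username: str, domain: str, password: str):
        self.proc.stdin.write(build_request(username, domain, password))
        self.proc.stdin.flush()
        reply = []
        while line := self.proc.stdout.readline():
            reply.append(line)
            if line.rstrip("\n") == ".":
                break
        return parse_response(reply)
```

Because the workstation name is a property of the child process rather than of a request, a "virtual workstation" added to the command line must be listed in the "Log On To" restriction of every account that authenticates through that AuthBy.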