[RADIATOR] question about machine based authentication

Heikki Vatiainen hvn at open.com.au
Sat Nov 19 08:19:38 CST 2011


On 11/19/2011 12:18 AM, Joy Veronneau wrote:

> I think I need some more help with my config. It is working ok for my
> machine cert based authentication, but only if I put the name of the
> machine in a file on the radius server. Here is my config snippet:

You could experiment with <AuthBy LDAP2>. Instead of using a file as the user
database, the config would look up user (machine name) and group
information from LDAP.

See goodies/ad-ldap.cfg and goodies/ldap.cfg for hints, for example on
using the global catalog port and NoCheckPassword. NoCheckPassword should be
used since you are not interested in the password, but in the attributes the
machine account has in AD.

Please let us know how it goes.
Heikki

> <AuthBy FILE>
> 
>     Identifier TLS
>     Filename %D/tls_anon
>     EAPType TLS
>     EAPTLS_CAFile /app/radius/keys/ADRootCA.pem
>     EAPTLS_CertificateFile /app/radius/keys/agate1.pem
>     EAPTLS_CertificateType PEM
>     EAPTLS_PrivateKeyFile /app/radius/keys/agate1.key
>     EAPTLS_CertificateChainFile /app/radius/keys/agate1.intermediate.pem
>     EAPTLS_MaxFragmentSize 1000
>     AutoMPPEKeys
> 
> </AuthBy>
> <Handler Aruba-Essid-Name="eduroam-test", User-Name = /^host/i>
> 
>     AuthByPolicy ContinueAlways
>     RewriteUsername s/^host\///
>     AuthBy TLS
> 
> </Handler>
> 
> 
> and %D/tls_anon contains:
> CIT-JV11GTEST2.cit.cornell.edu
> 
> I would like to avoid having to maintain all the machine names on the
> radius server. I would prefer to do some sort of NTLM auth that would
> read the machine cert and then check to see if the machine is in a
> certain group.
> 
> I tried using <AuthBy NTLM> but that really broke everything... I do
> have NTLM working for username/pw based authn but I need to do that AND
> machine based…
> 
> I'd appreciate a hint. Thanks-
> 
> Joy
> 
> On 11/10/11 5:21 PM, "Heikki Vatiainen" <hvn at open.com.au
> <mailto:hvn at open.com.au>> wrote:
> 
>     On 11/09/2011 09:46 PM, Joy Veronneau wrote:
> 
>         Is it possible for the radiator server to do machine-based
>         authentication (via certificate) to an Active Directory domain?
> 
> 
>     You may want to check if they really mean certificates, since machine
>     based authentication can work with PEAP/EAP-MSCHAP-V2 too. When the
>     machine joins the domain, a password and username are automatically
>     created and these can be used for machine based authentication. This is
>     also supported by Radiator by default.
> 
>         I have MSCHAPv2 working to our AD domain with username/password, but
>         now someone is asking about machine-based authentication. They are
>         currently doing this with an MS radius server and would like to
>         switch to our centrally managed radius server and central AD system.
>         I know that we would have to issue a new cert to the machine from the
>         central AD domain… but I'm not finding much about how to set up
>         radiator in my on-line research so far.
> 
> 
>     EAP-TLS, see goodies too, can be used here. Radiator can also do extra
>     checks for certs besides just checking if the cert is valid or not.
> 
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
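The policy Heikki sketches above (certificate does the authentication, the directory only answers "which machine is this and what group is it in") can be written down as a small decision function. This is an added illustration, not Radiator code and not part of the thread: it stands in for the LDAP lookup with an in-memory dict, so the machine account entries, the group DNs and the second host are constructed for the example; only the CIT-JV11GTEST2 hostname and the host/ prefix rewrite come from the original config. It also makes explicit the check a practitioner would want once the password check is disabled: the identity looked up in the directory must be the one the TLS layer actually verified (the certificate CN), not the free-text User-Name the client sent.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the machine accounts in AD, keyed by sAMAccountName
# (computer accounts end in "$"). Group DNs and LAB-PC7 are made up for this
# example; the first hostname is the one from the thread.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "CIT-JV11GTEST2$": {
        "dNSHostName": "CIT-JV11GTEST2.cit.cornell.edu",
        "memberOf": ["CN=eduroam-machines,OU=Groups,DC=cit,DC=cornell,DC=edu"],
    },
    "LAB-PC7$": {
        "dNSHostName": "lab-pc7.cit.cornell.edu",
        "memberOf": ["CN=lab-machines,OU=Groups,DC=cit,DC=cornell,DC=edu"],
    },
}

# Constructed group DN that a machine must belong to in order to be admitted.
REQUIRED_GROUP = "CN=eduroam-machines,OU=Groups,DC=cit,DC=cornell,DC=edu"

# Same effect as the thread's "RewriteUsername s/^host\///", but case-insensitive
# to match the Handler's /^host/i selection.
HOST_PREFIX = re.compile(r"^host/", re.IGNORECASE)


def normalize_identity(user_name: str) -> str:
    """Strip the Windows machine-auth 'host/' prefix from the RADIUS User-Name."""
    return HOST_PREFIX.sub("", user_name, count=1).strip()


def find_machine(directory: Dict[str, Dict[str, object]],
                 fqdn: str) -> Optional[Tuple[str, Dict[str, object]]]:
    """Return (sAMAccountName, entry) for the account whose dNSHostName is fqdn.

    DNS names are case-insensitive, so the comparison is too. Returns None when
    no computer account carries that name.
    """
    for sam, entry in directory.items():
        if str(entry.get("dNSHostName", "")).lower() == fqdn.lower():
            return sam, entry
    return None


def authorize_machine(cert_cn: str, user_name: str, required_group: str,
                      directory: Dict[str, Dict[str, object]] = DIRECTORY
                      ) -> Tuple[bool, str]:
    """Decide whether a machine that already passed EAP-TLS may join the network.

    cert_cn is the subject CN of the certificate the TLS handshake validated
    against the CA; it is the only identity this function trusts. The
    User-Name is treated as a hint that must agree with it. No password is
    checked here, which is the NoCheckPassword situation from the thread.
    """
    claimed = normalize_identity(user_name)
    if claimed.lower() != cert_cn.lower():
        return False, f"User-Name {claimed!r} does not match certificate CN {cert_cn!r}"

    found = find_machine(directory, cert_cn)
    if found is None:
        return False, f"no machine account with dNSHostName {cert_cn!r}"

    sam, entry = found
    groups: List[str] = [str(g).lower() for g in entry.get("memberOf", [])]
    if required_group.lower() not in groups:
        return False, f"{sam} is not a member of {required_group}"
    return True, f"{sam} is a member of {required_group}"


if __name__ == "__main__":
    for cn, user in [
        ("CIT-JV11GTEST2.cit.cornell.edu", "host/CIT-JV11GTEST2.cit.cornell.edu"),
        ("lab-pc7.cit.cornell.edu", "HOST/lab-pc7.cit.cornell.edu"),
        ("CIT-JV11GTEST2.cit.cornell.edu", "host/other.cit.cornell.edu"),
    ]:
        print(cn, "->", authorize_machine(cn, user, REQUIRED_GROUP))
```

The three calls at the bottom cover the admitted machine, a valid machine account that is in the wrong group, and a User-Name that disagrees with the presented certificate. In a real deployment the dict lookup becomes an LDAP search against the global catalog; the decision logic stays the same.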

