Active Directory / Freeradius / ntlm_auth / mail attribute

active-directoryfreeradiusntlmradius

I am currently configuring a linux server with Freeradius to have our clients authenticate against our Active Directory for our WiFi-network.

The goal is to have our users use the e-mail address that is present the Active Directory as the 'mail' attribute and their domain password to authenticate to the WiFi network.

The format of our AD naming is as follows

name: Joe Jonssen
username: foo\jjon1
UPN: jjon1@foo.bar.lan
mail address: j.jonssen@company.com

I currently have ntlm_auth working and am able to login with jjon1 and the password. But we want to login with j.jonssen@company.com and the password.

Is there any way to achieve this, I am not bound to Freeradius as Radius server. We need to use our mail address as username for the WiFi network because we are thinking about joining an initiative like Eduroam and logging in with mail address is required.

Best Answer

You can find out the Username/sAMAccountName by starting a LDAP query to the AD and then performing the NTLM-Authentication.

A very basic bash script mail_to_username (without any input filter) would look like this:

#!/bin/bash

MAIL=$1
NTDOMAIN=$2
CHALLENGE=$3
NTRESPONSE=$4

HOST="ldap://ip-adress"
BASE_DN="OU=Users,DC=example,DC=de"
BIND_DN="LDAP-freeradius@example.de"
PASSWORD="x"
FILTER="mail=$MAIL"

sAMAccountName=`ldapsearch -LLL -x -D "$BIND_DN" -w "$PASSWORD" -b "$BASE_DN" -H "$HOST" "$FILTER" sAMAccountName | grep sAMAccountName | awk '{print $2}'`

/usr/bin/ntlm_auth --request-nt-key --username=$sAMAccountName --domain=$NTDOMAIN --challenge=$CHALLENGE --nt-response=$NTRESPONSE

inside the mschap-module you call the bash-script instead of calling directly ntlm_auth:

ntlm_auth = "/usr/bin/mail_to_username %{mschap:User-Name:-None} %{%{mschap:NT-Domain}:-EXAMPLE} %{mschap:Challenge:-00} %{mschap:NT-Response:-00}"

Related Solutions

Security – Configuring WPA2-Enterprise with Freeradius

This is more of an answer to the comments than the question, but putting it here so I can format it:

You could use the DEFAULT entry in your users file along with a huntgroup to match users based on the username provided.

First step would be to run radiusd in debug mode radiusd -X and capture the format which the username comes in as when it's authenticating as the logged in user, iirc it's something like /hostname$/account.

You can then specify the huntgroup in $raddbdir/huntgroups using a regular expression:

badusers User-Name =~ ^aregex.*$

Then add the huntgroup to a rule with an access-reject return type in the users file.

DEFAULT Huntgroup-Name == badusers, Auth-Type := Reject

Whether this will cause Windows to prompt for a username and password depends on your NAS and the Windows WPA supplicant.

Wifi – Configure FreeRADIUS with Active Driectory allow specific group of users to authenticate

Basically there are two steps to authenticate and authorize users using FreeRADIUS on an Active Directory:

Samba and the ntlm_auth tool (authentication)
LDAP (authorization).

The authorization part will give you more configuration possibilities will support matching on groups as

configured in your FreeRADIUS configuration. By default the group membership check is disabled by default.

You will need to enable it and configure the LDAP connection.

Make sure you use the ldap directive in the authorize stanza of the configuration, and not in the authenticate stanza. In the authenticate stanza ntlm_auth should be used.

After this is set up you will need to restrict the usage to specific users using the users config file:

DEFAULT Auth-Type = ntlm_auth, LDAP-Group = "myfavoriteusers"

Best Answer

Related Solutions

Security – Configuring WPA2-Enterprise with Freeradius

Wifi – Configure FreeRADIUS with Active Driectory allow specific group of users to authenticate

Related Topic