FreeRADIUS - Empty MS-CHAP Name when authenticating computers
by Superspeed500 from LinuxQuestions.org on (#6ETTG)
Hi.
I use FreeRADIUS at home for authenticating and authorizing most of my endpoints connecting to my home wireless network.
All of my main computers are domain-joined to a SAMBA AD domain. The Samba AD domain consists of two domain controllers. Both of the domain controllers are running FreeRADIUS and NTLM_AUTH is configured for authentication while LDAP is used for fetching information about group memberships and such.
I am currently working on a setup where the domain-joined computers should use Computer authentication when not logged in and user-authentication when logged in.
My issue is that all of my computers are using the format DOMAIN\computername$ to log in when the network is configured to use computer- or user-authentication.
Another interesting thing is that some of the computers will use host/computername$ to log in when set to computer authentication only. That works fine, except for the fact that only one of the groups gets fetched by LDAP. User authentication works without any issues for the syntax username and DOMAIN\username. The fetching of groups also works flawlessly with user authentication.
What I did notice on the test computer when running freeradius -X is that the field MS-CHAP Name is empty when computers authenticate using the domain part.
Code:
mschap: WARNING: User-Name (PROD\S500-X220I-WIN$) is not the same as MS-CHAP Name () from EAP-MSCHAPv2
While it is not empty when no domain is specified and the prefix "host/" is there.
Code:
mschap: Creating challenge hash with username: host/s500-x220i-win.prod.superspeed500.net
So what I am struggling to understand is:
- What would cause the MS-CHAP name to be empty?
- Is there any way to get FreeRADIUS to populate it when missing?
Thanks in advance.
FreeRADIUS version: 3.0.21
Samba version: 4.13.13-Debian
Server OS name and version: Debian GNU/Linux 11 (bullseye)