List: freeradius-users
Subject: Re: Windows 10 breaks Samba/LDAP/freeradius machine credentials configuration
From: Alan DeKok <aland () deployingradius ! com>
Date: 2018-06-26 20:40:14
Message-ID: EB001305-6437-4F03-862A-750399704616 () deployingradius ! com
On Jun 26, 2018, at 3:26 PM, Anthony Stuckey <anthonystuckey@gmail.com> wrote:
>
> I find it hard to believe that I'm the first person to come across this
> issue, but I have been unable to find anyone else with these exact
> questions or documentation that discusses this issue.
It looks new, unfortunately.
> It's easy to find a Microsoft document that discusses a problem that I
> don't have, it's very hard to find any document which discusses the problem
> I do have.
> https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment
>
Documentation is hard...
> We use a Samba domain controller with an LDAP backend to provide account
> services for our organization. We have a Cisco wireless lan controller
> which uses freeradius to authenticate with Windows Machine Credentials.
>
> Windows 10 sends different User-Names before and after it is joined to the
> domain, and that causes wireless authentication to fail. Previous versions
> of Windows do not have this behavior, and wireless authentication works
> perfectly.
<sigh> Microsoft finds new and interesting ways to break their software.
> Specifically, the User-Name attribute changes from User-Name =
> "host/i26171" to User-Name = "host/i26171.DOMAIN". The Samba server
> creates an ldap entry with the password attributes under the non-domain
> name, which is then not found when the credentials are presented with the
> domain attached.
You should be able to update the server config to:
a) validate that "host/i26171.DOMAIN" is from the known DOMAIN
b) set up a "realm" to strip "DOMAIN"
c) use Stripped-User-Name in the LDAP queries, instead of User-Name.
> Wed May 23 10:51:04 2018 : Info: [ldap] performing user authorization for
> host/i26171.DOMAIN
No... post the FULL debug output. Using "radiusd -X". Not "radiusd -Xx" or anything else.
> Wed May 23 10:51:04 2018 : Info: [ldap] WARNING: Deprecated conditional
> expansion ":-". See "man unlang" for details
>
> Wed May 23 10:51:04 2018 : Info: [ldap] ... expanding second
> conditional
>
> Wed May 23 10:51:04 2018 : Info: [ldap] expand: %{User-Name} ->
> host/i26171.DOMAIN
>
> Wed May 23 10:51:04 2018 : Info: [ldap] expand:
> (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=host/i26171.DOMAIN)
i.e. you didn't define a realm called "DOMAIN".
> Has anyone else encountered this issue, and what did you do to fix it?
No, and use realms.
> The obvious solution is to rewrite the User-Name attribute in the
> freeradius configuration, but this is seriously frowned upon by the
> freeradius developers, for reasons which are not usually made explicit
> other than vague comments that it might allow a security hole.
The various authentication protocols do hashes based on User-Name. If you rewrite that, the hashes will use the wrong values, and authentication will fail.
The real solution is to use realms. See proxy.conf.
realm DOMAIN {
}
should be all you need.
> Attempts to
> actually do this all seem to end in various error messages and pain.
Exactly.
> Is there any known setting for Windows 10 that will cause it to act in the
> backwards-compatible way?
Ask Microsoft how their software works. I don't have enough time in the day to keep up.
And, people don't seem to update the Wiki with this kind of information. I've been saying for many years that we accept docs from the community. If the docs are insufficient or missing things, well, don't blame *us* for it all. The people complaining about the quality of the docs usually don't update *anything* in the Wiki. Which means there's less sympathy for their complaints.
> Is there any documentation of why Microsoft made this change?
Pfft... that's not going to happen.
> Is this a known issue which is fixed in freeradius3/RHEL7 somehow?
It's not a FreeRADIUS issue. Everyone blames FreeRADIUS for everything, which is one reason I get cranky...
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
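The three steps Alan lists (recognise the realm, strip it, look the machine up by Stripped-User-Name) put together as one added configuration example. This is not configuration from the thread or from the FreeRADIUS project; it assumes the FreeRADIUS 3.0.x file layout, a single-label realm "DOMAIN" as in the quoted log, and the instance name "dotdomain" and the LDAP base_dn are invented for the example. Only the lines shown need to change; "..." marks the rest of each file, left as shipped.

```conf
# Added example, not from the thread. Assumes FreeRADIUS 3.0.x and a
# single-label realm "DOMAIN" as seen in the quoted debug output.

# raddb/proxy.conf: declare the realm as local (no auth_pool / home
# servers), so the realm module strips it instead of proxying to it.
realm DOMAIN {
}

# raddb/mods-available/realm: the stock "suffix" instance splits on "@".
# Machine credentials arrive as "host/i26171.DOMAIN", so add an instance
# that splits on "." (the instance name "dotdomain" is an assumption).
realm dotdomain {
	format = suffix
	delimiter = "."
}

# raddb/sites-available/default, authorize section: run the new instance
# before ldap. For a known realm it sets Stripped-User-Name = "host/i26171"
# and Realm = "DOMAIN". User-Name itself is never rewritten, so the EAP /
# MS-CHAP hashes the client computed over it still verify. A suffix that
# does not match a defined realm leaves Stripped-User-Name unset, which is
# the "validate it is from the known DOMAIN" check: the LDAP lookup then
# falls back to the full User-Name and simply finds nothing.
authorize {
	...
	suffix
	dotdomain
	...
	ldap
	...
}

# raddb/mods-available/ldap: look the entry up by the stripped name, falling
# back to User-Name when nothing was stripped. This is the v3 conditional
# expansion; the ":-" form in the quoted log is the deprecated v2 spelling
# that produced the "Deprecated conditional expansion" warning.
ldap {
	...
	user {
		base_dn = "ou=computers,dc=example,dc=org"   # assumption
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	...
}
```

Verify it with "radiusd -X" as Alan asks: the debug output should show the dotdomain instance setting Stripped-User-Name and the ldap filter expanding to "(uid=host/i26171)". One caveat for multi-label names: a suffix realm instance splits on the last occurrence of its delimiter, so for "host/i26171.example.com" the realm would be "com", not "example.com"; the example above only covers the single-label case the thread shows.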