Yes, it works on ebox-samba, even though I am sure that if I restart samba my changes will be gone.
Still, it is configured to do only 50% of what it is supposed to do.
The Windows logon process in secured wireless access networks works as follows:
1. User enters credentials using GUI
2. Is a network connection available? If no, perform PEAP/MSCHAPv2 authentication using station credentials. If yes, authenticate the user against the domain controller.
3. Perform PEAP/MSCHAPv2 authentication using user credentials.
4. Initiate user session.
As I said, I made PEAP/MSCHAPv2 authentication using user credentials work:
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for olga with NT-Password
expand: --username=%{mschap:User-Name:-None} -> --username=john
expand: %{mschap:NT-Domain} -> MYDOMAIN
expand: --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} -> --domain=MYDOMAIN
[mschap] mschap2: 5f
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=xxxxxxxxxxxx
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=xxxxxxxxxxxxxxxxxx
Exec-Program output: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program-Wait: plaintext: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
The FreeRADIUS configuration file must contain attribute rewrite rules in order to modify the incoming username into a format which matches the names in samba/ldap. Windows sends the machine name in the form host/MACHINE-NAME.DOMAIN-NAME.
I followed the Novell guide on how to strip "host/" and add "$", but so far my understanding of regex statements and the unlang language is not adequate to accomplish it. As a result I cannot configure freeradius to authenticate the workstation.
http://www.novell.com/coolsolutions/feature/17044.html#7
Fortunately, the Microsoft authentication process allows local credentials to be cached, allowing the desktop to be initialized without actually having to issue any network traffic.
Which means that in my case authentication still works, but it is much less secure than an enterprise environment requires:
1. User enters credentials using GUI
2. Is a network connection available? If no, it means no domain controller is available, but the user is able to log on using cached credentials.
3. Perform PEAP/MSCHAPv2 authentication using user credentials.
4. Initiate the user session (now it works, as the wireless connection is successfully established).
If you are good at regex statements and could fix "station" authentication, this ebox PEAP/MSCHAPv2 setup could be rock solid even for enterprise environments.
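An added example of the rewrite the post is asking for, written in FreeRADIUS 2.x unlang; it is not code from the post, from ebox or from the Novell guide. The file names, the /usr/bin/ntlm_auth path and the MYDOMAIN default are assumptions. The rewritten name goes into Stripped-User-Name rather than User-Name, because the mschap module computes the MS-CHAPv2 challenge hash over the User-Name the client sent, and changing that attribute makes every machine logon fail with a bad NT-Response.

```unlang
# sites-enabled/inner-tunnel (assumed file name): PEAP inner requests,
# i.e. the EAP-MSCHAPv2 exchange shown in the post, are processed here.
authorize {
    # Windows identifies the station as host/MACHINE-NAME.DOMAIN-NAME.
    # Samba knows the machine account as MACHINE-NAME$, so capture the
    # part between "host/" and the first "." and append "$". The domain
    # suffix is optional so a bare host/MACHINE-NAME is handled as well.
    if (User-Name =~ /^host\/([^.]+)(\..*)?$/i) {
        update request {
            Stripped-User-Name := "%{1}$"
        }
    }

    # Ordinary user logons are untouched: User-Name stays "john" and
    # Stripped-User-Name is never set, so ntlm_auth below falls back
    # to %{mschap:User-Name} exactly as in the post's working log.
    eap
}

# modules/mschap (assumed file name): prefer the rewritten machine name
# when present, otherwise keep the original behaviour for users.
# The default domain MYDOMAIN is taken from the post's log.
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

With `radiusd -X` running, a station logon should then show `expand: ... -> --username=MACHINE-NAME$` instead of the host/ form, while the user logon output stays identical to the log above.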