Suffix authentication

Alan DeKok aland at deployingradius.com
Wed Aug 11 08:59:36 CEST 2010


Sallee, Stephen (Jake) wrote:
> I have found a working solution for my environment and wanted to share
> it with the list in case it may help someone else.
> 
> In my proxy.conf file I added the following
> ------------------
> realm domainName1 {
> }
> 
> Realm  domainName2{
> }

  The "Realm domainName2" configuration is ignored, and does nothing.
Delete it.

> ------------------
> 
> That fixed my realm problem, not sure why...

  Because the documentation says this is how realms are configured.

> We use Microsoft AD and ntlm_auth for authenticating our users through
> MSCHAPv2 tunneled through a peap session.  I have 2 domains one is a
> child of the other the FreeRADIUS server is joined to the parent domain
> so it can authenticate users from both domains but passing the correct
> domain for the user request was a bugger! In the end what I got to work
> was modifying the ntlm_auth statement at the bottom of the mschap module
> to be the following:
> 
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{outer.request:Realm}  --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> 
> *** --domain=%{outer.request:Realm} was the key, now the realm of the
> request is passed to the ntlm_auth script perfectly and the user is
> authenticated like we all love them to be : )

  Or, you can set "copy_request_to_tunnel" in eap.conf.

  But it *is* odd that the inner and outer user names have different realms.

  As always, running in debugging mode would let you know what's going
on.  But you haven't posted that, so...

  Alan DeKok.
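Added example, not part of the thread and not FreeRADIUS code: a small Python model of the three pieces discussed above, the "suffix" realm split that only fires for a realm actually defined in proxy.conf (so the ignored capital-R block leaves Realm unset), the %{attr:-default} xlat expansion used in the quoted ntlm_auth line, and the inner/outer request distinction inside the PEAP tunnel that makes %{outer.request:Realm} (or copy_request_to_tunnel) necessary. The context dictionaries, the challenge/response values and the realm names are constructed; mschap:Challenge and mschap:NT-Response are module xlats in the real server and are simply looked up in the constructed context here, realm matching is exact, and copy_request_to_tunnel is approximated as "copy outer attributes the inner request lacks".

```python
"""Toy model of FreeRADIUS realm stripping, xlat defaults and PEAP inner/outer
requests, as applied to the ntlm_auth line quoted in the thread. Not server code."""
import shlex


def split_suffix_realm(user_name, known_realms):
    """Mimic rlm_realm in 'suffix' mode: split user@realm on the last '@'.
    Returns (None, None) when the realm is not configured, i.e. no
    Stripped-User-Name and no Realm are added to the request."""
    if "@" not in user_name:
        return None, None
    user, _, realm = user_name.rpartition("@")
    if realm not in known_realms:        # exact match; toy simplification
        return None, None
    return user, realm


def _find_close(s, start):
    """Index of the '}' that closes the '%{' at s[start]."""
    depth, i = 0, start
    while i < len(s):
        if s.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced %{ in: " + s)


def _split_default(body):
    """Split 'left:-right' at the first ':-' outside any nested %{...}."""
    depth, i = 0, 0
    while i < len(body):
        if body.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if body[i] == "}":
            depth -= 1
        elif depth == 0 and body.startswith(":-", i):
            return body[:i], body[i + 2:]
        i += 1
    return body, None


def lookup(ref, ctx):
    """Resolve 'attr' (inner request) or 'list:attr' such as outer.request:Realm."""
    lst, _, attr = ref.rpartition(":")
    return ctx.get(lst or "request", {}).get(attr, "")


def expand(s, ctx):
    """Expand %{ref}, %{ref:-default} and nested forms like %{%{A}:-%{B:-x}}."""
    out, i = [], 0
    while i < len(s):
        if s.startswith("%{", i):
            close = _find_close(s, i)
            left, right = _split_default(s[i + 2:close])
            value = expand(left, ctx) if left.startswith("%{") else lookup(left, ctx)
            if value == "" and right is not None:
                value = expand(right, ctx)   # the default is itself expanded
            out.append(value)
            i = close + 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


# The ntlm_auth line from the thread, unchanged apart from Python string joining.
NTLM_AUTH = ("/usr/bin/ntlm_auth --request-nt-key "
             "--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} "
             "--domain=%{outer.request:Realm} --challenge=%{mschap:Challenge:-00} "
             "--nt-response=%{mschap:NT-Response:-00}")
KNOWN_REALMS = {"domainName1"}   # only the lowercase 'realm' block in proxy.conf counts


def build_tunnel_context(outer_user_name, inner_user_name,
                         known_realms=KNOWN_REALMS, copy_request_to_tunnel=False):
    """Constructed PEAP context: 'suffix' runs in both authorize sections, so each
    request gets Realm only if its own User-Name carries a configured realm."""
    outer, inner = {"User-Name": outer_user_name}, {"User-Name": inner_user_name}
    for req in (outer, inner):
        stripped, realm = split_suffix_realm(req["User-Name"], known_realms)
        if realm is not None:
            req["Stripped-User-Name"], req["Realm"] = stripped, realm
    if copy_request_to_tunnel:           # approximation of the eap.conf option
        for k, v in outer.items():
            inner.setdefault(k, v)
    return {"outer.request": outer, "request": inner,
            "mschap": {"Challenge": "1122334455667788", "NT-Response": "aa" * 24}}


def ntlm_auth_argv(ctx):
    """The argv the server would hand to ntlm_auth after xlat expansion."""
    return shlex.split(expand(NTLM_AUTH, ctx))


if __name__ == "__main__":
    for outer, inner in [("jake@domainName1", "jake"), ("jake@domainName2", "jake")]:
        print(outer, "/", inner, "->", ntlm_auth_argv(build_tunnel_context(outer, inner)))
```

Running it shows the two cases that matter here: an outer identity in the configured realm with a bare inner identity yields `--username=jake --domain=domainName1`, while an outer identity in the realm whose block was ignored yields an empty `--domain=`, which is exactly the symptom of the capital-R block. Setting `copy_request_to_tunnel=True` makes a plain `%{Realm}` resolve inside the inner request as well.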



More information about the Freeradius-Users mailing list