Backslash issue during AD authentication

Jevos, Peter Peter.Jevos at oriflame.com
Fri Jul 16 14:52:34 CEST 2010


> How can I force FreeRADIUS to authenticate through domainame\username

  Get radtest to send the same data as sent by the Cisco client.  See
the server debug output in order to compare the two user names.

  Alan DeKok.


Hi Alan, I forced radtest to pass with this syntax:

1. radtest domainame\\\\\\\username password  localhost 0 testing123
Debug is:
++[mschap] returns noop
[suffix] No '@' in User-Name = "domainname\\username", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
 [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Found Auth-Type = ntlm_auth2
+- entering group authenticate {...}
[ntlm_auth2]    expand: --username=%{mschap:User-Name} -> --username=\username
[ntlm_auth2]    expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth2] returns ok
Login OK: [domainame\\\\username] (from client localhost port 0)


2. The debug output when I use the Cisco VPN client with domainname\\username is the same.

3. radtest doesn't pass with fewer backslashes than 7 :) ( \\\\\\\ )
radtest domainame\\\\\\username password  localhost 0 testing123

[suffix] No '@' in User-Name = "domainame\username", looking up realm NULL
........
 [ntlm_auth2]    expand: --username=%{mschap:User-Name} -> --username=username
[ntlm_auth2]    expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
Exec-Program: returned: 1
++[ntlm_auth2] returns reject
Failed to authenticate the user.
Login incorrect: [domainname\\username/password] (from client localhost port 0)

4. When I use only 2 backslashes:
radtest domainame\\username password  localhost 0 testing123

[suffix] No '@' in User-Name = "domainnameusername", looking up realm NULL
..............
 [ntlm_auth2]    expand: --username=%{mschap:User-Name} -> --username=domainnameusername
[ntlm_auth2]    expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
Exec-Program-Wait: plaintext: NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
Exec-Program: returned: 1
++[ntlm_auth2] returns reject
Failed to authenticate the user.
Login incorrect: [domainnameusername/password] (from client localhost port 0)

I don't have a problem with radtest if the VPN client would authenticate with domainname\username

Thank you
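What decides the `--username=` value ntlm_auth receives is the number of backslashes that actually survive into the User-Name attribute, not the number typed on the command line. The following is an added example (not code from the thread or from FreeRADIUS) that models the `%{mschap:User-Name}` and `%{mschap:NT-Domain}` expansions of rlm_mschap, which split the name at the first backslash, and runs that model over the three `[suffix]` debug lines quoted above, so the `--username=` values seen in each run can be reproduced from the debug output alone. The debug lines are copied from the post; the function names are my own.

```python
import re

# The User-Name values as the three radtest runs above printed them
# (command line with 7, 6 and 2 backslashes respectively).
DEBUG_LINES = [
    r'''[suffix] No '@' in User-Name = "domainname\\username", looking up realm NULL''',
    r'''[suffix] No '@' in User-Name = "domainame\username", looking up realm NULL''',
    r'''[suffix] No '@' in User-Name = "domainnameusername", looking up realm NULL''',
]

USER_NAME_RE = re.compile(r'User-Name = "(.*)"')


def user_name_from_debug(line):
    """Extract the raw User-Name value from a [suffix] debug line (None if absent)."""
    m = USER_NAME_RE.search(line)
    return m.group(1) if m else None


def mschap_user_name(user_name):
    """Model of %{mschap:User-Name}: text after the first backslash,
    or the whole string when there is no backslash at all."""
    _, sep, rest = user_name.partition('\\')
    return rest if sep else user_name


def mschap_nt_domain(user_name):
    """Model of %{mschap:NT-Domain}: text before the first backslash,
    None when no domain prefix is present."""
    domain, sep, _ = user_name.partition('\\')
    return domain if sep else None


def diagnose(line):
    """For one debug line, report the stored User-Name, how many backslashes it
    carries, and what ntlm_auth would receive as --username and as domain."""
    name = user_name_from_debug(line)
    if name is None:
        return None
    return {
        'user_name': name,
        'backslashes': name.count('\\'),
        'ntlm_username': mschap_user_name(name),
        'nt_domain': mschap_nt_domain(name),
    }


if __name__ == '__main__':
    for line in DEBUG_LINES:
        print(diagnose(line))
```

Only the run whose stored User-Name holds exactly one backslash hands ntlm_auth a bare account name with the domain cleanly split off; with two, the second backslash stays in the account name, and with none, the whole string is passed as the username.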