New User and AD Question

Phil Mayers p.mayers at
Wed Mar 2 14:05:53 CET 2011

On 02/03/11 12:41, McNutt, Justin M. wrote:
>>> Also, here is the 'mschap' section from a recent attempt.
>> I don't see anything. Did you forget an attachment?
> Um... yeah.  I'm doing a couple of things at once.  Here it is.
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv2 for host/ with NT-Password
> [mschap]        expand: %{Stripped-User-Name} ->
> [mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
> [mschap]        expand: %{User-Name:-None} ->  host/

As expected - User-Name expands to itself.

> [mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->  --username=host/

That is not "%{mschap:User-Name}", i.e. it's misconfigured.

> [mschap]        expand: --domain=%{mschap:NT-Domain} ->  --domain=col

Ah, yes. Now this I do remember. The %{mschap:NT-Domain} expansion 
assumes that in a host account of the form:


...the old-style short domain is "domain". Of course, this falls apart 
if you have a disjoint DNS/AD namespace:


...or if your new-style DNS domain and old-style NT domain don't match:

host/ vs. NT domain of "CORP" - mycompany != CORP

The only real solution in this case is to not use the 
%{mschap:NT-Domain} expansion - you can't, since there's not enough info 
to get the old-style short domain name in all cases.

So, in /etc/raddb/modules/mschap, set (don't include the line 
continuation \ I've added):

  ntlm_auth = "/path/to/ntlm_auth --request-nt-key \
   --username=%{mschap:User-Name} --domain=YOURDOMAIN \
   --challenge=... --nt-response=..."
