New User and AD Question

McNutt, Justin M. McNuttJ at
Wed Mar 2 14:26:57 CET 2011

> > [mschap]        expand: 
> --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->  
> --username=host/
> That is not "%{mschap:User-Name}". i.e. it's misconfigured

Actually, I tried it both ways, since the longer string shown above was the default.

> > [mschap]        expand: --domain=%{mschap:NT-Domain} ->  
> --domain=col
> Ah, yes. Now this I do remember. The %{mschap:NT-Domain} expansion 
> assumes that in a host account of the form:
> host/
> ...the old-style short domain is "domain". Of course, this falls apart 
> if you have a disjoint DNS/AD namespace:
> host/
> ...or if your new-style DNS domain and old-style NT domain 
> don't match:
> host/ vs. NT domain of "CORP" - 
> mycompany != CORP

And this is the case.
	AD domain =
	NT domain = UMC-USERS

> The only real solution in this case is to not use the 
> %{mschap:NT-Domain} expansion - you can't, since there's not 
> enough info to get the old-style short domain name in all cases.
> So, in /etc/raddb/modules/mschap, set (don't include the line 
> continuation \ I've added):
>   ntlm_auth = "/path/to/ntlm_auth --request-nt-key \
>    --username=%{mschap:User-Name} --domain=YOURDOMAIN \
>    --challenge=... --nt-response=..."

Good news:  

Login OK: [host/] (from client test-wss2380 port 573 cli 00-90-4B-2F-80-B4)
+- entering group post-auth {...}
++[exec] returns noop
} # server campus-eap
Sending Access-Accept of id 179 to port 20009

Bad news:

I have a multi-domain environment.  If I hard-code the domain in here, then only users or hosts from that domain will be able to authenticate.  How can I make it recognize the others and behave correctly?

It's fine if I have to write some code using string matching and switch/case.  But I can't restrict access to only one domain.
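The string-matching approach raised above, as an added Python illustration (not code from this thread or from FreeRADIUS): it contrasts the first-label heuristic behind %{mschap:NT-Domain} with an explicit DNS-suffix-to-NT-domain table, so a disjoint namespace maps to the right short domain and an unknown suffix is rejected rather than guessed. The suffix table, hostnames and domain names are constructed.

```python
import re

# Constructed mapping maintained by the administrator: DNS suffix -> NT domain.
# Nothing in the thread supplies real values; these are placeholders.
DNS_TO_NT = {
    "corp.mycompany.com": "CORP",
    "ad.mycompany.com": "CORP",            # disjoint DNS/NT namespace
    "umc-users.example.edu": "UMC-USERS",  # placeholder for the poster's domain
}

HOST_PREFIX = "host/"


def naive_nt_domain(user_name):
    """Mimic the %{mschap:NT-Domain} heuristic described in the thread:
    for host/name.domain.tld take the label after the hostname, uppercased;
    for DOMAIN\\user take DOMAIN. Returns None when no domain can be found."""
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    if user_name.startswith(HOST_PREFIX):
        labels = user_name[len(HOST_PREFIX):].split(".")
        if len(labels) >= 2 and labels[1]:
            return labels[1].upper()
    return None


def nt_domain_for(user_name, mapping=DNS_TO_NT):
    """Explicit lookup: the longest DNS suffix in `mapping` that matches the
    host account wins; DOMAIN\\user is honoured as given; anything unmatched
    returns None so the caller can reject instead of hard-coding one domain."""
    if "\\" in user_name:
        return user_name.split("\\", 1)[0].upper()
    fqdn = user_name[len(HOST_PREFIX):] if user_name.startswith(HOST_PREFIX) else user_name
    fqdn = fqdn.lower().rstrip("$")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", fqdn):
        return None  # not a well-formed FQDN: refuse to guess
    best = None
    for suffix, nt_domain in mapping.items():
        if fqdn == suffix or fqdn.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, nt_domain)
    return best[1] if best else None
```

The mapping function is the piece a switch/case block in the RADIUS configuration would reproduce; the heuristic is kept only to show where it diverges.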
