ntlm_auth and UPN suffix for user-name
Shawn Wilson
swilson at acs.on.ca
Fri Jun 3 21:24:31 CEST 2016
Hi, I'm trying to configure freeradius 2.x to authenticate users against 3 different domains in an active directory forest. Currently, I have the proxy.conf file configured for each realm like so:
realm domain.name {
    auth_pool = my_auth_failover
}
realm sub1.domain.name {
    auth_pool = my_auth_failover
}
realm sub2.domain.name {
    auth_pool = my_auth_failover
}
Then I can pass the domain to the ntlm_auth command by using the "-domain=%{realm}" parameter. Everything works fine as long as User-Name is in the format <username>@<my.domain.name>.
HOWEVER, the big problem I'm encountering is that we need users to authenticate via alternate UPN suffixes. It turns out ntlm_auth will not authenticate against these suffixes, only the actual domain names.
Soooo, my question is: How can I change the UPN suffixes to their corresponding domain names? I tried using preprocess and the hints file configured like this:
DEFAULT User-Name =~ "^([^@]+)@upnsuffix1.name"
    User-Name := "%{1}@domain.name"
But that seemed to break EAP because it detected that the user-name changed.
Any help would be greatly appreciated,
Shawn
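The following is an added example (not code from the post above and not part of FreeRADIUS) that reproduces the User-Name mapping the hints rule is trying to express, so it can be checked against sample names before touching the server config. It assumes a constructed table mapping alternate UPN suffixes to the forest domains named in the proxy.conf (the suffix names and users are placeholders), and it goes beyond the single regex in the post by handling several suffixes, case-insensitive matching, names that already carry a forest domain, and names with no or an unknown suffix. It only computes the domain that ntlm_auth would need; it does not change the identity the EAP session is bound to.

```python
import re

# Constructed mapping of alternate UPN suffixes to the AD domain that owns
# them. Placeholder names, not taken from the original post.
UPN_SUFFIX_TO_DOMAIN = {
    "upnsuffix1.name": "domain.name",
    "upnsuffix2.name": "sub1.domain.name",
}

# Real domains of the forest (the realm names from the post's proxy.conf).
# A User-Name already carrying one of these needs no rewriting.
FOREST_DOMAINS = {"domain.name", "sub1.domain.name", "sub2.domain.name"}

# Same shape as the hints rule: everything before the first '@' is the
# user part, everything after it is the suffix.
_UPN_RE = re.compile(r"^(?P<user>[^@]+)@(?P<suffix>[^@]+)$")


def resolve_ntlm_domain(user_name):
    """Return (user, ad_domain) for a UPN-style User-Name.

    Returns None when the name has no '@' part, or when the suffix is
    neither a forest domain nor a known alternate UPN suffix; a caller
    should then reject rather than guess a domain.
    """
    m = _UPN_RE.match(user_name)
    if not m:
        return None
    user = m.group("user")
    suffix = m.group("suffix").lower()  # DNS names compare case-insensitively
    if suffix in FOREST_DOMAINS:
        return user, suffix
    domain = UPN_SUFFIX_TO_DOMAIN.get(suffix)
    if domain is None:
        return None
    return user, domain


def rewritten_user_name(user_name):
    """Equivalent of the hints rewrite: user@<real domain>, or None."""
    resolved = resolve_ntlm_domain(user_name)
    if resolved is None:
        return None
    user, domain = resolved
    return "%s@%s" % (user, domain)


def ntlm_auth_argv(user_name):
    """Build the ntlm_auth argument list for the resolved domain.

    The password is left to ntlm_auth's own input handling (e.g. via its
    --password option or stdin) and is deliberately not placed here.
    """
    resolved = resolve_ntlm_domain(user_name)
    if resolved is None:
        return None
    user, domain = resolved
    return ["ntlm_auth", "--domain=%s" % domain, "--username=%s" % user]


if __name__ == "__main__":
    # Constructed sample names exercising each branch.
    for name in ("alice@upnsuffix1.name", "Bob@SUB2.DOMAIN.NAME",
                 "carol@unknown.example", "noatsign"):
        print(name, "->", rewritten_user_name(name), ntlm_auth_argv(name))
```

The point of keeping the user part and the resolved domain separate is that the domain can be fed to ntlm_auth on its own, whereas rewriting User-Name itself is what the post reports as breaking the EAP session.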