Yes I do hardcode the domain into the /etc/raddb/mods-available/mschap file: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-00} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-CFS.UOGUELPH.CA} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" If I understand correctly from other posts, if client specify a domain name, it will use that domain name regardless of the ntlm_auth configuration? As far as the client side, it is configured with cfs.uoguelph.ca domain, I am sure why it would use domain cfs. Are there any other places to check for the domain being used by machine auth? ----- Original Message ----- From: "Matthew Newton" <mcn4@leicester.ac.uk> To: dxu@uoguelph.ca, "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Tuesday, December 8, 2015 4:22:39 PM Subject: Re: Machine auth fails but user auth works On Tue, Dec 08, 2015 at 12:39:33PM -0500, Dennis Xu wrote: The EXPAND domain value from user auth is "domain=CFS.UOGUELPH.CA" which is correct, but it got "domain=cfs" in the machine auth case. I am not sure if that is important. Unless you have more than one domain, I would personally just hardcode the domain into the ntlm_auth command in the config. I do that here. It's one less thing to go wrong. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>