Hello everybody, last week I was working out a freeradius 1.1.1 + ldap with domain authentication. I got it running with the help of Phil Mayers with this configuration: authorize { preprocess ntdomain # other modules } realm MYDOMAIN { type = radius authhost = LOCAL accthost = LOCAL strip } But it didn't work till I enable ntdomain_hack in the mschap module: with_ntdomain_hack = yes The truth is I don't understand it at all. Here's my thinking: When someone is trying to authenticate and he belongs to a domain, in the request packet windows sends a string like: MYDOMAIN\\username In the authorization part, using the realm ntdomain, the server can strip the User-Name and use only username so it can find it in ldap. But when it comes to the authorization module it fails. Here's part of the log: Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) ............... rad_recv: Access-Request packet from host 192.168.51.162:1024, id=50, length=279 Acct-Session-Id = "2a6bb0b4-00000017" NAS-Port = 8 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1496 Framed-IP-Address = 255.255.255.254 User-Name = "MYDOMAIN\\prueba_freeradius" Calling-Station-Id = "00-04-23-8D-4B-0E" Service-Type = Framed-User EAP-Message = 0x02b1006c190017030100610d895f029ebe43af255559638cf1e7e9d0639a11e7d7dfec4a794bee5fbee0a2bf64947cd8a99ad354fa03d6a0913904068c58dd975f8a122a929bc477b2af67b8907c9a4c6a2765188e878ca77f07e45a5329a20fd473989289fdfe3c23eb646b State = 0x908673323bd5eac7e882e906e316049f Colubris-AVPair = "ssid=aamm" Message-Authenticator = 0x8e2b19ea1dfd0d6f0f5b4c895f619818 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 rlm_realm: Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN\prueba_freeradius" rlm_realm: Found realm "MYDOMAIN" rlm_realm: Adding Stripped-User-Name = "prueba_freeradius" rlm_realm: Proxying request from user prueba_freeradius to realm MYDOMAIN rlm_realm: Adding Realm = "MYDOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 14 radius_xlat: '/usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509' rlm_detail: /usr/local/radius_regex/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509 modcall[authorize]: module "auth_log" returns ok for request 14 modcall[authorize]: module "chap" returns noop for request 14 modcall[authorize]: module "mschap" returns noop for request 14 rlm_realm: Request already proxied. Ignoring. modcall[authorize]: module "suffix" returns noop for request 14 rlm_eap: EAP packet type response id 177 length 108 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 14 rlm_ldap: - authorize rlm_ldap: performing user authorization for prueba_freeradius radius_xlat: '(uid=prueba_freeradius)' radius_xlat: 'ou=Central,dc=bcn,dc=es' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Central,dc=bcn,dc=es, with filter (uid=prueba_freeradius) rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value xxx & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user prueba_freeradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 14 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 14 modcall: leaving group authorize (returns updated) for request 14 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 14 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x02b100551a02b1005031d780cac8a727745249e57389beb21e6800000000000000004a4d93fb40b1108062905326a78ff4081fea67b75e569815004d59444f4d41494e5c7072756562615f66726565726164697573 PEAP: Setting User-Name to MYDOMAIN\prueba_freeradius PEAP: Adding old state with dc 47 PEAP: Sending tunneled request EAP-Message = 0x02b100551a02b1005031d780cac8a727745249e57389beb21e6800000000000000004a4d93fb40b1108062905326a78ff4081fea67b75e569815004d59444f4d41494e5c7072756562615f66726565726164697573 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "MYDOMAIN\\prueba_freeradius" State = 0xdc47453244df028b4a9c81ff38a17be9 Acct-Session-Id = "2a6bb0b4-00000017" NAS-Port = 8 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1496 Framed-IP-Address = 255.255.255.254 Calling-Station-Id = "00-04-23-8D-4B-0E" Service-Type = Framed-User Colubris-AVPair = "ssid=aamm" NAS-IP-Address = 192.168.51.162 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 rlm_realm: Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN\prueba_freeradius" rlm_realm: Found realm "MYDOMAIN" rlm_realm: Adding Stripped-User-Name = "prueba_freeradius" rlm_realm: Proxying request from user prueba_freeradius to realm MYDOMAIN rlm_realm: Adding Realm = "MYDOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 14 radius_xlat: '/usr/local/radius_regex/var/log/radius/radacct/127.0.0.1/auth-detail-20060509' rlm_detail: /usr/local/radius_regex/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius_regex/var/log/radius/radacct/127.0.0.1/auth-detail-20060509 modcall[authorize]: module "auth_log" returns ok for request 14 modcall[authorize]: module "chap" returns noop for request 14 modcall[authorize]: module "mschap" returns noop for request 14 rlm_realm: Request already proxied. Ignoring. modcall[authorize]: module "suffix" returns noop for request 14 rlm_eap: EAP packet type response id 177 length 85 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 14 rlm_ldap: - authorize rlm_ldap: performing user authorization for prueba_freeradius radius_xlat: '(uid=prueba_freeradius)' radius_xlat: 'ou=Central,dc=bcn,dc=es' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Central,dc=bcn,dc=es, with filter (uid=prueba_freeradius) rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value xxx & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user prueba_freeradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 14 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 14 modcall: leaving group authorize (returns updated) for request 14 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 14 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 14 rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: Told to do MS-CHAPv2 for MYDOMAIN\prueba_freeradius with NT-Password rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 14 modcall: leaving group MS-CHAP (returns reject) for request 14 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 14 modcall: leaving group authenticate (returns reject) for request 14 auth: Failed to validate the user. Login incorrect: [prueba_freeradius/<no User-Password attribute>] (from client localhost port 8 cli 00-04-23-8D-4B-0E) PEAP: Got tunneled reply RADIUS code 3 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User MS-CHAP-Error = "\261E=691 R=1" EAP-Message = 0x04b10004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0x8153428 3 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User MS-CHAP-Error = "\261E=691 R=1" EAP-Message = 0x04b10004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE modcall[authenticate]: module "eap" returns handled for request 14 modcall: leaving group authenticate (returns handled) for request 14 Sending Access-Challenge of id 50 to 192.168.51.162 port 1024 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x01b200261900170301001b6c9a8c161b62aec589f4a4f92e58f4c76ec7ae250761970d9213c7 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa18cd510394250c8136571f619e429e0 Finished request 14 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.51.162:1024, id=36, length=209 Acct-Session-Id = "2a6bb0b4-00000017" NAS-Port = 8 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1496 Framed-IP-Address = 255.255.255.254 User-Name = "MYDOMAIN\\prueba_freeradius" Calling-Station-Id = "00-04-23-8D-4B-0E" Service-Type = Framed-User EAP-Message = 0x02b200261900170301001bd89d386a7c80dcf210c271671421915148555085d02e7c2a34149e State = 0xa18cd510394250c8136571f619e429e0 Colubris-AVPair = "ssid=aamm" Message-Authenticator = 0xacf972ea063d9318ee2b2dad1613cc3c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 15 modcall[authorize]: module "preprocess" returns ok for request 15 rlm_realm: Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN\prueba_freeradius" rlm_realm: Found realm "MYDOMAIN" rlm_realm: Adding Stripped-User-Name = "prueba_freeradius" rlm_realm: Proxying request from user prueba_freeradius to realm MYDOMAIN rlm_realm: Adding Realm = "MYDOMAIN" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 15 radius_xlat: '/usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509' rlm_detail: /usr/local/radius_regex/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius_regex/var/log/radius/radacct/192.168.51.162/auth-detail-20060509 modcall[authorize]: module "auth_log" returns ok for request 15 modcall[authorize]: module "chap" returns noop for request 15 modcall[authorize]: module "mschap" returns noop for request 15 rlm_realm: Request already proxied. Ignoring. modcall[authorize]: module "suffix" returns noop for request 15 rlm_eap: EAP packet type response id 178 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 15 rlm_ldap: - authorize rlm_ldap: performing user authorization for prueba_freeradius radius_xlat: '(uid=prueba_freeradius)' radius_xlat: 'ou=Central,dc=bcn,dc=es' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=Central,dc=bcn,dc=es, with filter (uid=prueba_freeradius) rlm_ldap: looking for check items in directory... rlm_ldap: Adding userPassword as User-Password, value xxx & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user prueba_freeradius authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 15 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 15 modcall: leaving group authorize (returns updated) for request 15 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 15 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 15 modcall: leaving group authenticate (returns invalid) for request 15 auth: Failed to validate the user. Login incorrect: [prueba_freeradius/<no User-Password attribute>] (from client ap port 8 cli 00-04-23-8D-4B-0E) Delaying request 15 for 1 seconds Finished request 15 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Sending Access-Reject of id 36 to 192.168.51.162 port 1024 After reading the comments of with_ntdomain_hack, what i get is this: The first time windows sends the id, the User-Name = MYDOMAIN\\username, but when he response the access-challenge the User-Name = username. I wonder why the server expects MYDOMAIN\\username. After the realm the server will only see User-Name = username in ldap-authorization. And as windows sends for replying the challenge only username, I thought this second time realm was not going to be aplicable. So I think I don't understand this operation. And as I don't understand it I can't work out a new configuration like: freeradius 1.1.1 + ldap + machine authentication. User-Name = host/username I have tried it making a new realm with this configuration radiusd.conf realm hostdm { format = prefix delimiter = "/" ignore_default = no ignore_null = no } authorize { preprocess hostdm # other modules } proxy.conf: realm host { type = radius authhost = LOCAL accthost = LOCAL strip } But I got me into the same situation as with ntdomain + with_ntdomain_hack=no. Then I try with the hints file: DEFAULT User-Name =~ "^([^/]+)/([^/]+)" User-Name := `%{2}` But the same. So I don't know what to do. Is there another feature like with_ntdomain_hack for this ? I could put some logs if needed. If there is something unintelligible please tell me, because my english is terrible, as you can notice. Thanks.