I'm not sure why, then, but it actually does work. We have shown that with the client configured to use "user@e.mail.address" (where e.mail.address is NOT the same as the AD domain), if I have FR look for 'e.mail.address' and translate it to the correct NT domain, authentication succeeds. The user name must not be part of the crypto calculation or it would fail. I've been able to "correct" all kinds of things in the user name and set the domain manually to whatever I want. As long as I supply the correct password on the client side to what I happen to know the RADIUS server has mapped my ID to, authentication is successful. --J From: Phil Mayers <p.mayers@imperial.ac.uk<mailto:p.mayers@imperial.ac.uk>> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>> Date: Fri, 3 Feb 2012 12:48:30 +0000 To: <freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org>> Subject: Re: Multi-domain AD and Users Who Aren't So Bright On 02/02/2012 05:33 PM, NdK wrote: Il 02/02/2012 13:35, McNutt, Justin M. ha scritto: Thoughts? Opinions? Better ways to accomplish any/all of this? Briefly, there's probably not much you can do to improve this. If you have such a complex domain environment, you're going to have to write complex policies OR mandate your users always use the correct "DOM\user" format. Or make 'em use their institutional email address. Easier to remember :) This doesn't work, unless username == email local part. Seems trivial but it might not be. At least in our case we have 3 kinds of email addresses, referring to 2 domains. And the name before the '@' sign might not be the same as the sAMAccountName. Exactly. And this name is mixed into the challenge/response. If you try to use email addresses, the client will calculate: response = crypto(challenge, e.mail@domain.com<mailto:e.mail@domain.com>, password) Let's assume you map email -> username on your radius servers: Real-Username = some_lookup(User-Name) ...and you then call ntlm_auth, this basically asks the domain controllers: is_valid(Real-Username, challenge, response) The domain controllers do this: expected_response = crypto(challenge, samaccountname, stored_password) if response != expected_response: error else success See the problem? The domain controller performs its crypto calculation on the samaccountname. The client performs its crypto on the email addresses. The results differ, and authentication fails. Basically, usernames != email address, unless you MAKE them the same. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html