Hello Esteemed Colleagues, I know that using samba and NTLM_auth UPN authentication is not meant to work. However, much to my embarrassment with management, it does. Sometimes. I am able to login to our WiFi with my UPN login instead of my windows login (these 2 addresses differ significantly for everyone). I cannot determine when and where it works. Sometimes it lets us through, other times denies us. Any help is appreciated. Here is the output of radiusd -X radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_always # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loaded module rlm_pap # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap pap { auto_header = no normalise = yes } # Loaded module rlm_radutmp # Instantiating module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_exec # Instantiating module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=company.net --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups" hints = "/usr/local/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints # Instantiating module "echo" from file /usr/local/etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Instantiating module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/usr/local/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_detail # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail detail { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Loaded module rlm_mschap # Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" passchange { } allow_retry = yes } # Loaded module rlm_realm # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Instantiating module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response # Loaded module rlm_cache # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap cache cache_eap { key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 16384 epoch = 0 add_stats = no } # Loaded module rlm_logintime # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_dynamic_clients # Instantiating module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_soh # Instantiating module "soh" from file /usr/local/etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_files # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files files { filename = "/usr/local/etc/raddb/mods-config/files/authorize" usersfile = "/usr/local/etc/raddb/mods-config/files/authorize" acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy" compat = "no" } reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy # Loaded module rlm_passwd # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Loaded module rlm_chap # Instantiating module "chap" from file /usr/local/etc/raddb/mods-enabled/chap # Instantiating module "exec" from file /usr/local/etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration # Loaded module rlm_utf8 # Instantiating module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8 # Loaded module rlm_dhcp # Instantiating module "dhcp" from file /usr/local/etc/raddb/mods-enabled/dhcp # Loaded module rlm_expr # Instantiating module "expr" from file /usr/local/etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } # Loaded module rlm_eap # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 4096 } # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/radius.key" certificate_file = "/usr/local/etc/raddb/certs/radius.CompanyRadiusCA.pem" private_key_password = "corled" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = yes } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Loaded module rlm_linelog # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog linelog { filename = "/usr/local/var/log/radius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "%{%{Packet-Type}:-format}" } # Loaded module rlm_unix # Instantiating module "unix" from file /usr/local/etc/raddb/mods-enabled/unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } # Loaded module rlm_digest # Instantiating module "digest" from file /usr/local/etc/raddb/mods-enabled/digest # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 dir_permissions = 493 locking = no log_packet_header = no } } # modules radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf } # server server default { # from file /usr/local/etc/raddb/sites-enabled/default # Creating Auth-Type = ntlm_auth # Creating Auth-Type = digest # Loading authenticate {...} # Loading authorize {...} # Loading virtual module ntlm_auth # Loading virtual module filter_username WARNING: Ignoring "sql" (see raddb/mods-available/README.rst) WARNING: Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading virtual module acct_unique # Loading accounting {...} WARNING: Ignoring "sql" (see raddb/mods-available/README.rst) # Loading post-proxy {...} # Loading post-auth {...} WARNING: Ignoring "sql" (see raddb/mods-available/README.rst) # Loading virtual module remove_reply_message_if_eap # Loading virtual module remove_reply_message_if_eap } # server default server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading virtual module ntlm_auth WARNING: Ignoring "sql" (see raddb/mods-available/README.rst) WARNING: Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} WARNING: Ignoring "sql" (see raddb/mods-available/README.rst) } # server inner-tunnel thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 cleanup_delay = 5 max_queue_size = 65536 auto_limit_acct = no Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread 1 waiting to be assigned a request Thread spawned new child 3. Total threads in pool: 3 Thread 2 waiting to be assigned a request Thread 3 waiting to be assigned a request Thread spawned new child 4. Total threads in pool: 4 Thread spawned new child 5. Total threads in pool: 5 Thread 4 waiting to be assigned a request Thread pool initialized radiusd: #### Opening IP addresses and Ports #### Thread 5 waiting to be assigned a request listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy address * port 1814 Listening on proxy address * port 1814 Ready to process requests. Threads: total/active/spare threads = 5/0/5 And here is an example of freeradius allowing through my login with UPN: Thread 4 waiting to be assigned a request Waking up in 0.2 seconds. Thread 3 got semaphore Thread 3 handling request 16, (4 handled so far) (16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (16) authorize { (16) ntlm_auth.authorize ntlm_auth.authorize { (16) ? if (!control:Auth-Type && User-Password) (16) ? if (!control:Auth-Type && User-Password) -> FALSE (16) } # ntlm_auth.authorize ntlm_auth.authorize = notfound (16) filter_username filter_username { (16) ? if (User-Name =~ / /) (16) ? if (User-Name =~ / /) -> FALSE (16) ? if (User-Name =~ /@.*@/ ) (16) ? if (User-Name =~ /@.*@/ ) -> FALSE (16) ? if (User-Name =~ /\\.\\./ ) (16) ? if (User-Name =~ /\\.\\./ ) -> FALSE (16) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (16) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (16) ? if (User-Name =~ /\\.$/) (16) ? if (User-Name =~ /\\.$/) -> FALSE (16) ? if (User-Name =~ /@\\./) (16) ? if (User-Name =~ /@\\./) -> FALSE (16) } # filter_username filter_username = notfound (16) [preprocess] = ok (16) [chap] = noop (16) [mschap] = noop (16) [digest] = noop (16) suffix : Looking up realm "company.com" for User-Name = "sam.fakhreddine@company.com" (16) suffix : No such realm "company.com" (16) [suffix] = noop (16) eap : EAP packet type response id 226 length 96 (16) eap : Continuing tunnel setup. (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = EAP (16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (16) authenticate { (16) eap : Expiring EAP session with state 0xab50bbb0aeb2a2e9 (16) eap : Finished EAP session with state 0xab50bbb0aeb2a2e9 (16) eap : Previous EAP request found for state 0xab50bbb0aeb2a2e9, released from the list (16) eap : Peer sent PEAP (25) (16) eap : EAP PEAP (25) (16) eap : Calling eap_peap to process EAP data (16) eap_peap : processing EAP-TLS (16) eap_peap : eaptls_verify returned 7 (16) eap_peap : Done initial handshake (16) eap_peap : eaptls_process returned 7 (16) eap_peap : FR_TLS_OK (16) eap_peap : Session established. Decoding tunneled attributes. (16) eap_peap : Peap state WAITING FOR INNER IDENTITY (16) eap_peap : Identity - sam.fakhreddine@company.com (16) eap_peap : Got inner identity 'sam.fakhreddine@company.com' (16) eap_peap : Setting default EAP type for tunneled EAP session. (16) eap_peap : Setting User-Name to sam.fakhreddine@company.com (16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (16) authorize { (16) ntlm_auth.authorize ntlm_auth.authorize { (16) ? if (!control:Auth-Type && User-Password) (16) ? if (!control:Auth-Type && User-Password) -> FALSE (16) } # ntlm_auth.authorize ntlm_auth.authorize = notfound (16) [chap] = noop (16) [mschap] = noop (16) suffix : Looking up realm "company.com" for User-Name = "sam.fakhreddine@company.com" (16) suffix : No such realm "company.com" (16) [suffix] = noop (16) update control { (16) Proxy-To-Realm := 'LOCAL' (16) } # update control = noop (16) eap : EAP packet type response id 226 length 31 (16) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = EAP (16) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (16) authenticate { (16) eap : Peer sent Identity (1) (16) eap : Calling eap_mschapv2 to process EAP data (16) eap_mschapv2 : Issuing Challenge (16) eap : New EAP session, adding 'State' attribute to reply 0x78c6265278253c43 (16) [eap] = handled (16) } # authenticate = handled (16) eap_peap : Got tunneled Access-Challenge (16) eap : New EAP session, adding 'State' attribute to reply 0xab50bbb0adb3a2e9 (16) [eap] = handled (16) } # authenticate = handled (16) Finished request 16. Thread 3 waiting to be assigned a request Sam Fakhreddine Site System Administrator Ledcor Industries Inc., Information Services 7008 Roper Road NW, Edmonton, AB T6B 3H2 p 780-395-5455 | c 780-996-0763 www.ledcor.com<http://www.ledcor.com/> FORWARD. TOGETHER.