On 10/19/2010 10:37 PM, Cannady, Mike wrote:
Our AD (2003) setup has the domain name as "htc.com". The pre-windows 2000 domain name is "HORRY".
Uh oh. Then I think you're going to have problems. ntlm_auth when it expands %{mschap:NT-Domain} assumes that the username will be of the form: host/machinename.prewin2kname.domain.com That is, that the downlevel domain is the first component of the new domain. You can either hardcode the domain, or write some unlang/regexp to extract the domain yourself e.g. if (User-Name =~ /host\/([^.]+)\.(.+)/) { update request { User-Name = "%{1}$" Tmp-String-0 = "%{2}" } if (Tmp-String-0 =~ /.*\.htc\.com/i) { update config { My-Mschap-Domain := "HTC.COM" } } } ...and set your ntlm_auth command to contain: ... --domain=%{%{My-Mschap-Domain}:-%{mschap:NT-Domain}} ...making sure to define the My-Mschap-Domain in /etc/raddb/dictionary: ATTRIBUTE My-Mschap-Domain 3000 string TBH I'm not sure what the "right" approach for FreeRadius to take is. It's possible for the host/name syntax to contain lots of stuff e.g. DNS names which are children of (or completely unrelated to) either the downlevel or win2k-style domain. Short of hard-coding the domain or doing something like above, it's difficult to see how FreeRadius could handle this. I wonder what Microsoft NPS does?