i'm not splitting user name from realm (well i don't know), below is an example with NT-Domain expand: (not working host/host.domain.local eap/peap but works ppp authorization from all domains User-name is DOMAIN\\user and domain is correctly expanded it works also with OTHERDOMAIN\\otheruser - another trusted ads domain)
<code> server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 9 length 89 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password expand: --username=%{mschap:User-Name:-None} -> --username=somehost$ expand: --domain=%{mschap:NT-Domain:-DOMAIN} -> --domain=domain <--- here mschap2: fa expand: --challenge=%{mschap:Challenge:-00} -> --challenge=19601d7be2fxxxxx expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=3a04766fxxxxxxxbfaedba4977c0xxxxxxx Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject </code>
and here is an example without NT-Domain expand for ntlm_auth (it is working well for only "domain.local" and "DOMAIN\\user" but not for thrusted OTHERDOMAIN\\otheruser ):
<code> server inner-tunnel { +- entering group authorize ++[chap] returns noop ++[mschap] returns noop ++[unix] returns notfound rlm_realm: No '@' in User-Name = "host/somehost.domain.local", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++[control] returns noop rlm_eap: EAP packet type response id 7 length 89 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password. rlm_mschap: No Cleartext-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for host/somehost.domain.local with NT-Password expand: --username=%{mschap:User-Name:-None} -> --username=somehost$ mschap2: 96 expand: --challenge=%{mschap:Challenge:-00} -> --challenge=2dff1a169cxxxxx expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=7fa7664801defd917c241937bd4xxxxxxx Exec-Program output: NT_KEY: 7C54FDDBA668A77xxxxxxxx Exec-Program-Wait: plaintext: NT_KEY: 7C54FDDBA668A77Fxxxxxx Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok </code>
OK. So you need two mschap instances one for NT format (DOMAIN\\user type - with NT-Domain in ntlm_auth) and one for IPASS (host/somehost.domain.local type - without) format. Use unlang to detect the delimiter and switch the correct instance replacing mschap in authorize and inside Auth-Type MSCHAP. Ivan Kalik Kalik Informatika ISP