Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 573 cli 00-90-4B-2F-80-B4) +- entering group post-auth {...} ++[exec] returns noop } # server campus-eap Sending Access-Accept of id 179 to 128.206.131.253 port 20009
Cool.
Bad news:
I have a multi-domain environment. If I hard-code the domain in here, then only users or hosts from that domain will be able to authenticate. How can I make it recognize the others and behave correctly?
It's fine if I have to write some code using string matching and switch/case. But I can't restrict access to only one domain.
I think you'll have to do that. The tedious bit is matching the domains in the regexps. My advice would be to define a local, internal-only attribute in /etc/raddb/dictionary: ATTRIBUTE My-NT-Domain 3003 string ...and set this in your regexps: if (User-Name =~ /host[/].+[.]domain.com/) { update request { My-NT-Domain = "DOMAIN.COM" } } elsif (...) { } ...then in your ntlm_auth helper, do: ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."