On Jan 17, 2019, at 9:56 AM, WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
It's for a govroam RADIUS - locally it needs to authenticate against AD. 95% of the users are in one container, 5% in another. Ideal world I'd like 100% of users to be able to authenticate, I'd be delighted to get 95% working and move the other 5% to be in the same container...
RADIUS realm = example.com AD domains = a.example.com & b.example.com
If I use ntlm_auth from the command line of the RADIUS server and explicitly specify the domain a.example.com then authentication is successful. If I use ntlm_auth from the command line of the RADIUS server and don't specify the domain a.example.com then authentication is unsuccessful.
If I use a radius client user@example.com and user is valid in AD domain a.example.com then FR returns
(7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (7) mschap: External script failed (7) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (7) mschap: ERROR: MS-CHAP2-Response is incorrect
The short answer there is to fix AD so that it looks users up in the right domain... it should be able to do this.
My supposition is that I'm not passing the correct AD domain to authenticate but I cannot fathom where I need to modify the config to make that translation.
A better question is what is the "correct" AD domain? How do you know which user is in which domain? i.e. can *FreeRADIUS* tell which user is in which domain? If so, the configuration should be simple. If not, it gets a lot more complex. Alan DeKok.