Hi, First time poster. I've been tasked with setting up a freeRADIUS (FR) server in order to join eduroam under the following conditions: authentication against Active Directory where we have two domains, the realm passed doesn't indicate the AD domain, and I can only join one domain "domainA", but there's trust between the domains. realm = user@uni.edu domainA.ad.uni.edu domainB.ad.uni.edu I've built a CentOS 7 server with FR 3.0.13 and winbind 4.8.3. Joined the server to the first domain and I'm able to authenticate users against both domains using the ntlm_auth command. As a first step, following the posted instructions "Configuring Authentication with Active Directory" I edited the mschap to use ntlm_auth setting "--domain=domainA". And I've set radiusd to run as root. Using the eapol_test program I'm able to authenticate as userA using both "-c ttls-mschap.conf" & "-c peap-mschap.conf" and I'm able to authenticate my iPad to our wireless . So far everything works as expected when setup for a single domain. file: mods-enabled/mschap mschap { ... ntlm_auth --domain=domainA ... In order to authenticate to both AD domains I followed a forum posting "PEAP and multiple domains" and created two additional domain instances for mschap in the radius.conf and updated both the default and inner-tunnels. raddb/radius.conf ... modules { $INCLUDE mods-enabled/ mschap mschap.domainA{ ntlm_auth = "/usr/bin/ntlm_auth --domain=domainA --allow-mschapv2 ... } mschap mschap.domainB{ ntlm_auth = "/usr/bin/ntlm_auth --domain=domainB --allow-mschapv2 ... } } sites-enabled/inner-tunnel (updated both default and inner-tunnel) In the "authorize section {" if mschap isn't commented out then it sets "Auth-Type = mschap". This seems contrary to the documentation within the file. Again running FR 3.0.13. Commented out mschap adding "mschap.domainA". This appears to set "Auth-Type = MS-CHAP". I'm not sure how the "Auth-Type" is determine, why one configuration results in "Auth-Type = mschap" and another "Auth-Type = MS-CHAP". aurhorized { ... # If the users are logging in with an MS-CHAP-Challenge # attribute for authentication, the mschap module will find # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' # to the request, which will cause the server to then use # the mschap module for authentication. #mschap mschap.domainA ... authenticate { ... Auth-Type MS-CHAP { # mschap group { mschap.domainA { reject = 1 ok = return } mschap.domainB { ok = return } } } # # For old names, too. # mschap In order to make it clear in the logs, I edited mods-enabled/mschap setting "--domain=FOO" in the ntml_auth command. --> eapol_test -c ttls-mshchap.conf -s testing123 ... WORKS Looking at the logs I see "Auth-Type = MS-CHAP" being set and my defined mschap.domainA module being used. Works exactly as expected using the modules I defined. If a user isn't found in domainA it then searches domainB. I can authenticate to my wireless (ssid eduroam) using an Android phone where I can set the authentication to TTLS/mschapv2. (6) Virtual server inner-tunnel received request (6) User-Name = "userA" (6) MS-CHAP-Challenge = 0x74624904a951c158262f9cd8b0abc750 (6) MS-CHAP2-Response = 0x70008158d62efd7635c9fb5b701e2fb44ee300000000000000005390d893765b4f1900adee9e21dd10f5827472b58eeb8e48 (6) FreeRADIUS-Proxied-To = 127.0.0.1 (6) server inner-tunnel { (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [chap] = noop (6) mschap.domainA: Found MS-CHAP attributes. Setting 'Auth-Type = mschap.domainA' (6) [mschap.domainA] = ok (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "userA", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: No EAP-Message, not doing EAP (6) [eap] = noop (6) [files] = noop (6) [expiration] = noop (6) [logintime] = noop (6) [pap] = noop (6) } # authorize = ok (6) Found Auth-Type = MS-CHAP (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (6) Auth-Type MS-CHAP { (6) group { (6) mschap.domainA: Creating challenge hash with username: userA (6) mschap.domainA: Client is using MS-CHAPv2 (6) mschap.domainA: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ... --> eapol_test -c peap-mschapv2.conf -s testing123 ... FAILS The above test is using mods-enabled/mschap where I've set "--domain=FOO". Tracing through the logs, it looks like the eap module is called (expected), within eap it executes the peap section (expected) which sets "default_eap_type = mschapv2". Not sure if I'm saying this correctly, but the mschapv2 section is executes using the default mschap module. (8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap.domainA] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "userA", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 8 length 65 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Expiring EAP session with state 0xa3eaf94ca3e2e3ae (8) eap: Finished EAP session with state 0xa3eaf94ca3e2e3ae (8) eap: Previous EAP request found for state 0xa3eaf94ca3e2e3ae, released from the list (8) eap: Peer sent packet with method EAP MSCHAPv2 (26) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (8) eap_mschapv2: authenticate { (8) mschap: Creating challenge hash with username: userA (8) mschap: Client is using MS-CHAPv2 (8) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-FOO} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: My apologies for not posting the "radius -X" for the failed eapol_test. There are restrictions at my site about posting server logs, I'm working on it. Questions: 1) Does it look like I've made any glaring mistakes or am I on the correct path? 2) What can I do to make peap/mschap work under this circumstances? Any help is appreciated. Pete K.