I have found a working solution for my environment and wanted to share it with the list in case it may help someone else. In my proxy.conf file I added the following ------------------ realm domainName1 { } Realm domainName2{ } ------------------ That fixed my realm problem, not sure why... We use Microsoft AD and ntlm_auth for authenticating our users through MSCHAPv2 tunneled through a peap session. I have 2 domains one is a child of the other the FreeRADIUS server is joined to the parent domain so it can authenticate users from both domains but passing the correct domain for the user request was a bugger! In the end what I got to work was modifying the ntlm_auth statement at the bottom of the mschap module to be the following: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{outer.request:Realm} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" *** --domain=%{outer.request:Realm} was the key, now the realm of the request is passed to the ntlm_auth script perfectly and the user is authenticated like we all love them to be : ) This does seem to break the domain\username style of logging in though ... but due to time constraints this will have to do for now. Thanks to everyone who everyone who helped out, especially Alan. Thank you. Jake Sallee Godfather Of Bandwidth Network Engineer Fone: 254-295-4658 Phax: 254-295-4221 -----Original Message----- From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.o rg] On Behalf Of Alan DeKok Sent: Tuesday, August 10, 2010 3:42 PM To: FreeRadius users mailing list Subject: Re: Suffix authentication Sallee, Stephen (Jake) wrote:
Quickly, my problem is users cannot log in using username@domain but can login fine with domain\username.
So... what is different in the debug log between the two requests?
One person mentioned the realms module, but when I look at it the default conf looks fine. The delimiter is correctly set to '@'. I tried adding my domains to the realm module by copying the default suffix config and using my domain info but that causes FR to fail its
sanity check.
Because you made some random change without understanding how the server works, or reading the documentation.
I am using MSCHAPv2 with PEAP authentication and when the user fails the logon with username@domain the ntlm_auth program reports a bad password even though the same user will have no problem with domain\username.
Also, the FR wiki says the realms file is depreciated ... so what am I
supposed to do?
Read proxy.conf. It defines the realm names. The "realms" module just searches the User-Name in various ways (suffix, prefix, ntdomain), and then sees if there is a matching realm.
What would be really great would be a script I could use to determine the domain of the user BEFORE they reach ntlm_auth so I can prepopulate the command with the correct domain and just forget this suffix stuff : ) I think the best place for this would be in the mschap module but what is the language? Would it be unlang or regular bash scripting?
The default config documents how to define realms. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sallee, Stephen (Jake) wrote:
I have found a working solution for my environment and wanted to share it with the list in case it may help someone else.
In my proxy.conf file I added the following ------------------ realm domainName1 { }
Realm domainName2{ }
The "Realm domainName2" configuration is ignored, and does nothing. Delete it.
------------------
That fixed my realm problem, not sure why...
Because the documentation says this is how realms are configured.
We use Microsoft AD and ntlm_auth for authenticating our users through MSCHAPv2 tunneled through a peap session. I have 2 domains one is a child of the other the FreeRADIUS server is joined to the parent domain so it can authenticate users from both domains but passing the correct domain for the user request was a bugger! In the end what I got to work was modifying the ntlm_auth statement at the bottom of the mschap module to be the following:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{outer.request:Realm} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
*** --domain=%{outer.request:Realm} was the key, now the realm of the request is passed to the ntlm_auth script perfectly and the user is authenticated like we all love them to be : )
Or, you can set "copy_request_to_tunnel" in eap.conf. But it *is* odd that the inner and outer user names have different realms. As always, running in debugging mode would let you know what's going on. But you haven't posted that, so... Alan DeKok.
participants (2)
-
Alan DeKok -
Sallee, Stephen (Jake)