ntlm_auth multiple nt4 domains peap xp

[Jamie Crawford]

Hi,
I have a two nt4 trusted domain infrastructure and am trying to setup freeradius to authenticate xp supplicants with peap.  I have nmbd and winbindd running correctly, and can run the ntlm_auth program with no problems.  But what I have found out is that my freeradius server is joined to the DOMAINA domain.  So when running /usr/bin/ntlm_auth --username=domainatestuser  it automatically validates the user against DOMAINA.  But if I try to run /usr/bin/ntlm_auth --username=domainbtestuser it will fail.  I have to add the --domain=DOMAINB for it to validate correctly.  

So when I use my xp supplicant to validate my user, domainatestuser (without typing in the DOMAINA), it works perfectly.  If I put in DOMAINA in the domain box, I get rejected.  If I try to validate the domainbtestuser using nothing for the domain box, I get rejected.  If I put in DOMAINB in the domain box, I get rejected.

I guess I am needing to setup realms for each domain.  How do I setup DOMAINA users to go to the DOMAINA domain controllers, and how do I setup DOMAINB users to go to DOMAINB domain controllers.  I shouldn't really have to setup to go do different domain controllers, I just need freeradius to pass on the "domain" in the ntlm_auth command.

Thanks for any help!!!!


rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3076, id=85, length=181
       NAS-IP-Address = xxx.xxx.xxx.xxx
       NAS-Port-Type = Wireless-802.11
       NAS-Port = 1
       Framed-MTU = 1400
       User-Name = "DOMAINB\\domainbtestuser"
       Calling-Station-Id = "001217a8df41"
       Called-Station-Id = "0001f4449c4c"
       NAS-Identifier = "RoamAbout AP"
       State = 0x1ce29e6a91a9663ff39346a69f85748c
       EAP-Message = 0x020800261900170301001b4ca905292ffadaa855c356acd5417b6989915df2dd32ffdc0b08d3
       Message-Authenticator = 0x6dca7a93ca473745cab0f6a063b66d0e
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
 modcall[authorize]: module "preprocess" returns ok for request 15
 modcall[authorize]: module "mschap" returns noop for request 15
   rlm_realm: No '@' in User-Name = "DOMAINB\domainbtestuser", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 15
   rlm_realm: Looking up realm "DOMAINB" for User-Name = "DOMAINB\domainbtestuser"
   rlm_realm: No such realm "DOMAINB"
 modcall[authorize]: module "ntdomain" returns noop for request 15
 rlm_eap: EAP packet type response id 8 length 38
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 15
   users: Matched entry DEFAULT at line 152
 modcall[authorize]: module "files" returns ok for request 15
modcall: group authorize returns updated for request 15
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 eaptls_process returned 7
 rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: Received EAP-TLV response.
 rlm_eap_peap: Tunneled data is valid.
 rlm_eap_peap:  Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module "eap" returns invalid for request 15
modcall: group authenticate returns invalid for request 15
auth: Failed to validate the user.
Delaying request 15 for 1 seconds
Finished request 15
Going to the next request



Jamie Crawford, MCSE RHCT Network Analyst I
Information Services
Central Missouri State University
Warrensburg, MO 64093
Phone:6605434357 
Email:CRAWFORD at CMSU1.CMSU.EDU