Are multiple ntdomain realms possible?
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jun 7 21:28:21 CEST 2006
wekz wrote:
> And if they are, what effect does with_ntdomain_hack=yes have? Does it
> affect all of them?
>
> Well, hi all, I hope I haven't been too direct ;)
>
> I'm getting into more trouble as I do more complex configurations.
>
> I ask this because first I had to authenticate users by machine
> authentication. The users in this case send a User-Name like
> host/username and the only way I found to make this work was to use an
> ntdomain realm with "/" as the delimiter and enable with_ntdomain_hack.
> The other options strip the User-Name but then packets don't match
> EAP-Identity (at least one of them), that is why I used ntdomain, for
Yes, this is a pain. The correct thing to do is below.
> being able to use with_ntdomain_hack.
FreeRADIUS 1.1.0 has code to do this for you - it will take names of the
form "host/blah" and turn them into "blah$" *IF* you are using the
"%{mschap:User-Name}" expansion. The "%{User-Name}" is left alone,
meaning EAP carries on working.
>
> Now I've got PDA users that send domain\username and if I don't use
> ntdomain & with_ntdomain_hack it fails. So, that's why I ask if multiple
> ntdomains are allowed and how.
Again, this is annoying.
The best way I've found is to have this:
proxy.conf (contains only "real" domains):

realm THEDOMAINNAME {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        # see [1] for strip
        strip
}

# catches any prefix that is not a configured realm
realm DEFAULT {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        # see [1] for strip
        strip
}

# catches names with no delimiter at all
realm NULL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        # see [1] for strip
        strip
}
radiusd.conf (portions omitted):

modules {
        mschap {
                authtype = MS-CHAP
                with_ntdomain_hack = yes
                # this all goes on one line
                # see [2] for mschap:User-Name
                ntlm_auth = "/path/ntlm_auth --request-nt-key \
                        --username=%{mschap:User-Name} \
                        --challenge=%{mschap:Challenge:-00} \
                        --nt-response=%{mschap:NT-Response:-00}"
        }

        # second instance of the realm module, splitting on the NT "\" prefix
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }
}

authorize {
        preprocess
        ntdomain
        eap
        mschap
}
The various bits ensure:

1. "strip" in the realms means there is always a realm-free
"%{Stripped-User-Name}" variable, useful for e.g. LDAP/file/SQL searches.

2. "with_ntdomain_hack" creates an mschap:User-Name variable which
will always have the domain stripped correctly - "dom\user" goes to
"user", and "host/machine" goes to "machine$".
>
> Any method or idea will be welcome.
>
> Thanks
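As an added illustration (not FreeRADIUS code and not from the thread), the following Python model shows what the "ntdomain" realm instance and the mschap with_ntdomain_hack setting above do to a User-Name. The realm name THEDOMAINNAME comes from the config; the sample users are constructed, and cutting a "host/" name at its first "." is an assumption.

```python
# Added model (not FreeRADIUS code) of how the "ntdomain" realm instance and
# the mschap with_ntdomain_hack setting shown in the thread treat a User-Name.
# The realm table mirrors proxy.conf above; sample users are constructed.

CONFIGURED_REALMS = {"THEDOMAINNAME"}  # real domains listed in proxy.conf
HAVE_DEFAULT = True                    # realm DEFAULT exists (ignore_default = no)
HAVE_NULL = True                       # realm NULL exists (ignore_null = no)


def ntdomain_realm(user_name, delimiter="\\"):
    """Model of: realm ntdomain { format = prefix; delimiter = "\\" }.

    Returns (Realm, Stripped-User-Name), since every realm says "strip",
    or None when no realm (not even DEFAULT or NULL) applies.
    """
    if delimiter not in user_name:
        # No prefix: the NULL realm handles it and nothing is stripped.
        return ("NULL", user_name) if HAVE_NULL else None
    realm, _, bare = user_name.partition(delimiter)
    if realm.upper() in CONFIGURED_REALMS:  # modelled as case-insensitive
        return (realm, bare)
    # Unknown prefix (e.g. the PDA users' domain): DEFAULT catches it.
    return ("DEFAULT", bare) if HAVE_DEFAULT else None


def mschap_user_name(user_name, with_ntdomain_hack=True):
    """Model of the %{mschap:User-Name} expansion described in the reply.

    "host/blah" -> "blah$" (machine account); "dom\\user" -> "user" when
    with_ntdomain_hack = yes.  Cutting a host/ name at its first "." is an
    assumption for FQDN-style machine identities.  %{User-Name} is untouched.
    """
    if user_name.startswith("host/"):
        return user_name[len("host/"):].split(".", 1)[0] + "$"
    if with_ntdomain_hack and "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def process(user_name):
    """Attributes a request carries after 'ntdomain' and the mschap xlat."""
    realm, stripped = ntdomain_realm(user_name) or ("", user_name)
    return {"Realm": realm, "Stripped-User-Name": stripped,
            "mschap:User-Name": mschap_user_name(user_name)}


if __name__ == "__main__":
    for name in ("THEDOMAINNAME\\alice", "OTHER\\bob",
                 "host/pc01.corp.example", "carol"):
        print(f"{name:24} -> {process(name)}")
```

The "host/" case shows why the NULL realm is needed: with "\" as the delimiter the realm module sees no prefix at all, and only the mschap expansion turns the name into a machine account.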