Using ntlm_auth with AD subdomains
Alan DeKok
aland at deployingradius.com
Tue Aug 5 07:19:47 CEST 2008
Dow, Corey wrote:
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{NT-Domain:-idmcorp.net} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Where is the NT-Domain supposed to come from?
> The bottom line when I look at radiusd -X is that the challenge fails because only idmcorp.net is applied:
...
> WARNING: Attempt to use unknown xlat function, or non-existent attribute in string %{NT-Domain}
So... there's no NT-Domain, and the idmcorp.net domain is used. This
is what you configured.
> Sorry so wordy. Can anyone think of a way to get this working for both the parent/child domains?
Step 1: get it working from the command line with the --domain
argument. The tests you showed did *not* use the --domain argument...
yet you configured this in the mschap module.
Step 2: Get the --domain=<foo> argument to expand properly for each
domain. This involves configuring policy checks...
Alan DeKok.
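
Why only idmcorp.net is ever passed, as an added example that is not part of the original message and not FreeRADIUS code: a simplified Python model of the `%{Name:-default}` expansion, applied to the ntlm_auth line quoted above. The `expand` helper, the request attribute values and the `CHILD` domain are constructed for illustration.

```python
import re

# Simplified model of "%{Name:-default}": use the attribute when the request
# carries it, otherwise fall back to the text after ":-". Not FreeRADIUS code.
_XLAT = re.compile(r"%\{([^{}]+?)(?::-([^{}]*))?\}")

# The ntlm_auth line from the quoted configuration.
TEMPLATE = (
    "/usr/bin/ntlm_auth --request-nt-key "
    "--username=%{mschap:User-Name:-None} "
    "--domain=%{NT-Domain:-idmcorp.net} "
    "--challenge=%{mschap:Challenge:-00} "
    "--nt-response=%{mschap:NT-Response:-00}"
)

def expand(template, request):
    """Return (expanded string, names that fell back to their default)."""
    fell_back = []

    def repl(match):
        name, default = match.group(1), match.group(2)
        if name in request:
            return request[name]
        fell_back.append(name)
        return default if default is not None else ""

    return _XLAT.sub(repl, template), fell_back

# Constructed request: MS-CHAP data is present, NT-Domain is not.
NO_DOMAIN = {
    "mschap:User-Name": "alice",
    "mschap:Challenge": "0011223344556677",
    "mschap:NT-Response": "ab" * 24,
}
# Same request after some policy has set NT-Domain (value is constructed).
WITH_DOMAIN = dict(NO_DOMAIN, **{"NT-Domain": "CHILD"})

if __name__ == "__main__":
    for label, req in (("no NT-Domain", NO_DOMAIN), ("NT-Domain set", WITH_DOMAIN)):
        cmd, fell_back = expand(TEMPLATE, req)
        print(label, "->", cmd)
        print("  defaults used for:", fell_back or "none")
```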