domain security problem

Hegedus Gabor hegedus.gabor at
Wed Dec 10 12:37:15 CET 2008

tnt at wrote:
>> here is the debug: (user-test- who is not in domain
> Well, he was found in AD. And in that domain. And with correct password.
hi is in the AD it is correct,

the problem is the domain

win send the
- DOMAIN\username if it is in domain,
- HOSTNAME\username if it is not in domain (only workgroup)

but when i set TEST(my domain) as hostname (it still not in domain), it 
will send this and freeradius think it is correct.

how can I config the freeradius to reject auth, when it is not in 
domain(but send domain name as hostname)

like: ntdomain or something proxy.conf  modification or hack, i  have  
no idea  what is the solution.
>> [mschap]     expand: --domain=%{mschap:NT-Domain} -> --domain=TEST
>> [mschap]     expand: --username=%{mschap:User-Name} -> --username=test
>> [mschap]  mschap2: 10
>> [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ad923676ac4c1b76 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff5 
>> Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
>> Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
>> Exec-Program: returned: 0
>> [mschap] adding MS-CHAPv2 MPPE keys
>> ++[mschap] returns ok
>> MSCHAP Success
> Ivan Kalik
> Kalik Informatika ISP
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list