Authorization?? pb Authentication against AD

Reveal MAP revealmapp at
Fri Jun 27 17:56:24 CEST 2008

I am Sorry,
I have a little problem with english, and i know it might be annoying for you! but i am not sure to understand what you are adcing me right now.

1- um.. using "mschap:User-Name" 
            (how can i do that? in radiusd.conf, mschap section? or in ntlm_ath configuration files?)

2- using Stripped-User-Name
       * activating the ntdomain hack is needed in this case, 
        * enabling prefix domain module

(I repeat to be sure that you get what i understood).
I am not yet so familiar with that parameters of FR althouht it is not so magic.

so here is a part of my Radiusd.conf: (section mschap) and i think i did well but worries about the ntlm_command (commented) on there. could you just put me on the lane?

mschap {
        # if use_mppe is not set to no mschap will
        # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
        # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
        use_mppe = no

        # if mppe is enabled require_encryption makes
        # encryption moderate
        require_encryption = yes

        # require_strong always requires 128 bit key
        # encryption
        require_strong = yes

        # Windows sends us a username in the form of
        # DOMAIN\user, but sends the challenge response
        # based on only the user portion.  This hack
        # corrects for that incorrect behavior.
        with_ntdomain_hack = yes

        # The module can perform authentication itself, OR
        # use a Windows Domain Controller.  This configuration
        # directive tells the module to call the ntlm_auth
        # program, which will do the authentication, and return
        # the NT-Key.  Note that you MUST have "winbindd" and
        # "nmbd" running on the local machine for ntlm_auth
        # to work.  See the ntlm_auth program documentation
        # for details.
        # Be VERY careful when editing the following line!
        # You can also try setting the user name as:
        #    ... --username=%{mschap:User-Name} ...
        # In that case, the mschap module will look at the User-Name
        # attribute, and do prefix/suffix checks in order to obtain
        # the "best" user name for the request.
        #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

but that command (above) is not what you're telling freeradius to do.
look at the output from FR and note the differences. as Iven has stated,
you will need to use EITHER  mschap:User-Name, OR carry on using Stripped-User-Name
but activate the ntdomain hack and enable prefix doamin module - or
stripped-user-name will still be wrong!

List info/subscribe/unsubscribe? See

Envoyez avec Yahoo! Mail. Une boite mail plus intelligente
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list