Some help with etc_smbpasswd auth and eap ttls

Alan DeKok aland at
Wed Jan 7 07:28:19 CET 2009

Josh Hiner wrote:
> Trying to configure EAP-TTLS with MSCHAPv2 using FreeRADIUS
> version 1.1.3 in Red Hat Enterprise Linux 5.

  I suggest upgrading.  It's not hard to build an RPM of the latest
version of the server.

  Upgrading will get you a lot.

> I have configured everything and gotten FreeRADIUS to authenticate off
> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
> run into is when I switch the SecureW2 Windows XP EAP-TTLS client to use
> the current logged on user credentials. Then, SecureW2 sends the
> username in the format of DOMAIN/user (which in this case is HTN/josh).
> Authentication then fails because of this extra domain part in the user.
> Ok fine, I first enable the nt_domain_hack in the mschap module then I
> configured realm ntdomain and simply set a default realm in proxy.conf
> to strip off the domain part. Nope, that fails (output will be included
> below). I also tried nostrip but that also fails obviously. Also tried
> silently stripping the domain in pre-process in radiusd.conf. Auth is
> successful but finally rejected because the user doesn't match the
> original HTN/josh user sent.

  This is fixed in 2.x.  You can have different policies for inside the
TLS tunnel and outside of it.  This makes these configurations easier.

> Anyways, anyone know of how to get etc_smbpasswd module to work? I don't
> want to use the users file (blech) even though it does work when I put
> the user in there, and again, if I just supply the username and password
> (and leave the domain part blank in SecureW2 ttls client) authentication
> does work off /etc/samba/smbpasswd.

  Honestly... there are 3-4 solutions which are trivial in 2.x.  Any
solution is hard in 1.1.3.  I don't even recall what feature set it has
(or is missing).

  Alan DeKok.
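
Added example (not part of the original message and not FreeRADIUS code): a Python sketch of why the form of the user name matters in this setup. A lookup in smbpasswd-format data misses when the identity carries a domain prefix, and the RFC 2759 MS-CHAPv2 challenge hash changes with the name string, so both ends must use the same form. The sample entry, its placeholder hashes, the challenges and all function names are constructed for illustration.

```python
import hashlib

# Constructed sample in smbpasswd layout (name:uid:LM hash:NT hash:flags:LCT).
# The hash fields are placeholder hex, not real credentials.
SMBPASSWD = """\
# constructed sample file
josh:500:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:[U          ]:LCT-49640000:
"""

def parse_smbpasswd(text):
    """Map user name -> NT hash field for each well-formed line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or len(fields[3]) != 32:
            continue  # skip malformed lines
        users[fields[0]] = fields[3]
    return users

def strip_nt_domain(identity):
    """Return (domain, user) for DOMAIN/user or DOMAIN\\user, else (None, identity)."""
    for sep in ("\\", "/"):
        domain, found, user = identity.partition(sep)
        if found and domain and user:
            return domain, user
    return None, identity

def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || name)."""
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def lookup(identity, users):
    """Look up by the user part only, ignoring any domain prefix."""
    _, user = strip_nt_domain(identity)
    return users.get(user)

if __name__ == "__main__":
    users = parse_smbpasswd(SMBPASSWD)
    peer, auth = bytes(range(16)), bytes(range(16, 32))  # constructed challenges
    print("raw lookup:     ", users.get("HTN/josh"))
    print("stripped lookup:", lookup("HTN/josh", users))
    print("hash, full name:", challenge_hash(peer, auth, "HTN/josh").hex())
    print("hash, user only:", challenge_hash(peer, auth, "josh").hex())
```
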

More information about the Freeradius-Users mailing list