Some help with etc_smbpasswd auth and eap ttls

A.L.M.Buxey at A.L.M.Buxey at
Wed Jan 7 10:20:19 CET 2009


> I have configured everything and gotten free radius to authenticate off  
> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have  
> run into is when I switch the securew2 windows xp eap-ttls client to use  
> the current logged on user credentials. Then, SecureW2 sends the  
> username in the format of DOMAIN/user (which in this case is HTN/josh).  
> Authentication then fails because of this extra domain part in the user.  
> Ok fine, I first enable the nt_domain_hack in the mschap module then I  
> configured realm ntdomain and simply set a default realm in proxy.conf  
> to strip off the domain part. Nope, that fails (output will be included  
> below). I also tried nostrip but that also fails obviously. Also tried  
> silently stripping the domain in pre-process in radiusd.conf. Auth is  
> successful but finally rejected because the user doesn't match the  
> original HTN/josh user sent.

you need to look at using the Stripped-User-Name rather than just the 
User-Name (because that contains the REALM/ stuff).

alternatively, you can specify in proxy.conf to proxy anything with
REALM/ to your RADIUS server with realm stripping on - this should
send the request back to your server with just User-Name plain..
but it's not clean.   As Alan DeKok states, this sort of thing is very
nice in 2.x FreeRADIUS, it just works(tm)

