Suffix authentication

Alan DeKok aland at deployingradius.com
Tue Aug 10 22:41:53 CEST 2010


Sallee, Stephen (Jake) wrote:
> Quickly, my problem is users cannot log in using username@domain but can
> log in fine with domain\username.

 So... what is different in the debug log between the two requests?

> One person mentioned the realms module, but when I look at it the
> default conf looks fine.  The delimiter is correctly set to '@'.  I
> tried adding my domains to the realm module by copying the default
> suffix config  and using my domain info but that causes FR to fail its
> sanity check.

  Because you made some random change without understanding how the
server works, or reading the documentation.

> I am using MSCHAPv2 with PEAP authentication and when the user fails the
> logon with username@domain the ntlm_auth program reports a bad password
> even though the same user will have no problem with domain\username.
> 
> Also, the FR wiki says the realms file is deprecated ... so what am I
> supposed to do?

  Read proxy.conf.  It defines the realm names.  The "realms" module
just searches the User-Name in various ways (suffix, prefix, ntdomain),
and then sees if there is a matching realm.

> What would be really great would be a script I could use to determine
> the domain of the user BEFORE they reach ntlm_auth so I can prepopulate
> the command with the correct domain and just forget this suffix stuff :)
> I think the best place for this would be in the mschap module but
> what is the language?  Would it be unlang or regular bash scripting?

  The default config documents how to define realms.

  Alan DeKok.
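
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of the lookup described in the reply, where the User-Name is split as suffix or ntdomain and the candidate is checked against the realm names that are defined. The realm names, the case-insensitive comparison and leaving the name unchanged when nothing matches are assumptions of this model.

```python
# Simplified model of realm lookup; illustrative only, not FreeRADIUS source.
# Constructed realm names; on a real server they are the ones defined in proxy.conf.
DEFINED_REALMS = {"example.com", "EXAMPLE"}

# (instance name, format, delimiter) for two of the search styles named in the reply.
INSTANCES = [
    ("suffix", "suffix", "@"),      # user@realm
    ("ntdomain", "prefix", "\\"),   # REALM\user
]


def split_user_name(user_name, fmt, delim):
    """Return (user, realm_candidate), or None if the name does not fit the format."""
    if fmt == "suffix":
        user, sep, realm = user_name.rpartition(delim)
    else:
        realm, sep, user = user_name.partition(delim)
    if not sep or not user or not realm:
        return None
    return user, realm


def find_realm(user_name, realms=DEFINED_REALMS):
    """Return (instance, realm, stripped_user_name).

    A split only counts when the candidate is a defined realm; otherwise the
    next instance is tried and, if none matches, the name is left unchanged.
    """
    known = {r.lower(): r for r in realms}  # assumption: case-insensitive match
    for name, fmt, delim in INSTANCES:
        parts = split_user_name(user_name, fmt, delim)
        if parts is None:
            continue
        user, candidate = parts
        if candidate.lower() in known:
            return name, known[candidate.lower()], user
    return None, None, user_name


if __name__ == "__main__":
    # Constructed sample names.
    for sample in ("jake@example.com", "EXAMPLE\\jake", "jake@unknown.test", "jake"):
        print(sample, "->", find_realm(sample))
```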