New User and AD Question

McNutt, Justin M. McNuttJ at
Wed Mar 2 13:38:50 CET 2011

> In the most recent debug I see you posted (16:36 yesterday) 
> it's failing 
> because:
> [eap] Request is supposed to be proxied to Realm $2.  Not doing EAP.
> ++[eap] returns noop
> You tried to use a regexp to parse the username (usually a mistake IMHO) 
> and put the "domain" bit into the "Proxy-To-Realm" attribute but 
> Proxy-To-Realm instructs the server to do just that - which cancels 
> local authentiction.

Agreed.  I commented all that back out this morning while pursuing the mschap possibility.

> Reading back through the thread, it seems like there is some confusion 
> between "domain" in the Windows NT/Active Directory sense, and "domain" 
> as a "Realm", which is a concept used in Radius proxying.
> I'm going to take a guess and assume you don't really need to do 
> proxying, and were just trying to use the "realm" module to strip off 
> the "host/" bits, and have gotten a bit tangled.


> Make sure you're using "%{mschap:User-Name}" everywhere that NT domain 
> usernames might exist - in the "ldap" module filter, for starters.

That's the thing.  There isn't anywhere else to set it, that I can see.

> At this point, you may find it easier to revert to the default configs 
> and start from scratch, one change at a time and keeping the 
> configs in version control.

That's another thing.  I specifically created this setup by doing:

cd /etc/raddb/sites-available
cp default campus-eap

And then making only the necessary changes to make it work.  Anything I've changed was done by commenting out the original, copying that line(s), and making changes.  I have changed very, very little from the default.


More information about the Freeradius-Users mailing list