New User and AD Question

Phil Mayers p.mayers at
Wed Mar 2 15:58:41 CET 2011

> Login OK: [host/] (from client test-wss2380 port 573 cli 00-90-4B-2F-80-B4)
> +- entering group post-auth {...}
> ++[exec] returns noop
> } # server campus-eap
> Sending Access-Accept of id 179 to port 20009


> Bad news:
> I have a multi-domain environment.  If I hard-code the domain in here, then only users or hosts from that domain will be able to authenticate.  How can I make it recognize the others and behave correctly?
> It's fine if I have to write some code using string matching and switch/case.  But I can't restrict access to only one domain.

I think you'll have to do that. The tedious bit is matching the domains 
in the regexps.

My advice would be to define a local, internal-only attribute in 

ATTRIBUTE	My-NT-Domain	3003	string

...and set this in your regexps:

if (User-Name =~ /^host[/].+[.]DOMAIN[.]COM$/i) {
   update request {
     My-NT-Domain = "DOMAIN.COM"
   }
}
elsif (...) {

...then in your ntlm_auth helper, do:

  ntlm_auth = "... --domain=%{My-NT-Domain:-DEFAULTVALUE} ..."

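The mapping above, worked through as a stand-alone example (added here, not code from the thread or from FreeRADIUS itself): the realm is taken from the `host/…` name, a `user@realm` UPN or a `DOMAIN\user` name, looked up in an allow-list of known domains, and anything unknown falls back to the `:-DEFAULTVALUE` default instead of passing a supplicant-chosen domain to `ntlm_auth`. The domain names, the `DOMAIN_MAP` table and `DEFAULTVALUE` are constructed placeholders.

```python
import re
from typing import Optional, Tuple

# Constructed allow-list: DNS suffix seen in User-Name -> NT domain for ntlm_auth.
# Only domains listed here are ever passed on; anything else gets the default,
# so a client cannot steer the lookup to an arbitrary domain via its User-Name.
DOMAIN_MAP = {
    "domain.com": "DOMAIN",      # hypothetical
    "corp.example": "CORP",      # hypothetical
}
DEFAULT_DOMAIN = "DEFAULTVALUE"  # plays the role of %{My-NT-Domain:-DEFAULTVALUE}

# host/<name>.<dns-suffix> as sent for computer (machine) authentication
HOST_RE = re.compile(r"^host/(?P<host>[^.]+)\.(?P<suffix>.+)$", re.IGNORECASE)
# user@dns-suffix (UPN style)
UPN_RE = re.compile(r"^(?P<user>[^@\\]+)@(?P<suffix>.+)$")
# DOMAIN\user (NT style)
NT_RE = re.compile(r"^(?P<nt>[^\\]+)\\(?P<user>.+)$")


def split_user_name(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (account, nt_domain); nt_domain is None when no rule matches."""
    m = HOST_RE.match(user_name)
    if m:
        # machine accounts in AD are named <computer>$
        return m.group("host") + "$", DOMAIN_MAP.get(m.group("suffix").lower())
    m = UPN_RE.match(user_name)
    if m:
        return m.group("user"), DOMAIN_MAP.get(m.group("suffix").lower())
    m = NT_RE.match(user_name)
    if m:
        nt = m.group("nt").upper()
        return m.group("user"), nt if nt in DOMAIN_MAP.values() else None
    return user_name, None


def ntlm_auth_args(user_name: str) -> list:
    """Build the --username/--domain arguments, applying the default when unmapped."""
    account, domain = split_user_name(user_name)
    return ["--username=" + account, "--domain=" + (domain or DEFAULT_DOMAIN)]
```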