VMware View 5.1 smsotp authentication with multiple realms [WAS: Re: Yeah, it works !!]

Thomas Glanzmann thomas at glanzmann.de
Tue Aug 28 17:49:13 CEST 2012


Hello Joël,

> jodan at otpradius:~/work/smsotpd$ ./pap_challenge_request.pl
> Enter username: dsp1A00113
> Enter password:
> server response type = Access-Challenge (11)
> Enter otp: 89003
> server response type = Access-Accept (2)

> Yeah, it works !! The step 1 is achieved :o)

that is good to hear.

> One more question, have you setup several realms? It will be my case,
> and if you have some clues it must be a quick win.

Yes, it will work with multiple realms. There is not much that you need
to do other than use HINTS or any other way of rewriting in the
radius server to rewrite the username to username@REALM. The REALM has
to be written in UPPERCASE, otherwise it will not work. Once you have
achieved that, it will work if the radius server is able to resolve the
ticket granting server for the REALM using DNS. You can use the
following command to double check:

        apt-get install dnsutils
        dig _kerberos._udp.ww004.siemens.net srv

# Exchange ww004.siemens.net with your REALM. In the DNS query the realm
# can be lowercase because DNS is case insensitive.

> So the test environment is functional, and I will test it against
> view 5.1 before the end of the week if my other tasks let me quiet
> ;o)

Let me know. VMware View 5.1 has a bug: you need to configure it
with this option unchecked: Enforce 2-factor and Windows username
matching. Otherwise, if your username contains a backslash as in
domain\username, the View Client will not send the access challenge reply.
I opened a bug report with VMware; they have accepted it but decided not
to fix it. If you need help with VMware View let me know.

Cheers,
        Thomas
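A sketch of the username rewrite step described above, added here as an example (it is not from this mail, from smsotpd or from the FreeRADIUS project). It assumes FreeRADIUS 3 unlang in the `authorize` section, that `EXAMPLE.COM` is a placeholder for your default realm, and that a `DOMAIN\user` login maps to a realm of the same name in uppercase, which is an assumption you must verify for your site:

```unlang
# Added example, not from the original mail: normalise User-Name to
# user@REALM before the smsotp module sees it. The realm is forced to
# uppercase because the Kerberos realm lookup is case sensitive, even
# though the _kerberos._udp SRV query in DNS is not.
authorize {
    # DOMAIN\user -> user@DOMAIN
    # Assumption: the domain short name equals the Kerberos realm name.
    # Adjust the mapping here if your realms are named differently.
    if (&User-Name =~ /^([^\\@]+)\\([^\\@]+)$/) {
        update request {
            &User-Name := "%{2}@%{toupper:%{1}}"
        }
    }
    # user@realm -> user@REALM (only the realm part is uppercased)
    elsif (&User-Name =~ /^([^@]+)@([^@]+)$/) {
        update request {
            &User-Name := "%{1}@%{toupper:%{2}}"
        }
    }
    # bare user -> user@EXAMPLE.COM (placeholder: replace with your realm)
    else {
        update request {
            &User-Name := "%{User-Name}@EXAMPLE.COM"
        }
    }

    # ... the rest of your authorize section (smsotp etc.) follows here
}
```

Run the server with `radiusd -X` and watch the `User-Name` value in the debug output to confirm each login form ends up as `user@REALM` before the smsotp module is reached.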


More information about the Freeradius-Users mailing list