Changing domain for ntlm_auth

Alan DeKok aland at
Wed Jan 25 12:48:18 CET 2012

NdK wrote:
> To let (most (*)) users log in with their e-mail address, I'd need to
> "translate" the realm part to a domain.

  I'm not sure why.

> So I added to proxy.conf :
> realm "~^studio\\.unibo\\.it" {
>     Realm := "STUDENTI"
> }

  Huh?  NOTHING in the documentation or examples says that should work.
It won't work.  Don't do it.

> What I thought it would do was "if user name is like ''
> then set REALM to be local 'STUDENTI'" but obviously I was wrong...

  The server documentation describes how it works.  Follow the
documentation to configure it.

> Request is EAP-PEAP-MSChapv2 and the authentication oracle is an AD node
> (hence the use of ntlm_auth).

  I'm not sure you can change the domain for PEAP with ntlm_auth.  The
domain is *also* in the MS-CHAP data.  So changing it in the arguments
to ntlm_auth will likely not work.

> If I authenticate using user at PERSONALE it works perfectly. What am I
> missing?

  It doesn't work the way you think it works.  It works the way it's
documented to work.

> (*) Just 'most' users since I couldn't yet find a way to use the UPN, so
> users whose UPN has been changed must log in with their 'base' name.
> Don't think there's an easy fix for this, since even joined win machines
> *sometimes* refuse the changed UPN...

  Have the users change their login domain.

  Alan DeKok.
