Changing domain for ntlm_auth
Alan DeKok
aland at deployingradius.com
Wed Jan 25 12:48:18 CET 2012
NdK wrote:
> To let (most (*)) users log in with their e-mail address, I'd need to
> "translate" the realm part to a domain.
I'm not sure why.
> So I added to proxy.conf :
...
> realm "~^studio\\.unibo\\.it" {
> Realm := "STUDENTI"
> }
Huh? NOTHING in the documentation or examples says that should work.
It won't work. Don't do it.
> What I thought it would do was "if user name is like '@studio.unibo.it'
> then set REALM to be local 'STUDENTI'" but obviously I was wrong...
The server documentation describes how it works. Follow the
documentation to configure it.
> Request is EAP-PEAP-MSChapv2 and the authentication oracle is an AD node
> (hence the use of ntlm_auth).
I'm not sure you can change the domain for PEAP with ntlm_auth. The
domain is *also* in the MS-CHAP data. So changing it in the arguments
to ntlm_auth will likely not work.
> If I authenticate using user@PERSONALE it works perfectly. What am I
> missing?
It doesn't work the way you think it works. It works the way it's
documented to work.
> (*) Just 'most' users since I couldn't yet find a way to use the UPN, so
> users whose UPNs have been changed must log in with their 'base' name.
> Don't think there's an easy fix for this, since even joined win machines
> *sometimes* refuse the changed UPN...
Have the users change their login domain.
Alan DeKok.