PEAP and multiple domains

Francois Gaudreault fgaudreault at
Mon Jul 16 17:23:07 CEST 2012

Hi David,

If your domains have trust configured (which I hope), use REALMS 
(proxy.conf).  Add the --domain %{Realm} to your ntlm_auth line, and you 
should be OK.

If your domains don't have a trust, then you are in trouble.  You can 
only join the server to 1 domain, so ntlm_auth will always fail for one 
of the two domains.

Hope it helps!

On 12-07-16 11:12 AM, David Aldwinckle wrote:
> Hello,
> I currently use PEAP and the mschap module to call ntlm_auth and authenticate against Active Directory. The FreeRadius server is currently joined to domain1.
> It may come about in the near future that I need to query two different domains before failing a request. Unlang says I can do this:
> redundant {
> 	mschap.domain1
> 	mschap.domain2
> }
> Where mschap.domain{1,2} are copies of the stock mschap module, with the new domain plugged in.
> Will this work? Do I need to change the Samba configuration?
> In a quick test, with the server in domain1, I ran ntlm_auth and specified domain2, which failed to authenticate the user.
> Thanks,
> Dave A.

Francois Gaudreault, ing. jr
fgaudreault at  ::  +1.514.447.4918 (x130) ::
Inverse inc. :: Leaders behind SOGo and PacketFence
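
The realm-based setup suggested in the reply above, sketched as an added example in FreeRADIUS 2.x syntax; it is not configuration from the original post or from the FreeRADIUS project. Assumptions: DOMAIN1 and DOMAIN2 are placeholders for the two trusted AD domains, users log in as DOMAIN\user, the ntlm_auth path is /usr/bin/ntlm_auth, and the file locations follow the stock 2.x layout.

```text
# ---- proxy.conf --------------------------------------------------
# Declare each AD domain as a realm. A realm with no server pool is
# handled locally, so nothing is proxied; the entries exist only so
# the realm module can match the prefix and set the Realm attribute.
realm DOMAIN1 {
}
realm DOMAIN2 {
}

# ---- modules/realm -----------------------------------------------
# Stock "ntdomain" instance: splits DOMAIN\user into Realm and
# Stripped-User-Name.
realm ntdomain {
	format = prefix
	delimiter = "\\"
}

# ---- sites-available/inner-tunnel --------------------------------
# Run ntdomain before mschap so Realm is set when ntlm_auth is
# called for the inner PEAP/MSCHAPv2 request (other stock entries
# omitted here).
authorize {
	ntdomain
	mschap
	eap
}

# ---- modules/mschap ----------------------------------------------
# One mschap instance serves both domains: the domain passed to
# ntlm_auth comes from the matched realm instead of being hard-coded
# in per-domain copies of the module. This only works when the
# domain the server is joined to trusts the other domain; winbind
# cannot authenticate against an untrusted domain.
mschap {
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{Realm} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

A request whose User-Name carries no recognised domain prefix leaves Realm unset, so decide explicitly whether such requests should be rejected or mapped to a default domain.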

More information about the Freeradius-Users mailing list