I must have NT domain hack configured wrong.

Matthew Berry matthew.william.berry at gmail.com
Mon Jun 9 02:50:40 CEST 2014


From a fresh installation of Freeradius 2 on Ubuntu 13.10 Server, with
a single test user added to the users file, and with mschap turned on,
I've successfully received an access-accept response when testing with
radtest both on the inner tunnel port 18120 and the regular 1812 port
using mschap [1]. The test user is set up to mirror a user on a test
windows laptop, using the HOSTNAME\username convention. On my first
attempt to connect the laptop, I receive the below error about the
inner username matching neither the outer username nor the eap
identity.

Info: [files] users: Matched entry HOSTNAME\me at line 93
...
Info: [peap] Identity - HOSTNAME\me
...
ERROR: User-Name (HOSTNAME\me) is not the same as MS-CHAP Name (me)
from EAP-MSCHAPv2

So from what I've read this has been addressed by adding the
with_ntdomain_hack flag in the mschap module to 'yes'. However, as
shown in the referenced pastebins [2][3], it appears to have no
effect. There is one other place in the configuration where
with_ntdomain_hack is present, which is in the preprocess module,
however it specifically says in the comments not to use it. Based on
observations, it seems to strip the "HOSTNAME\\" from the username
(but not the eap identity).

I must have done something wrong when I enabled the with_ntdomain_hack
in the mschap configuration, as from my understanding that should have
caused Freeradius to account for the way Windows performs the
authentication. Is there something further I need to do?

Server: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built
on Feb 24 2014 at 15:09:01 (ubuntu package version
2.1.12+dfsg-1.2ubuntu5.1 )

End-Host: Windows 7 host, which is not part of a domain, with hostname
of HOSTNAME, with a user named 'me', who has a password 'PASSWORD'

End-Host Network Profile: Server validation turned off since test
certs are being used, "Use windows username/password" is on.

NAS: Tomato 1.28


[1] radtest log: http://pastebin.com/S5Kb1ggd
[2] with_ntdomain_hack off: http://pastebin.com/CnFcXWAX
[3] with_ntdomain_hack on: http://pastebin.com/KS8AJPbc

-Matt
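
Added example (not part of the original post, and not FreeRADIUS code): RFC 2759 section 8.2 computes the MS-CHAPv2 challenge hash over the user name "excluding any prepended domain name", so a server that hashes the User-Name exactly as received (HOSTNAME\me) gets a different challenge than the peer did. The function names and the challenge bytes below are constructed for illustration.

```python
import hashlib


def strip_nt_domain(name: str) -> str:
    # "HOSTNAME\\me" -> "me"; a name without a backslash is returned unchanged.
    return name.split("\\", 1)[-1]


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    # RFC 2759 section 8.2 ChallengeHash: SHA-1 over PeerChallenge,
    # AuthenticatorChallenge and the user name; the first 8 octets are kept.
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + username.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def server_challenge_matches(user_name_attr: str, peer_hash: bytes,
                             peer_challenge: bytes, auth_challenge: bytes,
                             ntdomain_hack: bool) -> bool:
    # Hypothetical model of the server side: hash the User-Name as received,
    # or only its user part when domain stripping is enabled.
    name = strip_nt_domain(user_name_attr) if ntdomain_hack else user_name_attr
    return challenge_hash(peer_challenge, auth_challenge, name) == peer_hash


# Constructed sample values (not taken from the referenced pastebins).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))
USER_NAME = "HOSTNAME\\me"  # User-Name in the HOSTNAME\username convention

# The peer hashes only the user part, as the RFC specifies.
PEER_HASH = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, strip_nt_domain(USER_NAME))

if __name__ == "__main__":
    for hack in (False, True):
        ok = server_challenge_matches(USER_NAME, PEER_HASH,
                                      PEER_CHALLENGE, AUTH_CHALLENGE, hack)
        print(f"domain stripping={hack}: challenge {'matches' if ok else 'differs'}")
```

This models only the challenge-hash input; the ERROR line quoted in the post reports a separate comparison between User-Name and the name carried in the EAP-MSCHAPv2 response.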
