authenticating a guest domain/ntlm_auth in a different AD

Matthew Newton mcn4 at
Thu Jan 29 18:34:53 CET 2015

On Thu, Jan 29, 2015 at 03:54:52PM +0000, Rui Ribeiro wrote:
> I would like to authenticate a guest domain in a different AD in FR3. I
> The ideia of having to mschap configurations is for calling ntlm_auth with
> a different Windows DOMAIN.


> most specifically, this not works. Is it wiser to build a new FR to the
> guest domain.

You can do it all in one copy of FreeRADIUS. No need to run it
twice. There are many ways to do this. You will need to make sure
that the AD domains trust each other as your RADIUS server will
(normally) only be joined to one domain, so will send all auth
requests to that one.

You could add something like


to your existing ntlm_auth command line, but you probably want to
do some sanity checks on the realm first in unlang.

Another method similar to how we've done here in the past would be
to define two instances of the mschap module. So in
mods-available/mschap, copy the

mschap {

section, and call it e.g.

mschap domain2 {

Update the domain2 ntlm_auth one with your new domain.

Then you need to use work out which one to use - either code this
with if() in unlang, or use the call 'suffix' in authorize{}
(which is enabled by default).

Then you should be able to update your authenticate{} section from

Auth-Type MS-CHAP {

to something like

Auth-Type MS-CHAP {
  if (Realm =~ /@my.second.realm$/) {
  else {

If you can't get it working, post the full FreeRADIUS debug output
(radiusd -X) to the list, otherwise nobody can tell what's going


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list