ntlm_auth and UPN suffix for user-name

Shawn Wilson swilson at acs.on.ca
Fri Jun 3 21:24:31 CEST 2016

Hi, I'm trying to configure freeradius 2.x to authenticate users against 3 different domains in an Active Directory forest.  Currently, I have the proxy.conf file configured for each realm like so:

realm domain.name {
    auth_pool = my_auth_failover
}
realm sub1.domain.name {
    auth_pool = my_auth_failover
}
realm sub2.domain.name {
    auth_pool = my_auth_failover
}

Then I can pass the domain to the ntlm_auth command by using the "--domain=%{realm}" parameter.  Everything works fine as long as User-Name is in the format <username>@<my.domain.name>.

HOWEVER, the big problem I'm encountering is that we need users to authenticate via alternate UPN suffixes.  It turns out ntlm_auth will not authenticate against these suffixes, only the actual domain names.

Soooo, my question is: How can I change the UPN suffixes to their corresponding domain names?  I tried using preprocess and the hints file configured like this:

DEFAULT User-Name =~ "^([^@]+)@upnsuffix1.name"
    User-Name := %{1}@domain.name

But that seemed to break EAP because it detected that the user-name changed.

Any help would be greatly appreciated,

