ntlm_auth and UPN suffix for user-name
Alan DeKok
aland at deployingradius.com
Sat Jun 4 13:49:23 CEST 2016
> On Jun 3, 2016, at 3:24 PM, Shawn Wilson <swilson at acs.on.ca> wrote:
>
> Hi, I'm trying to configure freeradius 2.x to authenticate users against 3 different domains in an active directory forest. Currently, I have the proxy.conf file configured for each realm like so:
>
> realm domain.name {
> auth_pool = my_auth_failover
> }
You only need the "auth_pool" if you're proxying the packets. i.e. it can be deleted from the "realm" configuration.
> Then I can pass the domain to the ntlm_auth command by using the "-domain=%{realm}" parameter. Everything works fine as long as User-Name is in the format <username>@<my.domain.name>.
>
> HOWEVER, the big problem I'm encountering is that we need users to authenticate via alternate UPN suffixes. It turns out Ntlm_auth will not authenticate against these suffixes, only the actual domain names.
What does that mean? "actual domain name" ?
> Soooo, my question is: How can I change the UPN suffixes to their corresponding domain names? I tried using preprocess and the hints file configured like this:
>
> DEFAULT User-Name =~ "^([^@]+)@upnsuffix1.name"
> User-Name := %{1}@domain.name
>
> But that seemed to break EAP because it detected that the user-name changed.
Don't modify the User-Name. Modify the arguments to ntlm_auth.
And since you've been careful to not post any examples or debug output, that's the best answer I can give.
Alan DeKok.
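One way to follow the advice above, as an added example that is not part of the thread: derive the AD domain from the UPN suffix into a temporary attribute in the `authorize` section and point `ntlm_auth` at that attribute, so User-Name itself stays untouched and EAP keeps working. The suffix-to-domain pairs are constructed placeholders, and the use of `Tmp-String-0`, the `Stripped-User-Name` fallback and the ntlm_auth path are assumptions about the local setup.

```unlang
# raddb/sites-enabled/inner-tunnel, "authorize" section (the site that
# sees the inner EAP identity). Added example, not from the original post.
authorize {
    suffix          # sets Realm and Stripped-User-Name from user@realm

    # Constructed placeholders: replace with the real UPN suffixes and
    # the AD domain each one belongs to.
    if (User-Name =~ /^[^@]+@upnsuffix1\.name$/i) {
        update request {
            Tmp-String-0 := "domain.name"
        }
    }
    elsif (User-Name =~ /^[^@]+@upnsuffix2\.name$/i) {
        update request {
            Tmp-String-0 := "other.domain.name"
        }
    }
    else {
        # No alternate suffix: the realm is already the AD domain name.
        update request {
            Tmp-String-0 := "%{Realm}"
        }
    }

    mschap
}

# raddb/modules/mschap: hand the derived domain to ntlm_auth instead of
# %{realm}. Assumed ntlm_auth path; adjust to your installation.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --domain=%{%{Tmp-String-0}:-%{Realm}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

Run `radiusd -X` and check the debug output to confirm that `Tmp-String-0` is set before `mschap` runs and that the expanded ntlm_auth command line carries the expected `--domain=`.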