ntlm_auth and UPN suffix for user-name

Alan DeKok aland at deployingradius.com
Sat Jun 4 13:49:23 CEST 2016

> On Jun 3, 2016, at 3:24 PM, Shawn Wilson <swilson at acs.on.ca> wrote:
> Hi, I'm trying to configure freeradius 2.x to authenticate users against 3 different domains in an active directory forest.  Currently, I have the proxy.conf file configured for each realm like so:
> realm domain.name {
>    auth_pool = my_auth_failover
> }

  You only need the "auth_pool" if you're proxying the packets.  i.e. it can be deleted from the "realm" configuration.

> Then I can pass the domain to the ntlm_auth command by using the "-domain=%{realm}" parameter.  Everything works fine as long as the User-Name is in the format <username>@<my.domain.name>.
> HOWEVER, the big problem I'm encountering is that we need users to authenticate via alternate UPN suffixes.  It turns out ntlm_auth will not authenticate against these suffixes, only the actual domain names.

  What does that mean?  "actual domain name" ?

> Soooo, my question is: How can I change the UPN suffixes to their corresponding domain names?  I tried using preprocess and the hints file configured like this:
> DEFAULT User-Name =~ "^([^@]+)@upnsuffix1.name"
>    User-Name := "%{1}@domain.name"
> But that seemed to break EAP because it detected that the user-name changed.

  Don't modify the User-Name.  Modify the arguments to ntlm_auth.

  And since you've been careful to not post any examples or debug output, that's the best answer I can give.

  Alan DeKok.
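One way to follow that advice in FreeRADIUS 2.x, as an added example that is not from this thread or from the FreeRADIUS project: leave User-Name alone (so EAP's identity check still passes), derive the NT domain from the UPN suffix in unlang, and feed that into the `--domain=` argument of ntlm_auth. The suffixes `upnsuffix1.name` / `upnsuffix2.name`, the NT domains `CORP` / `SALES`, the policy name and the ntlm_auth path are placeholders; `Tmp-String-0` and `Tmp-String-1` are the stock scratch attributes from dictionary.freeradius.internal, `%{tolower:...}` is the rlm_expr xlat, and the `%{mschap:...}` xlats and the nested `%{%{a}:-%{b}}` default syntax are the same ones the stock 2.x `modules/mschap` file uses.

```unlang
# --- raddb/policy.conf (FreeRADIUS 2.x unlang) ---
# Maps an alternate UPN suffix to the NT domain that ntlm_auth should be
# told about, without rewriting User-Name.  Suffixes and domains below are
# placeholders for this example.
policy {
	upn_suffix_to_nt_domain {
		# Only act on user@suffix logins; %{1} = user part, %{2} = suffix.
		# DOMAIN\user logins do not match and are left to the mschap defaults.
		if (User-Name =~ /^([^@]+)@([^@]+)$/) {
			update control {
				# bare user part, later handed to --username=
				Tmp-String-1 := "%{1}"
			}
			# %{tolower:...} is provided by rlm_expr ("expr" in modules/),
			# so the match is case-insensitive like the suffix itself.
			switch "%{tolower:%{2}}" {
				case "upnsuffix1.name" {
					update control {
						Tmp-String-0 := "CORP"
					}
				}
				case "upnsuffix2.name" {
					update control {
						Tmp-String-0 := "SALES"
					}
				}
				case {
					# A real domain name or an unknown suffix: leave
					# Tmp-String-0 unset so the --domain= fallback applies.
					noop
				}
			}
		}
	}
}

# --- raddb/sites-enabled/inner-tunnel (PEAP / EAP-MSCHAPv2) or default ---
# Call the policy in the authorize section of whichever virtual server runs
# mschap, before the mschap module itself.
authorize {
	# (other modules as in the stock file)
	upn_suffix_to_nt_domain
	mschap
	# (other modules as in the stock file)
}

# --- raddb/modules/mschap ---
mschap {
	# Prefer the user/domain the policy stored in control:; fall back to
	# what the realm module set (Stripped-User-Name / Realm), which is the
	# original "--domain=%{realm}" behaviour for the real domain names.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{control:Tmp-String-1}:-%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}} --domain=%{%{control:Tmp-String-0}:-%{Realm}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

Run the server with `radiusd -X` and watch the expanded ntlm_auth command line in the debug output: it should show `--username=<bare user> --domain=CORP` for a `user@upnsuffix1.name` login while the User-Name attribute in the request stays untouched. Before wiring it into the server, confirm the mapping itself with `ntlm_auth --username=<bare user> --domain=CORP --password=...`, run as the account radiusd runs under, since that account needs access to winbind's privileged socket. The suffix-to-domain table duplicates what AD already knows, so it has to be kept in step with any UPN suffix added to the forest; an unlisted suffix silently falls through to the realm path and fails the same way the original post describes.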

More information about the Freeradius-Users mailing list