Freeradius + AD authentication passing Domain+User

Enrico Polesel epol.lists at gmail.com
Thu Jun 22 16:46:50 CEST 2017


Hi all,

On Thu, Jun 22, 2017 at 4:11 PM Alan DeKok <aland at deployingradius.com>
wrote:

> >
> > Sending Access-Request of id 220 to 127.0.0.1 port 1812
> >        User-Name = "alejandro at domain.com <alcabrera at g-bapro.net>"
>
>   Is the account in AD called "alejandro at domain.com"?  Or is it just
> alejandro ?
>
>   Again... if you're testing a user in AD, you just need to test with the
> username that's in AD.  There is simply no reason to do anything else.
>

Remember that AD has TWO usernames: the sAMAccountName (old style, NetBIOS)
and the userPrincipalName (new style, Kerberos); the latter also includes
the domain.

BUT winbind (and ntlm_auth) uses the sAMAccountName username, so be sure
to pass that name and not the new userPrincipalName.

Cheers,
Enrico
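
The point above as an added example (not part of the original message and not FreeRADIUS code): reduce the User-Name forms a client may send to the sAMAccountName before building ntlm_auth arguments. It assumes the UPN prefix equals the sAMAccountName, which is the AD default but not guaranteed; the function names, the binary path and the sample domain "DOMAIN" are hypothetical.

```python
import re

# Characters AD rejects in a sAMAccountName, plus '@', which would make the
# UPN split ambiguous. User accounts are also capped at 20 characters.
_SAM_FORBIDDEN = re.compile(r'["/\\\[\]:;|=,+*?<>@]')
_SAM_MAX_LEN = 20


def split_login(user_name):
    """Classify a RADIUS User-Name and return (form, account, domain_hint)."""
    if "\\" in user_name:
        # Down-level logon name: NETBIOSDOMAIN\account
        domain, account = user_name.split("\\", 1)
        return "down-level", account, domain
    if "@" in user_name:
        # userPrincipalName: prefix@suffix (the suffix is a DNS-style name)
        account, suffix = user_name.rsplit("@", 1)
        return "upn", account, suffix
    return "sam", user_name, None


def ntlm_auth_argv(user_name, binary="/usr/bin/ntlm_auth"):
    """Build an argv list for ntlm_auth carrying only the sAMAccountName.

    Assumption: for UPN input the prefix is the sAMAccountName. Where the two
    differ, the account must be looked up in the directory instead.
    """
    form, account, domain = split_login(user_name)
    if not account or len(account) > _SAM_MAX_LEN or _SAM_FORBIDDEN.search(account):
        raise ValueError(f"not a usable sAMAccountName: {account!r}")
    # A list (not a shell string) keeps the name from being reinterpreted.
    argv = [binary, f"--username={account}"]
    # Only the down-level prefix is a NetBIOS domain; a UPN suffix is not,
    # so it is dropped rather than passed as --domain.
    if form == "down-level" and domain:
        argv.append(f"--domain={domain}")
    return argv


if __name__ == "__main__":
    # Constructed sample inputs covering the three forms.
    for name in ("alejandro@domain.com", "DOMAIN\\alejandro", "alejandro"):
        print(name, "->", ntlm_auth_argv(name))
```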

