Freeradius 3.0 and realms

Alan DeKok aland at
Thu Apr 2 19:47:14 CEST 2020

On Apr 2, 2020, at 12:56 PM, Anthony Stuckey <anthonystuckey at> wrote:
> Is there good documentation of the changes made to realms between
> freeradius 2 and freeradius 3?

  See raddb/README.rst

  That documents 99% of the changes.  There may be other small differences not documented, but they will be minimal.

> We're trying to get windows machine login to work, and we're having the
> same problem as before.  Once the machine is joined to the domain, Windows
> appends the domain to the machine name.  We need to strip the domain off to
> find the proper identity.

  That works the same as it did in v2.

> In freeredius 2, I was able to define a realm which did that, but that
> format no longer works for freeradius 3, and there seems to be no useful
> breadcrumb for how to create the new style realm.

  It's the same as in v2.

  The log shows no issues with realms.  It does show this:

(5) eap_peap: Got complete TLS record (7 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.2  [length 0002] 
(5) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(5) eap_peap: ERROR: TLS_accept: Failed in error
(5) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
(5) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(5) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure

  The Windows box doesn't know about the CA used by FreeRADIUS.  It won't work until that's fixed.

  Alan DeKok.

More information about the Freeradius-Users mailing list