Hi All, I have an environment where I'm trying to use FreeRADIUS to authenticate with two Active Directory domains at the same time. The problem I'm encountering is that I can authenticate one domain at a time, but not both, by manipulating the ntlm_auth syntax in radiusd.conf.
For example, my parent AD domain is idmcorp.net (IDMCORP), and my subdomain is sub.idmcorp.net (SUB). The Red Hat Linux system is joined to the parent domain and I can authenticate users via the ntlm_auth command line executable as shown:

ProCurve RADIUS(ms):/etc/raddb # ntlm_auth --nt-request-key --username=codo
password:
NT_STATUS_OK: Success (0x0)

ProCurve RADIUS(ms):/etc/raddb # ntlm_auth --nt-request-key --username='SUB\subusr1'
password:
NT_STATUS_OK: Success (0x0)

I have two test systems which are Windows XP, configured for machine authentication, and each joined to one of the AD domains. The following radiusd.conf ntlm_auth configuration will allow machines in idmcorp.net to authenticate successfully, but not sub.idmcorp.net. If I change the --domain to sub.idmcorp.net, then that domain can authenticate successfully but not idmcorp.net.

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{NT-Domain:-idmcorp.net} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

The bottom line when I look at radiusd -X is that the challenge fails because only idmcorp.net is applied:

radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=subusr1'
WARNING: Attempt to use unknown xlat function, or non-existent attribute in string %{NT-Domain}
radius_xlat: '--domain=idmcorp.net'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: b2
radius_xlat: '--challenge=f5ba542c686e9959'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--nt-response=dfdebeef4582ae2ee49bba789b110a6af1507b67abc97e5e'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6

I thought removing the domain argument from ntlm_auth might work, but this fails as well:

radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=subusr1'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: 49
radius_xlat: '--challenge=dcadf8974326b238'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--nt-response=804ebd5ea2b41d58ee34f221268885086ca958434d969593'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6

Sorry it's so wordy. Can anyone think of a way to get this working for both the parent/child domains?

Thanks,
Corey

Corey Dow
Security Solutions Test Engineer
ProCurve Networking
Hewlett-Packard Company
8000 Foothills Blvd. (MS 5549)
Roseville, CA 95747

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
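The following is an added example, not part of the original post and not FreeRADIUS or Samba code. It shows how the NT domain that ntlm_auth needs can be derived from each User-Name form a Windows supplicant sends (DOMAIN\user, user@dns.domain, and host/machine.fqdn for machine authentication), so that one command line can serve both the parent and the child domain. The DNS-to-NetBIOS mapping, the default domain and the script path are assumptions; the challenge and response values in the demo are the ones from the debug output above.

```python
# Constructed mapping from DNS domain to NT (NetBIOS) domain name, using the
# two domains from the post. Assumption: these are the only domains trusted.
DNS_TO_NT = {"idmcorp.net": "IDMCORP", "sub.idmcorp.net": "SUB"}
DEFAULT_NT_DOMAIN = "IDMCORP"   # assumed fallback when no domain is present


def split_user_name(user_name):
    """Return (nt_domain, username) derived from a RADIUS User-Name.

    Forms handled:
      DOMAIN\\user             -> explicit NT domain, used as given
      user@dns.domain          -> UPN, DNS suffix mapped to the NT domain
      host/machine.dns.domain  -> machine auth, domain taken from the FQDN,
                                  account name becomes MACHINE$ as in AD
    Anything else falls back to DEFAULT_NT_DOMAIN.
    """
    name = user_name.strip()
    if name.startswith("host/"):
        fqdn = name[len("host/"):]
        short, _, dns_domain = fqdn.partition(".")
        return DNS_TO_NT.get(dns_domain.lower(), DEFAULT_NT_DOMAIN), short.upper() + "$"
    if "\\" in name:
        domain, _, user = name.partition("\\")
        return domain.upper(), user
    if "@" in name:
        user, _, dns_domain = name.rpartition("@")
        return DNS_TO_NT.get(dns_domain.lower(), DEFAULT_NT_DOMAIN), user
    return DEFAULT_NT_DOMAIN, name


def ntlm_auth_argv(user_name, challenge_hex, nt_response_hex):
    """Build the argument vector that would be handed to ntlm_auth."""
    nt_domain, user = split_user_name(user_name)
    return [
        "/usr/bin/ntlm_auth",          # assumed path, as in the post's config
        "--request-nt-key",
        "--username=" + user,
        "--domain=" + nt_domain,       # NetBIOS name, matching the working CLI test
        "--challenge=" + challenge_hex,
        "--nt-response=" + nt_response_hex,
    ]


if __name__ == "__main__":
    # Machine in the child domain, with the challenge/response seen in radiusd -X.
    print(ntlm_auth_argv("host/xp1.sub.idmcorp.net", "f5ba542c686e9959",
                         "dfdebeef4582ae2ee49bba789b110a6af1507b67abc97e5e"))
```

Run with a real request only after confirming with `radiusd -X` which User-Name form your supplicants actually send; the `--domain` value must reach ntlm_auth as the domain the account lives in, which is exactly what the fixed `--domain=idmcorp.net` above prevents for SUB accounts.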