Sallee, Stephen (Jake) wrote:
> Quickly, my problem is users cannot log in using usern...@domain but can
> login fine with domain\username.

So... what is different in the debug log between the two requests?

> One person mentioned the realms module, but when I look at it the
> default conf looks fine. The delimiter is correctly set to '@'. I
> tried adding my domains to the realm module by copying the default
> suffix config and using my domain info but that causes FR to fail its
> sanity check.

Because you made some random change without understanding how the server works, or reading the documentation.

> I am using MSCHAPv2 with PEAP authentication and when the user fails the
> logon with usern...@domain the ntlm_auth program reports a bad password
> even though the same user will have no problem with domain\username.
>
> Also, the FR wiki says the realms file is deprecated ... so what am I
> supposed to do?

Read proxy.conf. It defines the realm names. The "realms" module just searches the User-Name in various ways (suffix, prefix, ntdomain), and then sees if there is a matching realm.

> What would be really great would be a script I could use to determine
> the domain of the user BEFORE they reach ntlm_auth so I can prepopulate
> the command with the correct domain and just forget this suffix stuff :)
> I think the best place for this would be in the mschap module but
> what is the language? Would it be unlang or regular bash scripting?

The default config documents how to define realms.

Alan DeKok.
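The lookup described in the reply above, as a simplified Python model added here (it is not FreeRADIUS code and not part of the original thread). The realm names `example.org` and `EXAMPLE` are constructed, the function names are hypothetical, and the case-insensitive comparison is an assumption of the model.

```python
# Simplified model of realm lookup: split User-Name, then require a defined realm.
# (instance name, format, delimiter), modelled on the "suffix" and "ntdomain" instances.
INSTANCES = [("suffix", "suffix", "@"), ("ntdomain", "prefix", "\\")]

# Constructed names standing in for the realm names defined in proxy.conf.
DEFINED_REALMS = {"example.org", "EXAMPLE"}


def split_user_name(user_name, fmt, delimiter):
    """Return (user, realm), or None when the delimiter or either part is missing."""
    if fmt == "suffix":
        # user@realm: split on the last delimiter
        user, sep, realm = user_name.rpartition(delimiter)
    else:
        # realm\user: split on the first delimiter
        realm, sep, user = user_name.partition(delimiter)
    if not sep or not user or not realm:
        return None
    return user, realm


def find_realm(user_name, defined=DEFINED_REALMS):
    """Try each instance in order; a split only counts if the realm is defined."""
    known = {name.lower(): name for name in defined}  # assumption: case-insensitive
    for instance, fmt, delimiter in INSTANCES:
        parts = split_user_name(user_name, fmt, delimiter)
        if parts is None:
            continue
        user, realm = parts
        if realm.lower() in known:
            return {"instance": instance, "Realm": known[realm.lower()],
                    "Stripped-User-Name": user}
    return None  # delimiter absent, or realm not defined: nothing is stripped


def effective_user(user_name, defined=DEFINED_REALMS):
    """Name a later module would see if it prefers the stripped name when present."""
    match = find_realm(user_name, defined)
    return match["Stripped-User-Name"] if match else user_name


if __name__ == "__main__":
    # Constructed User-Name values covering both formats and an undefined realm.
    for name in ("alice@example.org", "EXAMPLE\\alice", "alice@undefined.example", "alice"):
        print(f"{name!r:28} -> {find_realm(name)} / {effective_user(name)!r}")
```
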