Re: Removing domain prefix from login
Hi list, thanks for the help.

I've fixed the problem by changing the following parameters:

/etc/freeradius/sites-enabled/inner-tunnel:authorize: ntdomain
/etc/freeradius/modules/mschap:with_ntdomain_hack = yes

Now everything is OK. Thanks for all.

Regards,
Alejandro Gándara
Junior System Administrator
OptareSolutions

2011/11/11 Phil Mayers p.may...@imperial.ac.uk

> On 11/11/11 09:52, Alejandro Gandara wrote:
>> this is the short view:
>> [peap] The users session was previously rejected: returning reject (again.)
>> [peap] *** This means you need to read the PREVIOUS messages in the
>
> Sigh. Read this line.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Removing domain prefix from login
On 11/11/2011 07:46 AM, Alejandro Gandara wrote:
> I got errors anyways. I've attached debug output

The debug output didn't make it through; I guess it was too big. Use a pastebin, or put it inline in the email?

Re: Removing domain prefix from login
2011/11/11 Phil Mayers p.may...@imperial.ac.uk

> On 11/11/2011 07:46 AM, Alejandro Gandara wrote:
>> I got errors anyways. I've attached debug output
>
> The debug output didn't make it through; I guess it was too big. Use a pastebin, or put it inline in the email?

this is the short view:

++[preprocess] returns ok
[ntdomain] Looking up realm OPTARE for User-Name = OPTARE\brouco
[ntdomain] Found realm OPTARE
[ntdomain] Adding Stripped-User-Name = brouco
[ntdomain] Adding Realm = OPTARE
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[mschap] returns noop
++[digest] returns noop
[ldap] performing user authorization for brouco
[ldap] expand: %{Stripped-User-Name} - brouco
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=brouco)
[ldap] expand: dc=optare,dc=loc - dc=optare,dc=loc
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=optare,dc=loc, with filter (uid=brouco)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] roomNumber - Pool-Name == infraestructuras
[ldap] sambaNtPassword - NT-Password == 0x3245334230434533423046383434414238374145393237384141453730393331
[ldap] looking for reply items in directory...
[ldap] radiusTunnelPrivateGroupId - Tunnel-Private-Group-Id:0 = 01
[ldap] radiusTunnelMediumType - Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType - Tunnel-Type:0 = VLAN
[ldap] radiusFramedIPAddress - Framed-IP-Address = 192.45.51.9
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user brouco authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 45 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the debug output
[peap] *** to find out the reason why the user was rejected.
[peap] *** Look for reject or fail. Those earlier messages will tell you.
[peap] *** what went wrong, and how to fix the problem.
SSL: Removing session 1390126992ccf15f6eca58514ff74975f8661cc927bbe3a5f0e0a52b9a310e4a from the cache
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [OPTARE\\brouco/via Auth-Type = EAP] (from client privradius port 29 cli f0-4d-a2-bc-77-cd)
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
# Executing group from file /etc/freeradius/sites-enabled/default
Delaying reject of request 6 for 1 seconds

Thanks for the help

Re: Removing domain prefix from login
On 11/11/11 09:52, Alejandro Gandara wrote:
> this is the short view:
> [peap] The users session was previously rejected: returning reject (again.)
> [peap] *** This means you need to read the PREVIOUS messages in the

Sigh. Read this line.

Re: Removing domain prefix from login
Hi Alan,

Thanks for your answers and excuse me for my English full of mistakes.

2011/11/10 Alan DeKok al...@deployingradius.com

> Alejandro Gandara wrote:
>> I'm authenticating users in RADIUS against LDAP, if I login from computer with 802.1x configured and users and password taken from domain automatic. I'm getting wrong authenticated because the login has the following chain.
>> DOMAIN\\Users
>> How can I avoid that radius read the prefix?
>
> You should be able to authenticate using just the user name, using ntlm_auth. See the examples in raddb/modules/ntlm_auth

I'm reading about it. Thanks for this information.

>> I've tried to introduce the option prefix in /etc/sites-enable/default , but it's getting me back errors because of wrong way to introduce that line.
>
> Yes. Don't define a realm. It won't work.
>
> Post the debug output. That helps, too.

This is my debug output:

rad_recv: Access-Request packet from host 172.20.40.28 port 1025, id=112, length=218
Framed-MTU = 1480
NAS-IP-Address = 172.20.40.28
NAS-Identifier = SW-INT-1-3
User-Name = PRIVATE\\usertest
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 32
NAS-Port-Type = Ethernet
NAS-Port-Id = 32
Called-Station-Id = f0-62-81-05-33-40
Calling-Station-Id = f0-4d-a2-bc-77-cd
Connect-Info = CONNECT Ethernet 1000Mbps Full duplex
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1
EAP-Message = 0x020a0012014f50544152455c62726f75636f
Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
[ldap] performing user authorization for usertest
[ldap] expand: %{Stripped-User-Name} -
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} - usertest
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=usertest)
[ldap] expand: dc=private,dc=loc - dc=private,dc=loc
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 172.20.52.206:389, authentication 0
[ldap] bind as cn=raddbuser,dc=private,dc=loc/password to 172.20.52.206:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=pruebas,dc=loc, with filter (uid=usertest)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNtPassword - NT-Password == 0x3245334230434533423046383434414238374145393237384141453730393331
[ldap] looking for reply items in directory...
[ldap] radiusTunnelPrivateGroupId - Tunnel-Private-Group-Id:0 = 01
[ldap] radiusTunnelMediumType - Tunnel-Medium-Type:0 = IEEE-802
[ldap] radiusTunnelType - Tunnel-Type:0 = VLAN
[ldap] radiusFramedIPAddress - Framed-IP-Address = 192.45.51.9
[ldap] user brouco authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 10 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
*[eap] Identity does not match User-Name, setting from EAP Identity.*
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [usertest/via Auth-Type = EAP] (from client privradius port 32 cli f0-4d-a2-bc-77-cd)
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
# Executing group from file /etc/freeradius/sites-enabled/default

Thanks for all Alan.

Regards,
Alejandro Gándara

> Alan DeKok.

Re: Removing domain prefix from login
Alejandro Gandara wrote:
> This is my debug output:

Well... you deleted a lot of the default configuration. It now doesn't work. I'm not sure why.

Use the default configuration. It works. Change as little as possible.

Alan DeKok.

Re: Removing domain prefix from login
Thanks for your answer.

I think I've changed the following things to try to remove DOMAIN:

./modules/preprocess: with_ntdomain_hack = yes
./modules/mschap:with_ntdomain_hack = yes
./eap.conf: with_ntdomain_hack = yes

I hope this could help. If you know more information I could give, tell me.

2011/11/10 Alan DeKok al...@deployingradius.com

> Alejandro Gandara wrote:
>> This is my debug output:
>
> Well... you deleted a lot of the default configuration. It now doesn't work. I'm not sure why.
>
> Use the default configuration. It works. Change as little as possible.

I'll try once more. If I do not get results, I will reinstall freeradius changing only the necessary.

> Alan DeKok.

Regards,
Alejandro Gándara

Re: Removing domain prefix from login
On 10/11/11 08:15, Alejandro Gandara wrote:
> Hi Alan,
>
> Thanks for your answers and excuse me for my English full of mistakes.
>
> 2011/11/10 Alan DeKok al...@deployingradius.com
>
>> Alejandro Gandara wrote:
>>> I'm authenticating users in RADIUS against LDAP, if I login from computer with 802.1x configured and users and password taken from domain automatic. I'm getting wrong authenticated because the login has the following chain.
>>> DOMAIN\\Users
>>> How can I avoid that radius read the prefix?
>>
>> You should be able to authenticate using just the user name, using ntlm_auth. See the examples in raddb/modules/ntlm_auth
>
> I'm reading about it. Thanks for this information.
>
>>> I've tried to introduce the option prefix in /etc/sites-enable/default , but it's getting me back errors because of wrong way to introduce that line.
>>
>> Yes. Don't define a realm. It won't work.
>>
>> Post the debug output. That helps, too.
>
> This is my debug output:
>
> rad_recv: Access-Request packet from host 172.20.40.28 port 1025, id=112, length=218
> Framed-MTU = 1480
> NAS-IP-Address = 172.20.40.28
> NAS-Identifier = SW-INT-1-3
> User-Name = PRIVATE\\usertest

Have you edited this debug?

> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 32
> NAS-Port-Type = Ethernet
> NAS-Port-Id = 32
> Called-Station-Id = f0-62-81-05-33-40
> Calling-Station-Id = f0-4d-a2-bc-77-cd
> Connect-Info = CONNECT Ethernet 1000Mbps Full duplex
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = 1
> EAP-Message = 0x020a0012014f50544152455c62726f75636f

This decodes as:

\x02\n\x00\x12\x01OPTARE\\brouco

> Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> *[eap] Identity does not match User-Name, setting from EAP Identity.*

This claims MSCHAP and Radius username don't match. Did you edit the debug? Don't do that.

Please provide a full debug, like so:

radiusd -X | tee log.txt
# run a test auth
# ctrl+c
# email log.txt

Re: Removing domain prefix from login
2011/11/10 Phil Mayers p.may...@imperial.ac.uk

> On 10/11/11 08:15, Alejandro Gandara wrote:
>> Hi Alan,
>>
>> Thanks for your answers and excuse me for my English full of mistakes.
>>
>> 2011/11/10 Alan DeKok al...@deployingradius.com
>>
>>> Alejandro Gandara wrote:
>>>> I'm authenticating users in RADIUS against LDAP, if I login from computer with 802.1x configured and users and password taken from domain automatic. I'm getting wrong authenticated because the login has the following chain.
>>>> DOMAIN\\Users
>>>> How can I avoid that radius read the prefix?
>>>
>>> You should be able to authenticate using just the user name, using ntlm_auth. See the examples in raddb/modules/ntlm_auth
>>
>> I'm reading about it. Thanks for this information.
>>
>>>> I've tried to introduce the option prefix in /etc/sites-enable/default , but it's getting me back errors because of wrong way to introduce that line.
>>>
>>> Yes. Don't define a realm. It won't work.
>>>
>>> Post the debug output. That helps, too.
>>
>> This is my debug output:
>>
>> rad_recv: Access-Request packet from host 172.20.40.28 port 1025, id=112, length=218
>> Framed-MTU = 1480
>> NAS-IP-Address = 172.20.40.28
>> NAS-Identifier = SW-INT-1-3
>> User-Name = PRIVATE\\usertest
>
> Have you edited this debug?
>
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> NAS-Port = 32
>> NAS-Port-Type = Ethernet
>> NAS-Port-Id = 32
>> Called-Station-Id = f0-62-81-05-33-40
>> Calling-Station-Id = f0-4d-a2-bc-77-cd
>> Connect-Info = CONNECT Ethernet 1000Mbps Full duplex
>> Tunnel-Type:0 = VLAN
>> Tunnel-Medium-Type:0 = IEEE-802
>> Tunnel-Private-Group-Id:0 = 1
>> EAP-Message = 0x020a0012014f50544152455c62726f75636f
>
> This decodes as:
>
> \x02\n\x00\x12\x01OPTARE\\brouco
>
>> Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
>> Found Auth-Type = EAP
>> # Executing group from file /etc/freeradius/sites-enabled/default
>> +- entering group authenticate {...}
>> *[eap] Identity does not match User-Name, setting from EAP Identity.*
>
> This claims MSCHAP and Radius username don't match. Did you edit the debug? Don't do that.

Ok sorry

> Please provide a full debug, like so:
>
> radiusd -X | tee log.txt
> # run a test auth
> # ctrl+c
> # email log.txt

I've attached it

FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 20:41:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...

Re: Removing domain prefix from login
Hi,

> rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, length=218

snip

> User-Name = OPTARE\\brouco

snip

all okay but then:

> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[mschap] returns noop
> ++[digest] returns noop
> [ldap] performing user authorization for brouco
> [ldap]expand: %{Stripped-User-Name} -

no stripped-user-name

and User-Name is brouco - but that's not what the client sent. they sent OPTARE\\brouco - so your reply reference something they didn't send.

have you got 'ntdomain' module enabled in your virtual servers - just after the 'preprocess' is called?

alan

Re: Removing domain prefix from login
2011/11/10 Alan Buxey a.l.m.bu...@lboro.ac.uk

> Hi,
>
>> rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, length=218
>
> snip
>
>> User-Name = OPTARE\\brouco

I know this, that's why I need try to remove this prefix. At first I thought I could do with module/realm. But I didn't get good results.

> snip
>
> all okay but then:
>
>> # Executing section authorize from file /etc/freeradius/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[mschap] returns noop
>> ++[digest] returns noop
>> [ldap] performing user authorization for brouco
>> [ldap]expand: %{Stripped-User-Name} -
>
> no stripped-user-name

I think the problem is eap is looking for User-name and I need it looks for stripped

> and User-Name is brouco - but that's not what the client sent. they sent OPTARE\\brouco - so your reply reference something they didn't send.
>
> have you got 'ntdomain' module enabled in your virtual servers - just after the 'preprocess' is called?
>
> alan

Regards,
Alejandro

Re: Removing domain prefix from login
Ok, your debug says:

> rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, length=218
> Framed-MTU = 1480
> NAS-IP-Address = 172.20.40.11
> NAS-Identifier = SW-Priv-1-1
> User-Name = OPTARE\\brouco

snip

> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok

Why is preprocess returning ok.

What are you doing in the hints module? Are you modifying the username field?

A few lines later it says:

> [ldap] expand: %{User-Name} - brouco

If you're modifying the username, you can't do that. It will break EAP, which is why it says:

> [eap] Identity does not match User-Name, setting from EAP Identity.

...then fails.

I assume you want to strip DOMAIN\ so that you can do LDAP? You CANNOT modify the User-Name field. You MUST use the Stripped-User-Name field, and leave the User-Name field alone.

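The EAP-Message decode done by hand earlier on the page, together with the rule in the message above (leave User-Name alone, expose the bare name as Stripped-User-Name), as an added Python example that is not code from the thread or from FreeRADIUS. `authorize_view` and its dictionary keys are names chosen for illustration; the EAP-Message value and the two user names are the ones quoted in the posted debug output.

```python
import struct

EAP_RESPONSE = 2       # EAP Code: Response
EAP_TYPE_IDENTITY = 1  # EAP Type: Identity


def parse_eap_identity(hex_value):
    """Decode an EAP-Message value as printed by `radiusd -X`.

    Returns (code, identifier, identity) for an EAP-Response/Identity and
    raises ValueError for anything else or for a bad length field.
    """
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 5:
        raise ValueError("too short for an EAP header plus type byte")
    code, identifier, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError("EAP length %d, but %d bytes present" % (length, len(raw)))
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return code, identifier, raw[5:].decode("utf-8")


def split_ntdomain(name):
    """Split DOMAIN\\user into (realm, user); (None, name) if no prefix."""
    realm, sep, user = name.partition("\\")
    return (realm, user) if sep and realm and user else (None, name)


def authorize_view(user_name, eap_message_hex):
    """Attributes as the thread says to use them: User-Name is returned
    untouched, the bare name is exposed separately for the LDAP filter."""
    _, identifier, identity = parse_eap_identity(eap_message_hex)
    realm, stripped = split_ntdomain(user_name)
    return {
        "User-Name": user_name,
        "Realm": realm,
        "Stripped-User-Name": stripped,
        "EAP-Id": identifier,
        "EAP-Identity": identity,
        # False here is what rlm_eap reports as
        # "Identity does not match User-Name".
        "identity_matches_user_name": identity == user_name,
    }


# EAP-Message value quoted in the thread's debug output.
EAP_MESSAGE = "0x020a0012014f50544152455c62726f75636f"

if __name__ == "__main__":
    # User-Name as it appeared in the posted debug...
    print(authorize_view("PRIVATE\\usertest", EAP_MESSAGE))
    # ...and the name carried in the EAP identity.
    print(authorize_view("OPTARE\\brouco", EAP_MESSAGE))
```

The identifier and length it reports (10 and 18) are the same values the server logged as "EAP packet type response id 10 length 18".
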
Re: Removing domain prefix from login
2011/11/10 Phil Mayers p.may...@imperial.ac.uk

> Ok, your debug says:
>
>> rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, length=218
>> Framed-MTU = 1480
>> NAS-IP-Address = 172.20.40.11
>> NAS-Identifier = SW-Priv-1-1
>> User-Name = OPTARE\\brouco
>
> snip
>
>> # Executing section authorize from file /etc/freeradius/sites-enabled/default
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>
> Why is preprocess returning ok.

this is preprocess

preprocess {
    huntgroups = ${confdir}/huntgroups
    hints = ${confdir}/hints

    # This hack changes Ascend's wierd port numberings
    # to standard 0-??? port numbers so that the + works
    # for IP address assignments.
    with_ascend_hack = no
    ascend_channels_per_line = 23

    # Windows NT machines often authenticate themselves as
    # NT_DOMAIN\username
    #
    # If this is set to 'yes', then the NT_DOMAIN portion
    # of the user-name is silently discarded.
    #
    # This configuration entry SHOULD NOT be used.
    # See the realms module for a better way to handle
    # NT domains.
    with_ntdomain_hack = yes

    # Specialix Jetstream 8500 24 port access server.
    #
    # If the user name is 10 characters or longer, a /
    # and the excess characters after the 10th are
    # appended to the user name.
    #
    # If you're not running that NAS, you don't need
    # this hack.
    with_specialix_jetstream_hack = no

    # Cisco (and Quintum in Cisco mode) sends it's VSA attributes
    # with the attribute name *again* in the string, like:
    #
    # H323-Attribute = h323-attribute=value.
    #
    # If this configuration item is set to 'yes', then
    # the redundant data in the the attribute text is stripped
    # out. The result is:
    #
    # H323-Attribute = value
    #
    # If you're not running a Cisco or Quintum NAS, you don't
}

> What are you doing in the hints module? Are you modifying the username field?
>
> A few lines later it says:
>
>> [ldap] expand: %{User-Name} - brouco
>
> If you're modifying the username, you can't do that. It will break EAP, which is why it says:
>
>> [eap] Identity does not match User-Name, setting from EAP Identity.
>
> ...then fails.
>
> I assume you want to strip DOMAIN\ so that you can do LDAP? You CANNOT modify the User-Name field. You MUST use the Stripped-User-Name field, and leave the User-Name field alone.

Re: Removing domain prefix from login
On 10/11/11 16:53, Alejandro Gandara wrote:
> # This configuration entry SHOULD NOT be used.
> # See the realms module for a better way to handle
> # NT domains.
> with_ntdomain_hack = yes
                       ^^^

As per the docs. This config item should not be used, and is causing things to break. Set this back to no.

Edit the proxy.conf file and add:

realm OPTARE {
}

Then edit raddb/sites-enabled/server and add:

authorize {
    preprocess
    ntdomain
    # rest of config
}

Re: Removing domain prefix from login
Hi,

> As per the docs. This config item should not be used, and is causing things to break.

umm, wasn't there a discussion recently in which with_ntdomain_hack = yes was going to be set by default in FR 3.x ?

alan

Re: Removing domain prefix from login
On 11/10/2011 10:06 PM, Alan Buxey wrote:
> Hi,
>
>> As per the docs. This config item should not be used, and is causing things to break.
>
> umm, wasn't there a discussion recently in which with_ntdomain_hack = yes was going to be set by default in FR 3.x ?

That was the option on the mschap module. That option does not modify the packet, and only controls the string that is input into the mschap challenge/response calculation. Since the RFC says that input string should always be the username without leading DOMAIN\, it seems sensible to change that default and rename the option to something like challenge_ignore_ntdomain or something.

*This* option, unfortunately named the same thing, does something different - it modifies the username in the packet to remove the DOMAIN\ which is almost never a good thing, and definitely not if you're using EAP. It should probably just be removed - people can use unlang if they really want to hack away at the username.

There's also a with_ntdomain_hack on rlm_eap_mschapv2 which again does something different - it strips the DOMAIN\ when proxying the mschap to a remote server. It should probably be renamed to proxy_send_domain or something.

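Why the mschap-module option described above matters, as an added Python example (not FreeRADIUS code, and not from the thread): the MS-CHAPv2 ChallengeHash of RFC 2759 takes the user name as input, so a server that hashes `OPTARE\brouco` derives a different challenge from a client that hashed `brouco`. The `ignore_ntdomain` flag is a hypothetical stand-in for the behaviour the message describes, and the client hashing the bare name is assumed from the RFC rule the message cites; the challenges are the RFC 2759 section 9.2 test vector.

```python
import hashlib


def strip_ntdomain(name):
    """Return the part after the first backslash, or the name unchanged."""
    _, sep, user = name.partition(b"\\")
    return user if sep else name


def challenge_hash(peer_challenge, authenticator_challenge, user_name):
    """RFC 2759 ChallengeHash: first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + user_name)
    return digest.digest()[:8]


def server_challenge(peer_challenge, authenticator_challenge, user_name,
                     ignore_ntdomain):
    """Challenge as a server would derive it. Only the hash input changes;
    the user_name value (the packet attribute) is never rewritten."""
    hashed_name = strip_ntdomain(user_name) if ignore_ntdomain else user_name
    return challenge_hash(peer_challenge, authenticator_challenge, hashed_name)


# RFC 2759 section 9.2 test vector.
RFC_AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_USER = b"User"

# User-Name as sent in the thread; the client is assumed to hash the bare name.
NAME_IN_PACKET = b"OPTARE\\brouco"


def client_challenge():
    """Challenge computed by a client that follows the RFC rule."""
    return challenge_hash(RFC_PEER, RFC_AUTH, strip_ntdomain(NAME_IN_PACKET))


if __name__ == "__main__":
    print("RFC vector:", challenge_hash(RFC_PEER, RFC_AUTH, RFC_USER).hex())
    for flag in (False, True):
        same = server_challenge(RFC_PEER, RFC_AUTH, NAME_IN_PACKET, flag) == client_challenge()
        print("ignore_ntdomain=%s -> server and client agree: %s" % (flag, same))
```
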
Re: Removing domain prefix from login
Hi,

> I'm authenticating users in RADIUS against LDAP, if I login from computer with 802.1x configured and users and password taken from domain automatic. I'm getting wrong authenticated because the login has the following chain.
> DOMAIN\\Users
> How can I avoid that radius read the prefix?

ntdomain with the 'hack' option set to yes - Stripped-User-Name is then properly created - use that variable in the LDAP

alan

Re: Removing domain prefix from login
Alejandro Gandara wrote:
> I'm authenticating users in RADIUS against LDAP, if I login from computer with 802.1x configured and users and password taken from domain automatic. I'm getting wrong authenticated because the login has the following chain.
> DOMAIN\\Users
> How can I avoid that radius read the prefix?

You should be able to authenticate using just the user name, using ntlm_auth. See the examples in raddb/modules/ntlm_auth

> I've tried to introduce the option prefix in /etc/sites-enable/default , but it's getting me back errors because of wrong way to introduce that line.

Yes. Don't define a realm. It won't work.

Post the debug output. That helps, too.

Alan DeKok.