Use: --username=%{mschap:User-Name}
and it should work.

Ivan Kalik
Kalik Informatika ISP

On 3/10/2008, "Vieri" <[EMAIL PROTECTED]> wrote:

>--- On Thu, 10/2/08, Vieri <[EMAIL PROTECTED]> wrote:
>
>> I'm running freeradius-2.0.5 on Linux.
>>
>> My setup is as follows:
>>
>> Windows Vista native client - Linksys AP - FreeRadius Linux
>> server (PEAP/mschapv2) - Active Directory Windows server
>>
>> Everything works smoothly with the following ntlm_auth
>> parameters in the mschap module:
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> However, user authentication is rejected when I add the
>> --domain parameter:
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --domain=%{mschap:NT-Domain}
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> (from the Windows Vista client I obviously set the DOMAIN
>> field; besides, if I run the freeradius daemon with debug
>> enabled I see that it "correctly" receives
>> 'DOMAIN\username')
>>
>> For starters, I don't understand why authentication
>> fails if I add --domain. How can I find out why?
>>
>> Then, adding --require-membership-of with or without
>> --domain also fails.
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>> --domain=%{mschap:NT-Domain}
>> --username=%{Stripped-User-Name:-%{User-Name:-None}}
>> --require-membership-of='DOMAIN\\WIFI'
>> --challenge=%{mschap:Challenge:-00}
>> --nt-response=%{mschap:NT-Response:-00}"
>>
>> Finally, running ntlm_auth from the command line yields:
>>
>> # ntlm_auth --request-nt-key --domain=DOMAIN
>> --username=myuser
>> --require-membership-of='DOMAIN\\WIFI'
>> password:
>> NT_STATUS_OK: Success (0x0)
>
>I found this in the radiusd debug log:
>
>[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
>  Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!
>
>so I removed the '' in the ntlm_auth string like this:
>
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>--username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN
>--require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00}
>--nt-response=%{mschap:NT-Response:-00}"
>
>and now it works.
>
>So this leads me to ask how I can specify group names with spaces such as
>'WIFI 1'.
>
>Also, I had to specify the domain explicitly either via --domain=DOMAIN or
>--domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication
>succeeds only if the client does NOT specify a domain in the domain or user
>field.
>So I'm attaching some debug outputs with the hope that someone can shed some
>light on this aspect which I obviously don't grasp.
>
>Thanks,
>
>Vieri
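
An added example, not part of the original messages and not FreeRADIUS code: a simplified Python model of the expansions discussed in this thread, showing which --domain and --username values reach ntlm_auth with the original line and with --username=%{mschap:User-Name}. The function names are hypothetical, and the model assumes Stripped-User-Name is unset unless one is passed in.

```python
# Simplified model (assumption) of the expansions discussed in this thread.
# It is not rlm_mschap code and it ignores "host/" machine account names.

def mschap_user_name(user_name):
    """%{mschap:User-Name}: the part after 'DOMAIN\\', or the whole name."""
    return user_name.split("\\", 1)[-1]

def mschap_nt_domain(user_name):
    """%{mschap:NT-Domain}: the part before the backslash, '' if there is none."""
    return user_name.split("\\", 1)[0] if "\\" in user_name else ""

def with_default(value, default):
    """%{x:-default}: fall back to the default when x is missing or empty."""
    return value if value else default

def ntlm_auth_identity(user_name, stripped_user_name=None, fixed=False,
                       default_domain="DOMAIN"):
    """Return the (--domain, --username) pair handed to ntlm_auth.

    fixed=False models --username=%{Stripped-User-Name:-%{User-Name:-None}}
    fixed=True  models --username=%{mschap:User-Name}
    Both use --domain=%{mschap:NT-Domain:-DOMAIN}.
    """
    domain = with_default(mschap_nt_domain(user_name), default_domain)
    if fixed:
        username = mschap_user_name(user_name)
    else:
        username = with_default(stripped_user_name,
                                with_default(user_name, "None"))
    return domain, username

if __name__ == "__main__":
    # Constructed sample User-Name values: with and without a domain prefix.
    for name in ("DOMAIN\\myuser", "myuser"):
        for fixed in (False, True):
            domain, username = ntlm_auth_identity(name, fixed=fixed)
            label = "mschap:User-Name" if fixed else "Stripped/User-Name"
            print(f"{name!r:18} {label:20} "
                  f"--domain={domain} --username={username}")
```

When the client sends 'DOMAIN\myuser', the original line passes the domain twice (once in --domain and again inside --username), while the mschap:User-Name form passes the bare account name; when the client sends no domain, both forms produce the same arguments.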