"Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> Ok, but isn't the "with_ntdomain_hack = yes" directive in the
> radiusd.conf file supposed to correct this behavior?

  Theoretically, yes.  But when you're calling ntlm_auth, the
"with_ntdomain_hack" isn't being used.  Why would it?  You're passing
the exact attributes you want to ntlm_auth.  If you don't like the
attributes, change them.  Why would we need another configuration
option to do the same thing?

> So now my args for ntlm_auth are right, but I think something is up with
> mschap still.

  If the arguments to ntlm_auth are right, then it should work.

> When the Challenge or Response message is generated is it
> still trying to use domain/user as the username?

  Ask the client, not FreeRADIUS.

  And when you're using ntlm_auth, *you* configure it to use
"domain\user", or just "user".  So to answer your question on
FreeRADIUS's side, go back and read your configuration.

> I'm confused on this point. When PEAP identity is set to username my
> auths work. When the PEAP identity is of the form domain/user MSCHAP
> fails.

  Yes.  This is the problem.  But it has nothing to do with PEAP.

> Am I wrong in thinking that with the correct configuration Freeradius
> will allow me to have users from all trusted domains use the MSCHAP
> module for 802.1x auth? Where am I going wrong?

  Yes.  I don't know where you're going wrong.  It may be the client.

  You have debug output which runs ntlm_auth.  Try cutting & pasting
those commands into the command-line, and running them there.  Play
games with "domain\user" and "users", until you get something that
works.

  There's no point trying to configure FreeRADIUS to do the "right"
thing, when you don't even know what the "right" thing is.  Find that
out first, and THEN configure the server.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html