On 12/02/2012 23:54, McNutt, Justin M. wrote:

> I'm not sure why, then, but it actually does work. We have shown that with
> the client configured to use "u...@e.mail.address" (where e.mail.address is
> NOT the same as the AD domain), if I have FR look for 'e.mail.address' and
> translate it to the correct NT domain, authentication succeeds.

See Phil's answer on Feb 03 18:57 ... That's because domains (both NT-like and Kerberos-like) get stripped from crypto ops. Too bad you can't change user name when calling ntlm_auth (that's what I'd have to do for users with an UPN change).

> The user name must not be part of the crypto calculation or it would fail.
> I've been able to "correct" all kinds of things in the user name and set the
> domain manually to whatever I want. As long as I supply the correct password
> on the client side to what I happen to know the RADIUS server has mapped my
> ID to, authentication is successful.

The 'user' *is* part of the crypto. '@e.mail.address' (or 'DOMAIN\') is not.

BYtE, Diego.