FreeRadius multiple domains

We use FreeRADIUS for 802.1X authentication of our wireless users. We need to authenticate users who may live in either of two Active Directory domains. Authenticating against the global catalog does not work for us, because the same user account names have been created in both domains, so a lookup by bare username is ambiguous. That wasn't my idea and it can't be fixed, so I have to work around it. One fix would be to have users append the domain when they authenticate, but we don't want to make things harder for end users.

FreeRADIUS's unlang policy language made a workaround possible, and I wanted to share the config. I'm assuming you already have FreeRADIUS running to the point where you can authenticate against one domain via MS-CHAP. The idea is simple: one mschap module instance calls ntlm_auth with the first domain hard-coded, and a second mschap instance calls it with the second domain. If the user fails authentication against the first domain, the second instance runs with the second domain.

First, I modified the ntlm_auth line of my mschap module, which is configured in /etc/raddb/modules/mschap, so that it names the first domain explicitly:

ntlm_auth = "/usr/bin/ntlm_auth --configfile=/etc/samba/smb.conf --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=YourFirstDomainName --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

I then created a second mschap module instance for the other domain by adding the following to /etc/raddb/radius.conf:

mschap NameOfNewModule {
    with_ntdomain_hack = yes
    # The %{...:Challenge} and %{...:NT-Response} expansions are registered by
    # the mschap module under its instance name, so this instance references
    # its own name (NameOfNewModule) rather than "mschap".
    ntlm_auth = "/usr/bin/ntlm_auth --configfile=/etc/samba/smb.conf --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=YourSecondDomainName --challenge=%{%{NameOfNewModule:Challenge}:-00} --nt-response=%{%{NameOfNewModule:NT-Response}:-00}"
}

Next, modify the inner-tunnel virtual server, /etc/raddb/sites-available/inner-tunnel, with some unlang.
Add both instances to the authorize { } section (alongside its existing entries):

authorize {
    # ... existing entries ...
    mschap
    NameOfNewModule
    # ... existing entries ...
}

Then add the following unlang to the authenticate { } section:

authenticate {
    # ... existing entries ...
    Auth-Type MS-CHAP {
        # Give "reject" a priority instead of its default "return" so a
        # rejection from the first instance does not end the section; the
        # second domain is then tried only when the first one rejected.
        mschap {
            reject = 2
        }
        if (reject) {
            NameOfNewModule
        }
    }
    # ... existing entries ...
}
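It helps to be able to see which domain actually accepts a given account without going through a wireless client and the RADIUS debug log. The script below is an added example, not part of the original post and not FreeRADIUS or Samba code: it reproduces the same "first domain, then the next" fallback by calling Samba's ntlm_auth directly with a plaintext password (so it checks the domain join and the account, not the MS-CHAP challenge/response path itself). It assumes ntlm_auth is installed and winbind is joined to every domain listed; FIRSTDOMAIN and SECONDDOMAIN are placeholder names, and the script generalizes the post's two domains to any number in the DOMAINS list.

```shell
#!/bin/sh
# Added example (not from the original post, FreeRADIUS or Samba): probe which
# domain accepts a user's credentials, trying the domains in order exactly as
# the unlang fallback does. Assumes Samba's ntlm_auth is in PATH and winbind
# is joined to each domain named in DOMAINS. Domain names are placeholders.

NTLM_AUTH="${NTLM_AUTH:-ntlm_auth}"            # command to run (overridable)
DOMAINS="${DOMAINS:-FIRSTDOMAIN SECONDDOMAIN}"  # tried in this order

# auth_in_domain USER DOMAIN PASSWORD
# Returns 0 if ntlm_auth accepts the credentials in DOMAIN; otherwise prints
# ntlm_auth's status line (e.g. NT_STATUS_LOGON_FAILURE or
# NT_STATUS_NO_SUCH_USER) to stderr and returns 1.
auth_in_domain() {
    if out=$("$NTLM_AUTH" --request-nt-key --username="$1" --domain="$2" \
                          --password="$3" 2>&1); then
        return 0
    fi
    printf '%s: %s\n' "$2" "$out" >&2
    return 1
}

# find_domain USER PASSWORD
# Prints the first domain in $DOMAINS that accepts the credentials and returns 0;
# returns 1 when every domain rejects them (the same outcome as the unlang block).
find_domain() {
    for dom in $DOMAINS; do
        if auth_in_domain "$1" "$dom" "$2"; then
            echo "$dom"
            return 0
        fi
    done
    return 1
}

# Command-line use: probe-domains.sh USER   (the password is read from stdin so
# it never appears in the process list). With no arguments only the functions
# above are defined.
if [ "$#" -eq 1 ]; then
    printf 'Password: ' >&2
    read -r pass
    if dom=$(find_domain "$1" "$pass"); then
        echo "accepted by $dom"
    else
        echo "rejected by every domain in: $DOMAINS" >&2
        exit 1
    fi
fi
```

Two things the probe makes visible that the RADIUS path hides. First, the status line from the domain that rejected tells you whether the account simply does not exist there (NT_STATUS_NO_SUCH_USER) or exists with a different password (NT_STATUS_LOGON_FAILURE), which is exactly the duplicate-name situation the post works around. Second, a wrong password is submitted to every domain in turn, so one mistyped Wi-Fi password counts as a failed attempt against the lockout policy of each domain, and the domain controllers' logs will show failures for an account that may never have belonged to that domain.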

2 comments

  • This article was the catalyst that got me to my solution. However, I had to make some changes to what was published here. When I followed the instructions here, the stock MSCHAP is all that would work for me even when I changed the hardcoded domain listed in the ntlm_auth string. I removed the stock mschap module and only used my added modules, and got a strange error: mschap did not exist. The mschap in "--challenge=%{mschap:Challenge:-00}" was an instance name. I have been able to get my main domain and the three subdomains by referencing the instance name inside each call. I am done with my rollout, but have been searching for the answer to this for days. Hoping to save someone else some time...

    mschap hacmschap {
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=HAC.EXAMPLE.COM --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{hacmschap:Challenge}:-00} --nt-response=%{%{hacmschap:NT-Response}:-00}"
    }

    mschap fbcmschap {
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE.COM --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{fbcmschap:Challenge}:-00} --nt-response=%{%{fbcmschap:NT-Response}:-00}"
    }

    mschap cbsmschap {
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=CBS.EXAMPLE.COM --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{cbsmschap:Challenge}:-00} --nt-response=%{%{cbsmschap:NT-Response}:-00}"
    }

    mschap hbsmschap {
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=HBS.EXAMPLE.COM --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{hbsmschap:Challenge}:-00} --nt-response=%{%{hbsmschap:NT-Response}:-00}"
    }

  • Thanks Daniel. I’m glad you found the posting to be useful and that you also shared your comments.

    Take care and God bless!
