Freeradius using Windows Login Name


#1

Hi,

I’m configuring my wireless device to use UCS Freeradius as the authentication server for my users. I can set up the freeradius just fine and then test it with success, with one problem: I can’t use the option “Automatically use my Windows logon name and password”.

Our users are using UCS as their computer’s login server and can login just fine.

I trace the problem and this is what I found:

  • If I log in to my wireless using my username only, i.e. user.account and its password, I can log in to the wireless successfully.
  • If I log in to my wireless using the domain name as configured above, i.e. DOMAIN\user.account and its password, I can’t log in; it fails.

Here is the log from freeradius when it failed:
Mon Dec 19 14:49:49 2016 : Auth: Login incorrect: [host/laptop.example.com/] (from client AP01 port 1 cli 00-1e-65-01-a3-4c)
Mon Dec 19 14:50:15 2016 : Auth: Login incorrect (mschap: External script says ): [DOMAIN\user.test/] (from client AP01 port 0 via TLS tunnel)
Mon Dec 19 14:50:15 2016 : Auth: Login incorrect: [DOMAIN\user.test/] (from client AP01 port 1 cli 00-1e-65-01-a3-4c)

And this is when it logs in successfully:
Mon Dec 19 15:43:57 2016 : Auth: Login OK: [user.test] (from client AP01 port 0 via TLS tunnel)
Mon Dec 19 15:43:57 2016 : Auth: Login OK: [user.test] (from client AP01 port 1 cli 00-1e-65-01-a3-4c)

I also found this when running freeradius -X command:
Module: Linked to module rlm_realm
Module: Instantiating module "ntdomain" from file /etc/freeradius/modules/realm
realm ntdomain {
format = "prefix"
delimiter = ""
ignore_default = no
ignore_null = no
}

I notice that the delimiter configuration is wrong, it should be “” instead of “”

Is there something that I’ve to configure in the freeradius or UCS console itself?

We are using a Cisco Wireless Controller and a Cisco Aironet 3502 Access Point. I’m an experienced network engineer and I can confirm that the wireless controller is configured correctly.

Your help is much appreciated.


#2

Did you already come across this resource: http://wiki.univention.de/index.php?title=RADIUS ?


#3

Hey,

[quote="syahreza"]Module: Instantiating module "ntdomain" from file /etc/freeradius/modules/realm
realm ntdomain {
format = "prefix"
delimiter = ""
ignore_default = no
ignore_null = no
}[/quote]

In my default configuration for FreeRadius that configuration file does include a delimiter. Here’s what the “ntdomain” realm in my “realm” file looks like:

realm ntdomain {
format = prefix
delimiter = "\\"
}

So I’d suggest you edit “/etc/freeradius/modules/realm” and verify your “ntdomain” realm looks exactly like this. Yes, the double backslash is correct as a single backslash is used as an escape character in that file format.

Afterwards restart “freeradius -X” and try again.

Kind regards,
mosu
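
An added example, not part of the thread and not FreeRADIUS code: a simplified Python model of how a prefix realm with a backslash delimiter splits the user names seen in the first post's log lines. The function names and the escaping model are assumptions made for illustration; the real rlm_realm parser may differ in detail.

```python
import re

# Three Auth lines copied from the radius.log excerpt in the first post.
SAMPLE_LOG = r"""Mon Dec 19 14:50:15 2016 : Auth: Login incorrect: [DOMAIN\user.test/] (from client AP01 port 1 cli 00-1e-65-01-a3-4c)
Mon Dec 19 15:43:57 2016 : Auth: Login OK: [user.test] (from client AP01 port 1 cli 00-1e-65-01-a3-4c)
Mon Dec 19 14:49:49 2016 : Auth: Login incorrect: [host/laptop.example.com/] (from client AP01 port 1 cli 00-1e-65-01-a3-4c)"""

AUTH_RE = re.compile(r"Auth: Login (OK|incorrect)[^\[]*\[([^\]]*)\]")


def unescape_conf_string(raw):
    # Assumed model of a double-quoted config value: a backslash escapes the
    # character that follows it, so two backslashes in the file yield one.
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\":
            i += 1
            if i == len(raw):
                raise ValueError("lone backslash escapes the closing quote")
        out.append(raw[i])
        i += 1
    return "".join(out)


def split_prefix_realm(user_name, delimiter):
    # format = prefix: the realm is the text before the first delimiter.
    if len(delimiter) != 1:
        raise ValueError("delimiter must be exactly one character")
    realm, sep, user = user_name.partition(delimiter)
    return (realm, user) if sep else (None, user_name)


def classify(log_text, delimiter_conf):
    # Returns (status, realm, stripped user name) for each Auth line.
    delim = unescape_conf_string(delimiter_conf)
    rows = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            # Failed entries on the page end with "/", trimmed here.
            name = m.group(2).rstrip("/")
            rows.append((m.group(1),) + split_prefix_realm(name, delim))
    return rows


if __name__ == "__main__":
    for row in classify(SAMPLE_LOG, r"\\"):
        print(row)
```

In this model a value written with two backslashes yields the one-character delimiter that separates DOMAIN from user.test, while an empty value or a single backslash is rejected before any name is split.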