Tags: active-directory, freeradius, google-authenticator

FreeRADIUS change user domain


I've been working on a project at work to configure FreeRADIUS with Google Authenticator for two-factor authentication purposes.

I've used this guide.

Everything's working well and I've even written scripts to generate and e-mail the QR codes to users but there's one last hurdle I'd like to overcome.

For example:

Say our AD domain is my.domain.com. If I authenticate against FreeRADIUS with the username user@my.domain.com, everything works fine. The problem is that our RAS solution doesn't always send the full domain to FreeRADIUS. In the logs I'd see the username as user@my (the pre-2000 domain name). Naturally this fails.

What I'm trying to achieve is to get FreeRADIUS to catch this and replace @my with @my.domain.com.

The other option is to re-configure all the RAS clients, and since these are almost all used remotely this would be impractical.

I'm sure FreeRADIUS can do it, can someone help me?


Solution

  • OK, got it.

    Just in case anyone else needs to know here's what I did.

    I added the following to /etc/raddb/hints (may vary by distro but I'm on CentOS 7)

    # Username arrived as user@my: append the rest of the DNS domain.
    # Suffix is compared against the end of User-Name; Strip-User-Name = No
    # leaves the "@my" in place so the replacement can build on it.
    DEFAULT Suffix == "@my", Strip-User-Name = No
         User-Name := "%{User-Name}.domain.com"

    # Username arrived with no @ at all: append the full domain.
    # Only reached if the entry above did not match (no Fall-Through).
    DEFAULT User-Name !~ ".*@"
         User-Name := "%{User-Name}@my.domain.com"


    The first entry looks to see if the suffix is JUST @my and adds .domain.com to the username if it is.

    The second entry checks whether an @ is present and, if not, adds @my.domain.com to the username. This turned out to be an additional requirement not mentioned above.

    Hope it's useful to someone. Works like a charm now.
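To see which usernames those two entries will and will not fix before testing against the live server, here is an added example (my own, not code from the original answer or from FreeRADIUS): a small Python model of how rlm_preprocess evaluates that hints file. It assumes the behaviour the hints file relies on: Suffix is an exact comparison against the end of User-Name, !~ is an unanchored regex non-match, and processing stops at the first matching entry because neither entry sets Fall-Through. The sample usernames and the "clean UPN" check are constructed for the example.

```python
import re

# Constructed from the two hints entries in the answer above.
SHORT_SUFFIX = "@my"             # Suffix == "@my"
APPEND_REST = ".domain.com"      # User-Name := "%{User-Name}.domain.com"
FULL_DOMAIN = "@my.domain.com"   # User-Name := "%{User-Name}@my.domain.com"
HAS_AT = re.compile(r".*@")      # User-Name !~ ".*@"

# A well-formed UPN for this realm (constructed check, not part of the answer):
# one name part with no @, backslash or slash, then the full realm.
CLEAN_UPN = re.compile(r"^[^@\\/]+@my\.domain\.com$")

# Constructed sample of what a RAS client might send.
SAMPLES = [
    "user@my",             # pre-2000 name, the case the question is about
    "user",                # bare name, the extra requirement from the answer
    "user@my.domain.com",  # already correct
    "user@other.com",      # some other realm
    "bob@army",            # ends in "my" but not in "@my"
    "MY\\user",            # down-level DOMAIN\user form
]


def rewrite_user_name(user_name: str) -> str:
    """Return User-Name as it leaves the hints file.

    Entry 1: Suffix == "@my"     -> append ".domain.com"
    Entry 2: User-Name !~ ".*@"  -> append "@my.domain.com"
    The first matching entry wins; neither entry sets Fall-Through.
    """
    # Suffix is compared against the tail of the name, not searched as a substring.
    if user_name.endswith(SHORT_SUFFIX):
        return user_name + APPEND_REST
    # !~ is a regex non-match; re.search mirrors the server's unanchored matching.
    if not HAS_AT.search(user_name):
        return user_name + FULL_DOMAIN
    # No entry matched: the name passes through unchanged.
    return user_name


def needs_attention(user_names) -> list:
    """Names that are still not a clean UPN for the realm after rewriting.

    These are the inputs the two entries cannot fix: either nothing matched
    (another realm, or a suffix that merely ends in "my"), or entry 2 bolted
    the realm onto a down-level DOMAIN\\user name that was never a UPN.
    """
    return [n for n in user_names if not CLEAN_UPN.match(rewrite_user_name(n))]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:24} -> {rewrite_user_name(name)!r}")
    print("needs attention:", needs_attention(SAMPLES))
```

The model shows that user@my and a bare user both come out as user@my.domain.com and that an already-qualified name is not double-suffixed, but it also shows what the entries leave alone: user@other.com and bob@army pass through untouched and will fail exactly as before, and a down-level MY\user name gets @my.domain.com appended even though that is not a valid UPN. If your RAS clients can send that form, the second entry needs a tighter check than "no @ present". To confirm on the real server, run it in debug mode with radiusd -X and send a request for each of these shapes with radtest (radtest user@my <password> localhost 0 <shared-secret>), watching the debug output for the User-Name after the preprocess module has run.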