On Tue, 2004-02-03 at 14:50, Michael Gernoth wrote:
> I think the peap-module needs to use the username without the domain
> for authentication.

Not true...  The PEAP module (especially if you're using EAP-MSCHAPv2 as
the inner EAP method) MUST use the full Identity/UserName as sent by the
supplicant.  If it doesn't, then the MSCHAP handshake will fail as the
usernames won't match (see many discussions on this list about problems
with MS-CHAP and stripped-user-name versus original user-name).


> Trying to define a (local) Realm for my domain works a bit, but the PEAP-
> Module still uses the User-Name Attribute and not the
> Stripped-User-Name, so authentication fails there again. (With the
> same errors you have)
> I need to authenticate the user michael against the stored PW and not
> the user MARVIN\michael which seems to happen. Stripped-User-Name in
> this case is just "michael".
> I have not found any way to tell the peap-module to use the Stripped-
> User-Name (maybe I am just too dumb).

Again, the PEAP module MUST base its authentication (actually, the
rlm_eap_mschapv2 module) on the ORIGINAL Identity as sent by the
client.  This is used as part of the CHAP handshake.



> Trying to use hints gets me the same error I posted previously with my
> try with_ntdomain_hack (rlm_eap: Identity does not match User-Name,
> setting from EAP Identity.).

Don't use with_ntdomain_hack.


> I currently have no idea how to really strip off the domain from the
> username to make authentication work with unaltered current cvs
> freeradius-sources. (See my mail from January on how it is currently
> working here with with_ntdomain_hack and a small patch against eap.c.)

The real question here is which authorize methods are you using?  It
sounds to me like whatever authorize method you're using isn't finding
the entry for that user.  If you're using "files", then it should work.
If you're using SQL, LDAP, or some other data source to pull the user
information (such as the cleartext or NT-Password), make sure it's
searching for the user based on the Stripped-User-Name attribute and not
the User-Name attribute.


-- 

--Mike

-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
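The two points made in this reply (the MS-CHAPv2 handshake is computed over the identity the supplicant sent, while the authorize lookup should key on the Stripped-User-Name) can be shown in a few lines. The block below is an added illustration written for this page; it is not code from the thread, from Michael Gernoth's patch, or from FreeRADIUS itself. The `USER_STORE` dictionary, the `strip_realm` helper and the sample names are constructed for the example; `challenge_hash` follows the ChallengeHash() definition in RFC 2759 section 8.2 (SHA-1 over PeerChallenge, AuthenticatorChallenge and UserName, truncated to 8 octets), which is the value the NT-Response is later DES-keyed over, so any difference in the UserName string gives a different response.

```python
"""Added example (not from the thread or from FreeRADIUS): the user lookup
keys on the stripped name, but the MS-CHAPv2 challenge hash depends on the
exact UserName string, so server and supplicant must use the same form."""
import hashlib
import re

# Constructed sample user store, keyed by the bare username the way an
# administrator would store it in the users file / SQL / LDAP (assumed layout).
USER_STORE = {
    "michael": {"User-Password": "example-password"},  # constructed entry
}


def strip_realm(user_name: str):
    """Model of realm stripping (hypothetical helper): returns
    (stripped_user_name, realm).  Handles NT-style DOMAIN\\user and
    RFC-style user@realm; any other name comes back unchanged, realm None."""
    m = re.fullmatch(r"([^\\]+)\\(.+)", user_name)
    if m:
        return m.group(2), m.group(1)
    m = re.fullmatch(r"(.+)@([^@]+)", user_name)
    if m:
        return m.group(1), m.group(2)
    return user_name, None


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                   user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2:
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
    The NT-Response is DES-encrypted over this 8-octet value using the
    password hash as key material, so if the UserName differs between the
    supplicant and the server the responses cannot match."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("challenges are 16 octets each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def lookup_user(user_name: str):
    """The 'authorize' step: find stored credentials by Stripped-User-Name,
    falling back to the full User-Name (the same fallback the FreeRADIUS
    expansion %{Stripped-User-Name:-%{User-Name}} expresses)."""
    stripped, _realm = strip_realm(user_name)
    return USER_STORE.get(stripped) or USER_STORE.get(user_name)


def handshake_matches(supplicant_name: str, server_name: str,
                      peer_challenge: bytes, auth_challenge: bytes) -> bool:
    """True only when both sides hashed the identical UserName string."""
    return (challenge_hash(peer_challenge, auth_challenge, supplicant_name)
            == challenge_hash(peer_challenge, auth_challenge, server_name))


if __name__ == "__main__":
    # Constructed challenges; real ones are random per handshake.
    peer, auth = bytes(range(16)), bytes(range(16, 32))
    full = "MARVIN\\michael"
    stripped, realm = strip_realm(full)
    print("lookup by stripped name:", stripped, realm, lookup_user(full))
    print("same identity on both sides:",
          handshake_matches(full, full, peer, auth))
    print("server silently stripped the domain:",
          handshake_matches(full, stripped, peer, auth))
```

The lookup succeeds for `MARVIN\michael` because it is keyed on `michael`, while the last line prints `False`: a server that hashes a different UserName string than the supplicant did will never produce a matching NT-Response, which is the failure mode described in this reply.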
