Oh, and as a side note, you need to be using today's snapshot. There was a fix in the rlm_mschap module on Jan 27th that fixed it trying to use the Stripped-User-Name attribute when there was one. Then, there was a typo fix yesterday. Compile today's snapshot and see if it starts working for you.
--Mike

On Tue, 2004-02-03 at 15:21, Michael Griego wrote:
> On Tue, 2004-02-03 at 14:50, Michael Gernoth wrote:
> > I think the peap-module needs to use the username without the domain
> > for authentication.
>
> Not true... The PEAP module (Especially if you're using EAP-MSCHAPv2 as
> the inner EAP method) MUST use the full Identity/UserName as sent by the
> supplicant. If it doesn't, then the MSCHAP handshake will fail as the
> usernames won't match (see many discussions on this list about problems
> with MS-CHAP and stripped-user-name versus original user-name)
>
> > Trying to define a (local) Realm for my domain works a bit, but the
> > PEAP-Module still uses the User-Name Attribute and not the
> > Stripped-User-Name, so authentication fails there again. (With the
> > same errors you have)
> > I need to authenticate the user michael against the stored PW and not
> > the user MARVIN\michael which seems to happen. Stripped-User-Name in
> > this case is just "michael".
> > I have not found any way to tell the peap-module to use the
> > Stripped-Username (maybe I am just too dumb).
>
> Again, the PEAP module MUST base its authentication (actually, the
> rlm_eap_mschapv2 module) on the ORIGINAL Identity as sent by the
> client. This is used as part of the CHAP handshake.
>
> > Trying to use hints gets me the same error I posted previously with my
> > try with_ntdomain_hack (rlm_eap: Identity does not match User-Name,
> > setting from EAP Identity.).
>
> Don't use with_ntdomain_hack.
>
> > I currently have no idea how to really strip off the domain from the
> > username to make authentication work with unaltered current cvs
> > freeradius-sources. (See my mail from january how it is currently
> > working here with_ntdomain_hack and a small patch against eap.c)
>
> The real question here is which authorize methods are you using? It
> sounds to me like whatever authorize method you're using isn't finding
> the entry for that user. If you're using "files", then it should work.
> If you're using SQL, LDAP, or some other data source to pull the user
> information (such as the cleartext or NT-Password), make sure it's
> searching for the user based on the Stripped-User-Name attribute and not
> the User-Name attribute.

--
--Mike
-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html