> "Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> > 1. Keeping in mind that user1 in domain1 can auth as long as domain1
> > isn't supplied, why does supplying domain1 cause the auth to fail?
> 
>   Because the MS client does the MS-CHAP calculations using 
> the username without the domain, but supplies the username to 
> the RADIUS server WITH the domain.
> 
>   See the list archives for more explanations.

Ok, but isn't the "with_ntdomain_hack = yes" directive in the
radiusd.conf file supposed to correct this behavior?

                # Windows sends us a username in the form of
                # DOMAIN\user, but sends the challenge response
                # based on only the user portion.  This hack
                # corrects for that incorrect behavior.

> 
> > 2. What does preprocess do with the realm it strips off? I'd like to be 
> > able to pass the realm as a --domain option to ntlm_auth.
> 
>   Read the debug log.  It adds it as an attribute.

Ah yes, I see that now. New attribute is called Realm so the line in
radiusd.conf is now:
        
ntlm_auth = "/usr/bin/ntlm_auth --domain=%{Realm} --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

So now my args for ntlm_auth are right, but I think something is up with
mschap still. When the Challenge or Response message is generated, is it
still trying to use domain/user as the username?
        
> 
> > 3. Why does PEAP think the username is still domain/user? I see the 
> > following in the logs while running "radius -X -A"
> > 
> >   PEAP: Setting User-Name to UMC-USERS\dourtyb
> 
>   Because that's the name in the EAP identity packet.  Read 
> the debug log, it says this.
> 
> >   Should it be using Stripped-User-Name instead?
> 
>   No.

I'm confused on this point. When PEAP identity is set to username my
auths work. When the PEAP identity is of the form domain/user MSCHAP
fails. 

Am I wrong in thinking that with the correct configuration FreeRADIUS
will allow me to have users from all trusted domains use the MSCHAP
module for 802.1X auth? Where am I going wrong?

Thanks!

Brian Dourty
IAT Services
University of Columbia - Missouri

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
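To make the point in the reply above concrete (the client computes its MS-CHAP response from the bare user name while the RADIUS packet carries "DOMAIN\user"), here is an added illustration that is not FreeRADIUS code and not from anyone in this thread. It computes the MS-CHAPv2 ChallengeHash (RFC 2759 section 8.2), the only step of the response derivation that depends on the user name, with and without the domain prefix; the MD4/DES NT-Response step is left out, and the two 16-byte challenges are constructed sample values.

```python
import hashlib

# Constructed sample challenges (not captured from a real exchange).
SAMPLE_PEER = bytes(range(16))        # PeerChallenge from the client
SAMPLE_AUTH = bytes(range(16, 32))    # AuthenticatorChallenge from the server


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """MS-CHAPv2 ChallengeHash: first 8 octets of SHA1(Peer || Auth || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(auth_challenge)
    sha.update(username.encode("ascii"))
    return sha.digest()[:8]


def split_ntdomain(user_name: str):
    """Split 'DOMAIN\\user' into (realm, user), mirroring what the
    with_ntdomain_hack comment in radiusd.conf describes. A name with no
    backslash has no realm and is returned unchanged."""
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name
    return domain, user


def server_challenge_matches_client(user_name: str, peer: bytes, auth: bytes,
                                    strip_domain: bool) -> bool:
    """True when the server derives the same 8-byte challenge as the client.
    The client side is modelled on the thread's description of Windows:
    it always hashes only the user portion. The server hashes the full
    User-Name unless strip_domain is set (the hack's behaviour)."""
    _, bare_user = split_ntdomain(user_name)
    client_side = challenge_hash(peer, auth, bare_user)
    server_name = bare_user if strip_domain else user_name
    server_side = challenge_hash(peer, auth, server_name)
    return client_side == server_side


if __name__ == "__main__":
    # User-Name as seen in the PEAP debug output in this thread.
    for name in ("UMC-USERS\\dourtyb", "dourtyb"):
        for strip in (False, True):
            ok = server_challenge_matches_client(name, SAMPLE_PEER, SAMPLE_AUTH, strip)
            print(f"{name!r:22} strip_domain={strip!s:5} match={ok}")
```

With the domain present and no stripping the challenge hashes differ, so the NT-Response built from them can never verify; stripping the domain (or sending the bare user name, as observed in the thread) makes both sides agree.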