> "Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> > 1. Keeping in mind that user1 in domain1 can auth as long as domain1
> > isn't supplied why does supplying domain1 cause the auth to fail?
>
> Because the MS client does the MS-CHAP calculations using
> the username without the domain, but supplies the username to
> the RADIUS server WITH the domain.
>
> See the list archives for more explanations.

Ok, but isn't the "with_ntdomain_hack = yes" directive in the radiusd.conf
file supposed to correct this behavior?

        # Windows sends us a username in the form of
        # DOMAIN\user, but sends the challenge response
        # based on only the user portion. This hack
        # corrects for that incorrect behavior.

> > 2. What does preprocess do with realm it strips off? I'd like to be
> > able to pass the realm as a --domain option to ntlm_auth.
>
> Read the debug log. It adds it as an attribute.

Ah yes, I see that now. New attribute is called Realm so the line in
radiusd.conf is now:

        ntlm_auth = "/usr/bin/ntlm_auth --domain=%{Realm} --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

So now my args for ntlm_auth are right, but I think something is up with
mschap still. When the Challenge or Response message is generated is it
still trying to use domain/user as the username?

> > 3. Why does PEAP think the username is still domain/user? I see the
> > following in the logs while running "radius -X -A"
> >
> > PEAP: Setting User-Name to UMC-USERS\dourtyb
>
> Because that's the name in the EAP identity packet. Read
> the debug log, it says this.
>
> > Should it be using Stripped-User-Name instead?
>
> No.

I'm confused on this point. When PEAP identity is set to username my
auths work. When the PEAP identity is of the form domain/user MSCHAP
fails.

Am I wrong in thinking that with the correct configuration Freeradius
will allow me to have users from all trusted domains use the MSCHAP
module for 802.1x auth? Where am I going wrong?

Thanks!

Brian Dourty
IAT Services
University of Columbia - Missouri

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
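
The username mismatch discussed in this message, as an added example that is not part of the original thread or of FreeRADIUS. It assumes the PEAP inner method is MS-CHAPv2, where RFC 2759 mixes the username into the 8-byte challenge that the NT-Response is computed over. The challenge bytes are constructed sample values, and strip_nt_domain() and server_derives_same_challenge() are hypothetical helpers that only model what the with_ntdomain_hack comment describes.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def strip_nt_domain(username: str) -> str:
    """Hypothetical helper: drop a leading 'DOMAIN\\' prefix, as the
    with_ntdomain_hack comment describes. Names without '\\' pass through."""
    return username.rsplit("\\", 1)[-1]


def server_derives_same_challenge(peer: bytes, auth: bytes, name_on_wire: str,
                                  client_hash: bytes, ntdomain_hack: bool) -> bool:
    """Model of the server side: recompute the challenge hash from the name
    it received and compare it with the one the client actually used.
    If they differ, the expected NT-Response differs too and auth fails."""
    name = strip_nt_domain(name_on_wire) if ntdomain_hack else name_on_wire
    return challenge_hash(peer, auth, name) == client_hash


# Constructed sample challenges (not captured traffic).
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))

# Identity as it appears in the debug line quoted in the message.
WIRE_NAME = "UMC-USERS\\dourtyb"

# Per the reply above, the client hashes only the user portion.
CLIENT_HASH = challenge_hash(PEER, AUTH, strip_nt_domain(WIRE_NAME))

if __name__ == "__main__":
    for hack in (False, True):
        ok = server_derives_same_challenge(PEER, AUTH, WIRE_NAME, CLIENT_HASH, hack)
        print(f"domain stripped before hashing={hack}: challenge matches={ok}")
```

Run against a real debug log, the useful comparison is between the name in the EAP identity and the name actually fed into the challenge calculation.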