I patched the rlm_mschap.c file (attached). I pulled code from rlm_preprocess.c that handles the with_ntdomain_hack and modified it to work. The user_name argument being passed to the challenge_hash() function now honors the with_ntdomain_hack, but my problem still exists. :-( Back to the drawing board.

Brian D.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Monday, May 03, 2004 1:07 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....
>
> "Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]> wrote:
> > To clarify things here, the --domain and --username arguments are
> > right, but the --challenge argument is incorrect.
>
> Ah, OK.
>
> > The username being used in this function still contains the DOMAIN!
> > This is what is keeping the auth from working. I've added debug
> > statements to my code. It's using the domain/user. This won't work.
>
> Then the "with_ntdomain_hack" should be set...
>
> > I can't change the client. I can change freeradius. The client
> > presents freeradius with a domain/username. We all know that is the case.
>
> Yes, that's a problem. The client is *lying* to FreeRADIUS.
>
> > The challenge and nt-response are both hashes based in part on the
> > username. The username that freeradius uses when it generates these
> > hashes is the full username, not the stripped username. This is what
> > is causing my problem.
> >
> > Now, the question is how to go about fixing the problem.
> > Theoretically, using "with_ntdomain_hack" should help.
>
> Hmm... the code you pointed out does appear to ignore
> "with_ntdomain_hack". I'll fix that. See tomorrow's CVS snapshot.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Attachment: with_ntdomain_hack.patch
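
The dependency discussed in this thread, as an added example that is not part of the original message or of the FreeRADIUS source: the MS-CHAPv2 ChallengeHash from RFC 2759 is computed over the username, so hashing the domain-qualified name yields a different 8-octet challenge than hashing the bare name. The function names, the `EXAMPLE` domain and the backslash separator are assumptions made for illustration; the challenge values are the RFC 2759 test values.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || authenticator || user)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    material = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(material).digest()[:8]


def strip_nt_domain(user_name: str) -> str:
    """Hypothetical helper: drop a leading 'DOMAIN\\' prefix (assumed separator)."""
    _, sep, bare = user_name.partition("\\")
    return bare if sep else user_name


def challenge_for_ntlm_auth(peer: bytes, auth: bytes, radius_user_name: str,
                            with_ntdomain_hack: bool) -> bytes:
    """Value a server would hand to a --challenge argument (illustrative only)."""
    name = strip_nt_domain(radius_user_name) if with_ntdomain_hack else radius_user_name
    return challenge_hash(peer, auth, name)


# Challenge values from the RFC 2759 test vectors; the domain prefix is constructed.
PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RADIUS_USER_NAME = "EXAMPLE\\User"  # what the client presents, per the thread

if __name__ == "__main__":
    full = challenge_for_ntlm_auth(PEER, AUTH, RADIUS_USER_NAME, with_ntdomain_hack=False)
    bare = challenge_for_ntlm_auth(PEER, AUTH, RADIUS_USER_NAME, with_ntdomain_hack=True)
    print("hash over full name :", full.hex())
    print("hash over bare name :", bare.hex())
    print("match:", full == bare)
```
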