michaeltone1975 <[EMAIL PROTECTED]> wrote:
> using the 'nt_domain_hack = yes' results in successful ldap
> authentication, however it causes eap/peap to fail.

Microsoft's PEAP client can put the NT domain into the User-Name,
but *not* include it in the MS-CHAP calculation. Normal MS-CHAP
includes *all* of the User-Name in its calculation of the
MS-CHAP-Response, and doesn't lie to the server.

The problem also is that there are now multiple "ntdomain_hack"
settings in the server. You haven't said which one you used.

What you CAN do is avoid the whole issue by not referring to the
User-Name attribute. Instead, use %{mschap:User-Name}. The MSCHAP
module will print the user's name (if there's no NT domain), or if
there is an NT domain in the User-Name, will ignore it, and print just
the plain name.

Alan DeKok.
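
The mismatch described in this reply, as an added example that is not part of the original post and is not FreeRADIUS code: it models only the ChallengeHash step of MS-CHAPv2 (RFC 2759), whose output is what the NT-Response is computed over. The function names, the challenges and the `EXAMPLE\alice` account are constructed for illustration.

```python
import hashlib


def strip_nt_domain(user_name: str) -> str:
    """Return the account name without a leading 'DOMAIN\\' prefix, if any."""
    _, sep, account = user_name.partition("\\")
    return account if sep else user_name


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || authenticator || name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    data = peer_challenge + auth_challenge + name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def server_matches_client(radius_user_name: str, name_used_by_server: str,
                          peer_challenge: bytes, auth_challenge: bytes) -> bool:
    """Compare the hash a domain-dropping client computes with the server's.

    The client sends DOMAIN\\user in User-Name but hashes only the bare
    account name, which is the behaviour the post attributes to the PEAP client.
    """
    client = challenge_hash(peer_challenge, auth_challenge,
                            strip_nt_domain(radius_user_name))
    server = challenge_hash(peer_challenge, auth_challenge, name_used_by_server)
    # A different 8-byte hash means a different NT-Response, so the
    # authentication fails even though the password is correct.
    return client == server


# Constructed sample values, not taken from any real exchange.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
USER_NAME = "EXAMPLE\\alice"

if __name__ == "__main__":
    # Server hashes the raw User-Name: mismatch.
    print("raw User-Name:     ", server_matches_client(USER_NAME, USER_NAME, PEER, AUTH))
    # Server hashes the domain-stripped name: match.
    print("domain stripped:   ",
          server_matches_client(USER_NAME, strip_nt_domain(USER_NAME), PEER, AUTH))
```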