michaeltone1975 <[EMAIL PROTECTED]> wrote:
> using the 'nt_domain_hack = yes' results in successful ldap
> authentication, however it causes eap/peap to fail.

Microsoft's PEAP client can put the NT domain into the User-Name, but *not* include it in the MS-CHAP calculation. Normal MS-CHAP includes *all* of the User-Name in its calculation of the MS-CHAP-Response, and doesn't lie to the server.

The problem also is that there are now multiple "ntdomain_hack" settings in the server. You haven't said which one you used.

What you CAN do is avoid the whole issue by not referring to the User-Name attribute. Instead, use %{mschap:User-Name}. The MSCHAP module will print the user's name (if there's no NT domain), or if there is an NT domain in the User-Name, will ignore it, and print just the plain name.

Alan DeKok.
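
An added illustration, not part of the message above and not FreeRADIUS code: the MS-CHAPv2 ChallengeHash (RFC 2759, section 8.2) covers the user name, so a server that hashes the domain-qualified User-Name disagrees with a client that hashed only the plain name. The helpers `mschap_user_name` and `server_agrees`, the challenges and the account names are constructed for this sketch; `mschap_user_name` only imitates the stripping described for %{mschap:User-Name}.

```python
import hashlib

# Constructed 16-byte challenges; real ones are random per authentication.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))


def mschap_user_name(user_name: str) -> str:
    """Hypothetical helper: return the plain name, dropping an NT domain
    prefix ("DOMAIN\\user") when one is present."""
    _domain, sep, plain = user_name.partition("\\")
    return plain if sep else user_name


def challenge_hash(peer: bytes, auth: bytes, name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("challenges must be 16 bytes each")
    return hashlib.sha1(peer + auth + name.encode("ascii")).digest()[:8]


def server_agrees(radius_user_name: str, server_name: str) -> bool:
    """Compare the server's ChallengeHash with that of a client which sent
    radius_user_name in User-Name but hashed only the plain name.
    The NT-Response is derived from this hash, so a mismatch here means
    the MS-CHAP-Response check fails even with the right password."""
    client = challenge_hash(PEER, AUTH, mschap_user_name(radius_user_name))
    server = challenge_hash(PEER, AUTH, server_name)
    return client == server


if __name__ == "__main__":
    sent = "EXAMPLE\\alice"  # constructed User-Name carrying an NT domain
    print("server hashes raw User-Name:  ", server_agrees(sent, sent))
    print("server hashes stripped name:  ",
          server_agrees(sent, mschap_user_name(sent)))
    print("no domain in User-Name at all:", server_agrees("alice", "alice"))
```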