Graham Marsh wrote:
Hi
Have set up freeradius on a SLES10SP1 box in order to do 802.1X
authentication. All is fine if the client submits a request using just
the user name e.g. test05 in the case below:
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: Told to do MS-CHAPv2 for test05 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 6
modcall: leaving group MS-CHAP (returns ok) for request 6
MSCHAP Success
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
However, if the user submits a request with the domain name appended
such as @xyz.edu.hk, then the request fails at the same point in the
process as shown:
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
Found Post-Auth-Type
Processing the post-auth section of radiusd.conf
modcall: entering group REJECT for request 6
I defined the domain suffix in the proxy conf file and set it to LOCAL
because the local server should process the requests no matter whether
the suffix is there or not.
I also tried rewriting the User-Name attribute to remove the suffix
(which is already done by Stripped-User-Name) but that caused another
problem.
You will need to strip it; what "other" problem did it cause?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html