On 02/03/11 12:41, McNutt, Justin M. wrote:
Also, here is the 'mschap' section from a recent attempt.

I don't see anything. Did you forget an attachment?

Um... yeah.  I'm doing a couple of things at once.  Here it is.

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for host/dnps-caplap-4.col.missouri.edu with NT-Password
[mschap]        expand: %{Stripped-User-Name} ->
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
## NOTE THE NEXT THREE LINES:
[mschap]        expand: %{User-Name:-None} ->  host/dnps-caplap-4.col.missouri.edu

As expected - User-Name expands to itself.

[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->  --username=host/dnps-caplap-4.col.missouri.edu

That is not "%{mschap:User-Name}", i.e. it's misconfigured.

[mschap]        expand: --domain=%{mschap:NT-Domain} ->  --domain=col

Ah, yes. Now this I do remember. The %{mschap:NT-Domain} expansion assumes that in a host account of the form:

host/username.domain.com

...the old-style short domain is "domain". Of course, this falls apart if you have a disjoint DNS/AD namespace:

host/username.subdomain.domain.com

...or if your new-style DNS domain and old-style NT domain don't match:

host/username.mycompany.com vs. NT domain of "CORP" - mycompany != CORP

The only real solution in this case is to not use the %{mschap:NT-Domain} expansion - you can't, since there's not enough info to get the old-style short domain name in all cases.

So, in /etc/raddb/modules/mschap, set (don't include the line continuation \ I've added):

 ntlm_auth = "/path/to/ntlm_auth --request-nt-key \
  --username=%{mschap:User-Name} --domain=YOURDOMAIN \
  --challenge=... --nt-response=..."
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
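As an added illustration (not code from the thread and not FreeRADIUS's own source): a Python sketch that emulates the host/-name parsing the %{mschap:NT-Domain} expansion performs, as described above, runs it over the three User-Name shapes from the message plus the host/dnps-caplap-4.col.missouri.edu line from the debug output, and builds the --username/--domain pair the corrected ntlm_auth line would hand to Samba. The DOMAIN\user handling and the "hostname$" form of %{mschap:User-Name} are assumptions about the module, not something the message states; the "real" NT domain attached to each sample is constructed for the demonstration.

```python
# Added example; emulates the expansions discussed in the thread, it is not rlm_mschap code.

# Constructed samples: (User-Name as rlm_mschap sees it, the real old-style NT domain we
# pretend the site has). The NT domains are assumptions for the demonstration.
SAMPLES = [
    ("host/username.domain.com", "DOMAIN"),            # DNS label and NT domain agree
    ("host/username.subdomain.domain.com", "DOMAIN"),  # disjoint DNS/AD namespace
    ("host/username.mycompany.com", "CORP"),           # NT domain != DNS domain
]


def mschap_nt_domain(user_name):
    """Emulate %{mschap:NT-Domain} for the cases the thread covers.

    host/<host>.<label>.<...>  ->  <label>  (first DNS label after the hostname, as the
                                             thread describes; one label only -> None)
    DOMAIN\\user               ->  DOMAIN   (assumed behaviour; not shown in the thread)
    anything else              ->  None
    """
    if user_name.startswith("host/"):
        labels = user_name[len("host/"):].split(".")
        return labels[1] if len(labels) > 1 else None
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    return None


def mschap_user_name(user_name):
    """Emulate %{mschap:User-Name}: the account name ntlm_auth should be given.

    For a host/ principal we return the machine account, i.e. the bare hostname with a
    trailing '$' (SAM form of a computer account). That conversion is an assumption here.
    For DOMAIN\\user we return user; anything else is passed through unchanged.
    """
    if user_name.startswith("host/"):
        hostname = user_name[len("host/"):].split(".", 1)[0]
        return hostname + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def derived_domain_is_right(user_name, real_nt_domain):
    """True only when guessing the NT domain from the FQDN happens to land on the
    real short domain name; NetBIOS domain names are case-insensitive."""
    guess = mschap_nt_domain(user_name)
    return guess is not None and guess.casefold() == real_nt_domain.casefold()


def ntlm_auth_args(user_name, nt_domain):
    """The --username/--domain pair the corrected module config produces: account name
    from %{mschap:User-Name}, domain hard-coded by the administrator instead of guessed."""
    return ["--username=" + mschap_user_name(user_name), "--domain=" + nt_domain]


def report(samples=SAMPLES):
    """For each sample: what the guess yields, whether it is right, and the fixed args."""
    return [
        (user_name, mschap_nt_domain(user_name),
         derived_domain_is_right(user_name, real_domain),
         ntlm_auth_args(user_name, real_domain))
        for user_name, real_domain in samples
    ]


if __name__ == "__main__":
    # The name from the debug log above derives "col", matching "--domain=col".
    print("%{mschap:NT-Domain} for the logged host ->",
          mschap_nt_domain("host/dnps-caplap-4.col.missouri.edu"))
    for user_name, guess, ok, fixed in report():
        print(f"{user_name}: guessed domain {guess!r} "
              f"({'ok' if ok else 'WRONG'}); corrected: {' '.join(fixed)}")
```

Only the first sample shape survives the guess; the other two show why the message recommends hard-coding --domain and using %{mschap:User-Name} for the account.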