The MSCHAPs include the given name when calculating the hashes. Stripping the domain will therefore not work. The client is using the domain\name in the hash and you're asking the server to use just the name.

On 3/23/2011 15:08 PM, Thomas Wunder wrote:
Hi,
I'm currently trying to configure my Win7 clients to do wired 802.1X authentication using 
the credentials a user provides at the login screen. Wired 802.1X auth itself works fine 
but as soon as I have it use the logon credentials (using the "Automatically use my 
Windows logon name and password (and domain if any).") Windows sends User-Names like 
'computername\\username'. That's normal so far I think.
To get the rlm_ldap related stuff working I simply changed my filter and groupmembership_filter 
settings in modules/ldap to be "[...]uid=%{mschap:User-Name:-%{User-Name}}[...]" instead 
of "[...]uid=%{%{Stripped-User-Name}:-%{User-Name}}[...]" and that works well.

But when it comes to MSCHAP authentication I've got a problem:
I get errors like
"[mschap] ERROR: User-Name (testpc\tom1) is not the same as MS-CHAP Name (tom1) from 
EAP-MSCHAPv2"
(...which sounds consequent). I've tried to solve that problem by changing 
"with_ntdomain_hack = yes" (I know you recommend against that) without any luck:
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [tom1] (from client swtswitch01 port 0 via TLS tunnel)

Somewhere I've read that in such a case one should use the realms concept but I 
can't seem to get it working. There's an entry like
realm ntdomain {
         format = prefix
         delimiter = "\\"
}
in the modules/realm but what else do I need?


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
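As an added illustration of the point made in the reply above (this is not code from the thread or from FreeRADIUS): the RFC 2759 ChallengeHash() that the MS-CHAPv2 NT-Response is computed over mixes the user name string into SHA-1, so the server can only verify the response if it recomputes the hash with exactly the name string the client hashed. The challenge bytes below are constructed sample values; the names "testpc\tom1" and "tom1" are taken from the question.

```python
import hashlib

# Constructed sample challenges (not from the thread): 16 bytes each, as
# exchanged in an EAP-MSCHAPv2 handshake.
PEER_CHALLENGE = bytes.fromhex("21402324255e262a28295f2b3a337c7e")
AUTHENTICATOR_CHALLENGE = bytes.fromhex("5b5d7c7d7e7f7e7d7c5d5b5b5d7c7d7e")


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash(): the 8-byte challenge that the
    NT-Response is then DES-encrypted over. The user name string is part of
    the SHA-1 input, so a different name string gives a different challenge
    and therefore a different NT-Response."""
    sha1 = hashlib.sha1()
    sha1.update(peer_challenge)
    sha1.update(authenticator_challenge)
    sha1.update(username.encode("ascii"))  # assumption: plain ASCII names
    return sha1.digest()[:8]


def strip_ntdomain(username: str) -> str:
    """Drop a 'DOMAIN\\' prefix, as a prefix realm or with_ntdomain_hack does."""
    return username.split("\\", 1)[1] if "\\" in username else username


def server_check_succeeds(name_client_hashed: str, name_server_uses: str) -> bool:
    """The server recomputes ChallengeHash with the name it believes the client
    used; the NT-Response can only verify if both sides hashed the same string."""
    expected = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, name_client_hashed)
    recomputed = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, name_server_uses)
    return expected == recomputed


if __name__ == "__main__":
    full = "testpc\\tom1"
    short = strip_ntdomain(full)
    print("client hashed", repr(full), "server strips to", repr(short),
          "-> verifies:", server_check_succeeds(full, short))
    print("both sides use", repr(full),
          "-> verifies:", server_check_succeeds(full, full))
```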
