On 03/23/2011 08:30 PM, Michael Lecuyer wrote:
The MSCHAPs include the given name when calculating the hashes. Stripping the domain will therefore not work. The client is using the domain\name in the hash and you're asking the server to use just the name.
Actually that's not true; the mschap "response" field is calculated with the bare username, excluding the domain. You *should* strip the domain when you pass it into ntlm_auth; but not by modifying the original username, as that makes EAP complain.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
