We're currently running 2.1.10. I seemed to notice that the "Out of the Box Config" does not seem to actually create a Stripped-User-Name and Realm. I did find that when I created a "real" realm in the proxy.conf file, then a Stripped-User-Name and Realm were available. So, I thought that if I really wanted ALL usernames "stripped" into their component parts, I would just change the example.com realm in the proxy.conf file to be "DEFAULT"? This then seemed to send the request into some sort of endless loop?
Thanks, Robert

________________________________________
From: freeradius-users-bounces+robert.roll=utah....@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah....@lists.freeradius.org] On Behalf Of Nolan King [nk...@mnwd.com]
Sent: Friday, March 25, 2011 10:35 AM
To: freeradius list
Subject: Re: Strip off the domain part from the User-Name

freeradius 2.1.8: My environment uses ntlm_auth and ldap modules.

In the mschap module, I have a line like:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-re$

Also, in ldap:

filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"

No edits to default or inner-tunnel (other than to uncomment the ntlm_auth and mschap lines).

I use this method to auth users connecting to wireless APs with xp, ios, linux, and win7 machines. I want users to be forced to enter their password to connect, so the clients are configured not to use the domain\username, just username and pw. Set up this way, a client sending username in domain\username form will be rejected. I am not sure this is "right", but it allows me to use mschap auth with several different types of clients, and control access with an ldap group without worrying about the domain\user nonsense. Of course, I only have a single domain which simplifies things.

Nolan

>>> On 3/25/2011 at 7:41 AM, in message <201103251541.07053.thomas.wun...@swt-bamberg.de>, Thomas Wunder <thomas.wun...@swt-bamberg.de> wrote:
> On Friday 25 March 2011 11:15:58 you wrote:
>> Use %{mschap:User-Name} everywhere; this will give the bare username
> That sounds consequent but what exactly do you mean by "everywhere"?
> I use the policy.conf (as you can see by the debug output from my previous
> posting) to define some policies that are later on used within the 'authorize
> {...}' groups of sites-available/default and sites-available/inner-tunnel. I
> don't utilize rlm_files any more but I use rlm_ldap to retrieve user/group
> information from my LDAP-server. The only place where I consciously reference
> any User-Name attribute is the modules/ldap and there I already do as you
> suggest (see attachment).
>
> Where else do I need to explicitly specify '%{mschap:User-Name}' to have
> rlm_mschap accept user names that incorporate an NT-domain name (i.e. to have
> rlm_mschap ignore the domain component of the user name)?
>
> My modules/mschap config file is pretty lucid at present:
> mschap {
>     use_mppe = yes
>     require_encryption = yes
>     require_strong = yes
>     with_ntdomain_hack = no
> }
>
> And what about the realms approach? Can I save the trouble?
>> (and also correctly translate host/name.domain.com, if you later do
>> machine auth)
>
> Thanks!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
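The thread turns on three things: when rlm_realm populates Stripped-User-Name and Realm (only when a matching realm block exists, or a DEFAULT one does), how the "%{Stripped-User-Name:-%{User-Name}}" default expansion in Nolan's ntlm_auth and ldap lines falls back, and what the %{mschap:User-Name} xlat that Thomas was pointed at produces. The following is an added example, not code from FreeRADIUS or from anyone in this thread: a small Python model of those three behaviours. It assumes a prefix ("ntdomain"-style, DOMAIN\user) and a suffix ("suffix"-style, user@realm) realm instance run in that order, models the proxy.conf realm blocks as a set of names, and models the mschap xlat's host/ handling as "hostname before the first dot plus $"; the sample user names are constructed.

```python
# Added example (model only, not FreeRADIUS source): realm splitting,
# the ":-" default expansion, and the %{mschap:User-Name} xlat.

REALM_INSTANCES = [
    ("prefix", "\\"),   # like the "ntdomain" instance: DOMAIN\user
    ("suffix", "@"),    # like the "suffix" instance: user@realm
]


def split_realm(user_name, fmt, delimiter):
    """Model of one rlm_realm instance. Returns (user, realm) or None
    when the delimiter is absent from User-Name."""
    if delimiter not in user_name:
        return None
    if fmt == "suffix":
        user, _, realm = user_name.rpartition(delimiter)
    elif fmt == "prefix":
        realm, _, user = user_name.partition(delimiter)
    else:
        raise ValueError("format must be prefix or suffix")
    return user, realm


def authorize(user_name, known_realms):
    """Run the realm instances in order. The first one that finds a
    configured realm (or falls through to a DEFAULT block) sets
    Stripped-User-Name and Realm. An unconfigured realm sets nothing,
    which is what Robert saw with the stock config."""
    attrs = {"User-Name": user_name}
    for fmt, delimiter in REALM_INSTANCES:
        result = split_realm(user_name, fmt, delimiter)
        if result is None:
            continue
        stripped, realm = result
        if realm in known_realms:
            matched = realm
        elif "DEFAULT" in known_realms:
            matched = "DEFAULT"
        else:
            continue  # unknown realm: the module is a noop for this name
        attrs["Stripped-User-Name"] = stripped
        attrs["Realm"] = matched  # model: Realm carries the matched block's name
        break
    return attrs


def xlat_user(attrs):
    """%{Stripped-User-Name:-%{User-Name}}: the stripped name if the realm
    module set it, otherwise the raw User-Name (backslash and all)."""
    return attrs.get("Stripped-User-Name", attrs["User-Name"])


def mschap_user_name(user_name):
    """Model of %{mschap:User-Name}: drop a DOMAIN\\ prefix, and turn a
    host/name.domain.com machine-auth name into the NAME$ account form."""
    if user_name.startswith("host/"):
        host = user_name[len("host/"):].split(".", 1)[0]
        return host + "$"
    return user_name.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    samples = ["alice", "alice@example.com", "EXAMPLE\\bob", "host/pc01.example.com"]
    for name in samples:
        for realms in ({"example.com"}, {"DEFAULT"}):
            attrs = authorize(name, realms)
            print(f"{name!r:26} realms={sorted(realms)!s:17} -> "
                  f"ntlm/ldap user={xlat_user(attrs)!r}, "
                  f"mschap xlat={mschap_user_name(name)!r}")
```

Running it shows the point of Nolan's setup: with only example.com configured, a DOMAIN\user login never gets a Stripped-User-Name, so the ldap filter expands to the full "EXAMPLE\bob" string and the lookup fails, while a DEFAULT realm strips every delimited name regardless of domain.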