I do not rewrite the User-Name attribute; I rewrite only the Stripped-User-Name attribute, with these:

    attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor = ""
        searchin = packet
        replacewith = "%{User-Name}"
    }

    attr_rewrite remove-domain-name {
        attribute = Stripped-User-Name
        searchfor = "(\.nw2\.test\.local)"
        searchin = packet
        new_attribute = no
        replacewith = ""
    }

    attr_rewrite add-dollar-sign {
        attribute = Stripped-User-Name
        searchfor = "^(host/.*)"
        searchin = packet
        new_attribute = no
        replacewith = "%{1}$"
    }

    attr_rewrite strip-realm-name {
        attribute = Stripped-User-Name
        new_attribute = no
        searchin = packet
        searchfor = "^(.*[\\/]+)"
        replacewith = ""
        max_matches = 1
    }

This is where I use Stripped-User-Name:

    freeradius:/etc/raddb # grep -ir Stripped-User-Name * | grep -v \#
    modules/attr_rewrite: attribute = Stripped-User-Name
    modules/attr_rewrite: attribute = Stripped-User-Name
    modules/attr_rewrite: attribute = Stripped-User-Name
    modules/attr_rewrite: attribute = Stripped-User-Name
    modules/ldap: filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

The User-Name attribute is untouched.

    [mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2

As I mentioned before, the host name (CAD08862) is not a domain name; it's a computer account name. I tried with_ntdomain_hack, no luck.

    freeradius:/etc/raddb # grep -ir with_ntdomain_hack * | grep -v \#
    modules/preprocess: with_ntdomain_hack = no
    modules/mschap: with_ntdomain_hack = yes

Windows XP debug: http://www.cspi.qc.ca/sinfrmc/windowsxp.htm
Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm

On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
> The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one
> problem with Windows XP clients, I get a " [mschap] ERROR: User-Name
> (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
> EAP-MSCHAPv2". Users log on locally, the host name is not a domain name.
> Windows 7 clients work fine because they send only the username. I do
> some rewrites so I can get the username for the LDAP authentication and
> the computer's name for computer account authentication (I'm not familiar
> with unlang yet). We use FR 2.1.10.
>
> Any idea how to fix this?
>

You CANNOT rewrite the User-Name attribute, or you will have this problem.

If you want to manipulate the username, you must do so in a separate attribute, like so:

    if (User-Name =~ /^(.+)\\(.+)/) {
        update request {
            Stripped-User-Name := "%{2}"
        }
    }

An easier alternative is to not mangle the username at all, and instead update any string expansions to use:

    %{mschap:User-Name}

...including your LDAP filters. This will "just work".

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
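
Added example, not part of the original thread and not FreeRADIUS code: a Python approximation of the attr_rewrite chain and of the unlang regex quoted above, to check offline what Stripped-User-Name and the LDAP uid become for each style of name while User-Name itself is left alone. It assumes the rules run in the order listed and that Python's `re` matches these patterns the way the server's regex library does; the sample names are constructed from the ones in the thread.

```python
import re

# The three rewrite rules that follow copy.user-name in the message, in the
# order listed there (assumed to be the order they run in).
# Each entry: (rule name, regex, replacement, max_matches or None if not set).
RULES = [
    ("remove-domain-name", r"\.nw2\.test\.local", "", None),
    ("add-dollar-sign", r"^(host/.*)", lambda m: m.group(1) + "$", None),
    ("strip-realm-name", r"^(.*[\\/]+)", "", 1),
]

def attr_rewrite_chain(user_name):
    """Return Stripped-User-Name as the rule chain would derive it."""
    stripped = user_name  # copy.user-name: new attribute seeded from User-Name
    for _name, pattern, repl, max_matches in RULES:
        # count=0 means "no limit" in re.sub; used where the page sets none.
        stripped = re.sub(pattern, repl, stripped, count=max_matches or 0)
    return stripped

def unlang_strip(user_name):
    r"""The reply's unlang test: capture group 2 of /^(.+)\\(.+)/."""
    m = re.match(r"^(.+)\\(.+)", user_name)
    return m.group(2) if m else None  # None: Stripped-User-Name is never set

def ldap_uid(user_name, stripped):
    """Value seen by the filter (uid=%{%{Stripped-User-Name}:-%{User-Name}})."""
    return stripped if stripped else user_name

# Constructed sample names: XP style, Windows 7 style, computer account.
SAMPLES = [r"CAD08862\ldapuser", "ldapuser", "host/pc1.nw2.test.local"]

if __name__ == "__main__":
    for name in SAMPLES:
        chain = attr_rewrite_chain(name)
        unlang = unlang_strip(name)
        print(f"User-Name={name!r}")
        print(f"  attr_rewrite chain -> uid={ldap_uid(name, chain)!r}")
        print(f"  unlang regex       -> uid={ldap_uid(name, unlang)!r}")
```

The unlang regex only handles the backslash form, so a computer account name such as host/pc1.nw2.test.local falls through to the unmodified User-Name in the LDAP filter, whereas the attr_rewrite chain turns it into pc1$.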