If the User-Name is being rewritten, it is not intentional. Now I have reinstalled from scratch, saved the default configuration, joined the server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and inner-tunnel, and ran diff. I can see in the debug output of the server that User-Name = "CAD08862\\ldapuser", but I don't know what I am doing wrong.
http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm

freeradius:/etc # diff -qr raddb raddefault Files raddb/clients.conf and raddefault/clients.conf differ Files raddb/modules/attr_rewrite and raddefault/modules/attr_rewrite differ Files raddb/modules/ldap and raddefault/modules/ldap differ Files raddb/modules/mschap and raddefault/modules/mschap differ Files raddb/sites-available/inner-tunnel and raddefault/sites-available/inner-tunnel differ Files raddb/sites-enabled/inner-tunnel and raddefault/sites-enabled/inner-tunnel differ ---------------------------------------------------------------------------- ----------------- freeradius:/etc # diff raddb/clients.conf raddefault/clients.conf 206,209d205 < client 10.0.0.0/8 { < secret = testing123 < shortname = net1 < } ---------------------------------------------------------------------------- ---------------- freeradius:/etc # diff raddb/modules/attr_rewrite raddefault/modules/attr_rewrite 32,65d31 < < attr_rewrite copy.user-name { < attribute = Stripped-User-Name < new_attribute = yes < searchfor = "" < searchin = packet < replacewith = "%{User-Name}" < } < < attr_rewrite remove-domain-name { < attribute = Stripped-User-Name < searchfor = "(\.test\.local)" < searchin = packet < new_attribute = no < replacewith = "" < } < < attr_rewrite add-dollar-sign { < attribute = Stripped-User-Name < searchfor = "^(host/.*)" < searchin = packet < new_attribute = no < replacewith = "%{1}$" < } < < attr_rewrite strip-realm-name { < attribute = Stripped-User-Name < new_attribute = no < searchin = packet < searchfor = "^(.*[\\/]+)" < replacewith = "" < max_matches = 1 < } < ---------------------------------------------------------------------------- -------------- freeradius:/etc # diff raddb/modules/ldap raddefault/modules/ldap 33,36c33,36 < server = "10.220.7.7" < identity = "cn=tics,o=test" < password = ldappass < basedn = "o=test" --- > server = "ldap.your.domain" > #identity = "cn=admin,o=My Org,c=UA" > #password = mypass > basedn = 
"o=My Org,c=UA" 77,79c77,78 < #start_tls = no < start_tls = yes < port=636 --- > start_tls = no > 118c117 < password_attribute = nspmPassword --- > 124c123 < edir_account_policy_check = yes --- > edir_account_policy_check = no ---------------------------------------------------------------------------- ------------------------------ freeradius:/etc # diff raddb/modules/mschap raddefault/modules/mschap 37c37 < with_ntdomain_hack = yes --- > 65,66c65 < #ntlm_auth = "/path/to/nitlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" < ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NW2} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" --- > #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" ---------------------------------------------------------------------------- ---------------------------- freeradius:/etc # diff raddb/sites-available/inner-tunnel raddefault/sites-available/inner-tunnel 48,52d47 < if (User-Name !~ /^host\//) { < update control { < MS-CHAP-Use-NTLM-Auth := no < } < } 97,101c92 < copy.user-name < remove-domain-name < add-dollar-sign < strip-realm-name < ntdomain --- > # ntdomain 151c142 < ldap --- > # ldap 239,241c230,232 < Auth-Type LDAP { < ldap < } --- > # Auth-Type LDAP { > # ldap > # } 299c290 < ldap --- > # ldap 311d301 < ldap ---------------------------------------------------------------------------- ----------------------------

Robert Mc Cready wrote:
> I do not rewrite the User-name attribute I rewrite only the
> Stripped-User-Name attribute with these:

No. Go READ the debug log you posted.
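Review bot: the new `client 10.0.0.0/8 { secret = testing123 ... }` block in the clients.conf hunk reuses the well-known example secret from the shipped default configuration and hands it to an entire /8. Anything on that network that knows the secret can submit RADIUS requests as a NAS, and the MS-MPPE keys returned on a successful EAP session are encrypted with that same secret, so replace it with a long random value and narrow the block to the real NAS addresses (one `client` entry per access point or controller is the usual form).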
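Review bot: in the attr_rewrite hunk, `strip-realm-name` uses the greedy pattern `^(.*[\\/]+)`, which removes everything up to the last `\` or `/`, including the `host/` prefix that `add-dollar-sign` has just matched on. With the authorize order shown in inner-tunnel (copy.user-name, remove-domain-name, add-dollar-sign, strip-realm-name) that gives `host/pc.test.local` -> `pc$` and `CAD08862\ldapuser` -> `ldapuser`, but the result depends entirely on that order; add a comment in the module file stating it, because reordering the list silently breaks machine accounts. Note also that `remove-domain-name` only matches the literal `.test.local` suffix.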
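Review bot: in the ldap hunk, `start_tls = yes` together with `port=636` is contradictory: 636 is the LDAPS port, where TLS is negotiated before any LDAP traffic, while `start_tls` issues the STARTTLS extended operation on a plain connection (normally port 389), so keep one or the other. The hunk also places a real bind credential (`identity = "cn=tics,o=test"`, `password = ldappass`) in clear text in `raddb/modules/ldap`; restrict the file to the radiusd user, and since `password_attribute = nspmPassword` means the users' clear-text passwords are retrieved over this connection, make sure the TLS settings verify the server certificate rather than only encrypting the session.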
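Review bot: the active `ntlm_auth` line in the mschap hunk takes the domain from `%{mschap:NT-Domain}`, which is the `DOMAIN\` prefix of the User-Name, with a hard-coded fallback of `NW2`. If a User-Name reaches mschap without that prefix, the request is sent to ntlm_auth with `--domain=NW2` and the misconfiguration is invisible in the debug output; either drop the fallback so the failure shows, or pass the intended domain explicitly. The commented-out template in the same hunk also carries a typo, `nitlm_auth`, harmless today but worth fixing before someone uncomments it.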
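Review bot: the `if (User-Name !~ /^host\//) { update control { MS-CHAP-Use-NTLM-Auth := no } }` block in the inner-tunnel hunk disables ntlm_auth for everything except machine accounts, so ordinary users are checked against the clear-text password the ldap module fetches via `nspmPassword` rather than against the domain; that split is defensible but undocumented, so add a comment saying it is intended. `Auth-Type LDAP { ldap }` is uncommented in the same hunk, yet an LDAP bind needs the clear-text password, which EAP-MSCHAPv2 never supplies; it only does anything for an inner method such as PAP, otherwise it is dead configuration.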
The "inner-tunnel" virtual server gets:

Sending tunneled request
EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202 ...
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "CAD08862\\ldapuser"

You then RE-WRITE the User-Name. Don't do that. As you were told, re-writing the User-Name for EAP is wrong. Don't do it.

> The User-Name attribute is untouched.

You can believe what you *think* happens. Or you can believe the debug output of the server.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html