Hi,

I had a look at this issue with him since he is one of our clients. Machine 
authentications are working flawlessly, Windows 7 authentication as well (no 
hostname is sent with the username).
The problem is when the HOSTNAME is sent along with the username under Windows 
XP. I tried to set a realm specially for this HOSTNAME, but we got the same 
error.
>   Well... re-writing the names in the "inner-tunnel" server is breaking
> authentication.
We don't. The site configurations are very straightforward (almost default), 
no fancy rewrites in the default or the inner-tunnel.
>   *Why* are you re-writing them?  What do you expect to do with the
> names?  Why isn't there another way to achieve the same goal?
We do not rewrite anything.  LDAP authorization passes properly, but when EAP 
authentication kicks in, we have this MS-CHAP error.
We are using mschap:user-name in the LDAP filter and in the ntlm_auth line.  
Again, we are *NOT* rewriting the User-Name.

We need other ideas here.

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
