On 05/29/2011 03:10 PM, Francois Gaudreault wrote:
> Hi Phil,
>
> On 11-05-29 6:16 AM, Phil Mayers wrote:
>> Ok, so as before what we're seeing is that the host is sending
>>
>> STIC08862\TechRMC
>>
>> ...in the EAP-Identity response, but:
>>
>> TechRMC
>>
>> ...in the MSCHAP packet (the hex above decodes to that)
>>
>> This is obviously broken, but here's where I get confused: STIC08862
>> doesn't look like a domain name to me. It looks like a machine name.
> It is indeed a machine name. This is where we have problems, this does
> not happen using Windows 7. I tried to set a Realm for that machine name
> without success. The thing I don't understand is why MSCHAP complains
> about that. I mean, correct me if I am wrong, mschap:User-Name will
> *always* strip that part since it looks like a domain.

Forget about all that. Adding Realms and fiddling with the packet won't help; the check is hard-coded into the mschap module as a fairly obvious security measure.

For example - suppose I have an environment with two separate domains:

STAFF
STUDENTS

...if the mschap module did *not* check this, I could rig my mschap client to send:

EAP-Identity: STAFF\john
MSCHAP-Name: STUDENT\john

There's no guarantee that STAFF\john and STUDENT\john are the same person; you can't just ignore the fact that the client has changed their username.

>> Is the machine a domain member or not? Is the user logging on locally
>> or with a domain account? Or is this an artefact of the way Novell works?
> The machine is not a member of the domain, and the user logs in to Novell. So
> when the user logs in, it sends the username information to RADIUS just
> as if a local user logs in.

Ah.

I had assumed the machine was a domain member, because you were talking about machine auth (which requires domain membership). I take it there are two sets of machines - some in the domain, some not? I assume they all have the Novell client installed?
>> What happens if you take an ordinary machine, without the Novell
>> client installed, create a local user with the same username/password
>> as a domain user, then use "send username automatically"
> We tried it, and the machine appears to be sending the machine name
> anyway. It will work only if we don't send the credentials automatically.

Usually, people only use "send username automatically" with machines which are in the domain. It's possible this is just a bug in Windows XP, and that no-one else has ever tried this, so it's never been seen.
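An added illustration (not rlm_mschap source) of the point Phil makes above: comparing only the bare usernames after stripping the DOMAIN\ part would let STAFF\john and STUDENT\john pass as the same account, whereas comparing the identity as sent catches the mismatch. The exact comparison FreeRADIUS performs is an assumption here; the sample identities are taken from the thread.

```python
# Added example of the EAP-Identity vs. MS-CHAP username consistency rule.
# Assumption: this mirrors the principle, not rlm_mschap's actual code.

def strip_domain(name: str) -> str:
    """Drop a leading DOMAIN\\ or MACHINE\\ prefix, as mschap:User-Name does."""
    return name.split("\\", 1)[1] if "\\" in name else name

def naive_match(eap_identity: str, mschap_name: str) -> bool:
    """Unsafe: compares only the bare usernames, ignoring the domain part."""
    return strip_domain(eap_identity).lower() == strip_domain(mschap_name).lower()

def strict_match(eap_identity: str, mschap_name: str) -> bool:
    """Safe: the name carried in the MS-CHAP response must equal the
    EAP-Identity as sent, domain included (case-insensitive, as Windows names are)."""
    return eap_identity.lower() == mschap_name.lower()

# Constructed sample pairs (EAP-Identity, MS-CHAP name) based on the thread.
CASES = [
    ("STAFF\\john", "STAFF\\john"),        # same account, both prefixed
    ("STAFF\\john", "STUDENT\\john"),      # different domains, same bare name
    ("STIC08862\\TechRMC", "TechRMC"),     # the Novell/XP case reported here
]

def evaluate(cases=CASES):
    """Return (eap_identity, mschap_name, naive_result, strict_result) per case."""
    return [(e, m, naive_match(e, m), strict_match(e, m)) for e, m in cases]

if __name__ == "__main__":
    for e, m, n, s in evaluate():
        print(f"{e!r:24} vs {m!r:18} naive={n!s:5} strict={s}")
```

Only the first pair passes the strict check; the naive check accepts all three, including the cross-domain one.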
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html