Hi Phil,
> Forget about all that. Adding Realms and fiddling with the packet
> won't help; the check is hard-coded into the mschap module as a fairly
> obvious security measure.
> For example - suppose I have an environment with two separate domains:
> STAFF
> STUDENTS
> ...if the mschap module did *not* check this, I could rig my mschap
> client to send:
> EAP-Identity: STAFF\john
> MSCHAP-Name: STUDENT\john
> There's no guarantee that STAFF\john and STUDENT\john are the same
> person; you can't just ignore the fact that the client has changed
> their username.
True. But I don't think it is possible to send a different Username in
EAP-Identity and MSChap Username in the same EAP session since the
second is derived from the first. I have seen such a setup where you have
two domains; RADIUS would use the Realm to differentiate the two.
Is there a way we could work around this hard-coded check since in our
case, we only have "one john"?
> Ah.
> I had assumed the machine was a domain member, because you were
> talking about machine auth (which requires domain membership). I take
> it there are two sets of machines - some in the domain, some not? I
> assume they all have the Novell client installed?
Correct, the machines are not members of an AD domain. However, they
have the Novell Client installed, and they are using a kind of AD tree
in their eDirectory structure. So machine auth works the same as if it
was an AD domain. The users are not members of that special tree.
> Usually, people only use "send username automatically" with machines
> which are in the domain. It's possible this is just a bug in Windows
> XP, and that no-one else has ever tried this, so it's never been seen.
It is possible that in Windows XP, something is broken at the supplicant
level. In Windows 7, the OS is brilliant enough not to send the
machine name. However, mainly 80% of his machines are Windows XP.
--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
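A small model of the consistency check the thread is about, added here as an illustration (it is not FreeRADIUS's rlm_mschap or rlm_eap_mschapv2 code, and the function names, the `ignore_domain` switch and the case-folding are my own assumptions). It compares the outer EAP-Identity with the name carried inside the MS-CHAP response, rejects the STAFF\john / STUDENT\john swap from the thread, and also shows what relaxing the check to "user part only" would let through:

```python
"""
Toy model of the EAP-Identity vs. MS-CHAP user-name consistency check
discussed in the thread. Added illustration only: not FreeRADIUS code,
and the function/parameter names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CheckResult:
    accepted: bool
    reason: str


def split_nt_name(name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user); domain is None when absent."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return domain, user
    return None, name


def _norm_domain(domain: Optional[str]) -> str:
    # Assumption: Windows domain names are case-insensitive.
    return (domain or "").lower()


def check_identity_consistency(eap_identity: str, mschap_name: str,
                               ignore_domain: bool = False) -> CheckResult:
    """
    Accept only if the name inside the MS-CHAP response names the same
    principal as the outer EAP-Identity.

    Assumptions (this example's, not the module's documented behaviour):
      * account names are compared case-insensitively;
      * ignore_domain=True models the relaxation the thread asks about
        ("we only have one john"): compare the user part only. The sample
        exchanges below show why that is the weak setting.
    """
    outer_dom, outer_user = split_nt_name(eap_identity)
    inner_dom, inner_user = split_nt_name(mschap_name)

    if outer_user.lower() != inner_user.lower():
        return CheckResult(False, f"user part changed: {eap_identity!r} -> {mschap_name!r}")

    if ignore_domain:
        return CheckResult(True, "user part matches; domain deliberately ignored")

    if _norm_domain(outer_dom) != _norm_domain(inner_dom):
        return CheckResult(False, f"domain changed: {eap_identity!r} -> {mschap_name!r}")

    return CheckResult(True, "EAP-Identity and MS-CHAP name agree")


# Constructed sample exchanges modelled on the thread's STAFF/STUDENT example.
SAMPLE_EXCHANGES = [
    ("STAFF\\john", "STAFF\\john"),     # honest client
    ("STAFF\\John", "staff\\john"),     # same principal, different case
    ("STAFF\\john", "STUDENT\\john"),   # the cross-domain case from the thread
    ("STAFF\\john", "STAFF\\mary"),     # user swapped outright
]


def audit(exchanges, ignore_domain: bool = False) -> List[Tuple[str, str, bool]]:
    """Return (eap_identity, mschap_name, accepted) for each exchange."""
    return [(o, i, check_identity_consistency(o, i, ignore_domain).accepted)
            for o, i in exchanges]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"ignore_domain={mode}")
        for o, i, ok in audit(SAMPLE_EXCHANGES, mode):
            print(f"  {o:<14} vs {i:<14} -> {'accept' if ok else 'reject'}")
```

With the strict comparison the cross-domain exchange is rejected; with `ignore_domain=True` it is accepted, which is exactly the situation the hard-coded check exists to prevent when two domains share a user name.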