Hi Phil,

> Forget about all that. Adding realms and fiddling with the packet won't help; the check is hard-coded into the mschap module as a fairly obvious security measure.
>
> For example - suppose I have an environment with two separate domains:
>
> STAFF
> STUDENTS
>
> ...if the mschap module did *not* check this, I could rig my mschap client to send:
>
> EAP-Identity: STAFF\john
> MSCHAP-Name: STUDENTS\john
>
> There's no guarantee that STAFF\john and STUDENTS\john are the same person; you can't just ignore the fact that the client has changed their username.

True. But I don't think it is possible to send a different username in EAP-Identity and MS-CHAP username in the same EAP session, since the second is derived from the first. I have seen such a setup where you have two domains; RADIUS would use the realm to differentiate the two.

Is there a way we could work around this hard-coded check, since in our case we only have "one john"?


> Ah.
>
> I had assumed the machine was a domain member, because you were talking about machine auth (which requires domain membership). I take it there are two sets of machines - some in the domain, some not? I assume they all have the Novell client installed?
Correct, the machines are not members of an AD domain. However, they have the Novell Client installed, and they are using a kind of AD tree in their eDirectory structure. So machine auth works the same as if it were an AD domain. The users are not members of that special tree.


> Usually, people only use "send username automatically" with machines which are in the domain. It's possible this is just a bug in Windows XP, and that no-one else has ever tried this, so it's never been seen.
It is possible that in Windows XP, something is broken at the supplicant level. In Windows 7, the OS is brilliant enough not to send the machine name. However, about 80% of his machines are Windows XP.


--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
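The identity-consistency check discussed in the thread, as an added illustration that is not part of the original messages and not FreeRADIUS's rlm_mschap code: it reimplements the policy Phil describes (the account the client signed in the MS-CHAP response must match, domain included, the one it announced in EAP-Identity) next to the username-only shortcut he warns against, so the STAFF\john / STUDENTS\john case can be run. The third policy, `single_realm_check`, is a hypothetical relaxation for a site that really has "one john" and a single realm; it is an assumption made here, not an existing module option. The sample pairs are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    domain: Optional[str]   # None when the client sent a bare username
    user: str


def parse_identity(name: str) -> Identity:
    """Split DOMAIN\\user or user@realm into (domain, user).
    NT domains and usernames are case-insensitive, so both are lowercased
    before comparison."""
    name = name.strip()
    if "\\" in name:                      # NT style: DOMAIN\user
        domain, user = name.split("\\", 1)
    elif "@" in name:                     # UPN/realm style: user@domain
        user, domain = name.rsplit("@", 1)
    else:
        domain, user = None, name
    return Identity(domain.lower() if domain is not None else None, user.lower())


def strict_check(eap_identity: str, mschap_name: str) -> bool:
    """Policy from the reply: the name in the MS-CHAP response must be the
    same account, domain included, as the one announced in EAP-Identity."""
    return parse_identity(eap_identity) == parse_identity(mschap_name)


def username_only_check(eap_identity: str, mschap_name: str) -> bool:
    """The shortcut the reply warns against: compare only the part after the
    domain, so STAFF\\john and STUDENTS\\john look like the same person."""
    return parse_identity(eap_identity).user == parse_identity(mschap_name).user


def single_realm_check(eap_identity: str, mschap_name: str, realm: str) -> bool:
    """Hypothetical relaxed policy for a site with exactly one realm
    (assumption made here, not a FreeRADIUS option): bare usernames must
    match, and any domain either side carries must be the configured realm."""
    a, b = parse_identity(eap_identity), parse_identity(mschap_name)
    if a.user != b.user:
        return False
    return all(d in (None, realm.lower()) for d in (a.domain, b.domain))


Check = Callable[[str, str], bool]


def evaluate(pairs: List[Tuple[str, str]], check: Check) -> List[Tuple[str, str, str]]:
    """Run one policy over (EAP-Identity, MS-CHAP-Name) pairs and return
    (eap_identity, mschap_name, 'accept'|'reject') for each."""
    return [(e, m, "accept" if check(e, m) else "reject") for e, m in pairs]


# Constructed sample exchanges, including the rigged client from the reply.
SAMPLE_PAIRS = [
    ("STAFF\\john", "STAFF\\john"),      # honest client
    ("staff\\John", "STAFF\\john"),      # same account, different case
    ("STAFF\\john", "STUDENTS\\john"),   # rigged client: name swapped between messages
    ("john", "STAFF\\john"),             # bare EAP-Identity, domain-qualified MS-CHAP name
    ("john@STAFF", "STAFF\\john"),       # UPN form vs NT form of the same account
]

if __name__ == "__main__":
    policies = (
        ("strict", strict_check),
        ("username-only", username_only_check),
        ("single-realm STAFF", lambda e, m: single_realm_check(e, m, "STAFF")),
    )
    for label, check in policies:
        print(f"== {label} ==")
        for e, m, verdict in evaluate(SAMPLE_PAIRS, check):
            print(f"  {e:<16} {m:<16} {verdict}")
```

Under the strict policy the rigged pair is rejected and the bare-username pair is rejected too, which is the behaviour the thread is running into; the username-only policy accepts the rigged pair, which is why the module does not work that way. The single-realm policy accepts "john" against "STAFF\john" but still rejects STAFF against STUDENTS, which is the narrowest relaxation that fits the "one john" situation without reintroducing the cross-domain problem.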