On 02/09/2012 07:55 PM, Francois Gaudreault wrote:
Doing the MS-CHAP-User-Name change got me this error :

[mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Found NT-Password
[mschap] ERROR: User-Name (host/dti-dahport) is not the same as MS-CHAP Name (dti-dahport$) from EAP-MSCHAPv2

Ah, of course.

I think you're going to need to rewrite the User-Name attribute instead; that check is there to prevent clients sending a User-Name that differs from the MS-CHAP value and circumventing authorization checks.

I will try to come up with a patch that does all this properly later today, but this should work:

authorize {
  ...
  # Machine identities arrive as host/<name>[.<domain>]; rewrite them to <name>$
  # so User-Name matches the MS-CHAP name carried inside EAP-MSCHAPv2.
  # [^.]+ stops at the first dot, so any DNS suffix is dropped.
  if (User-Name =~ /^host\/([^.]+)/) {
    update request {
      User-Name := "%{1}$"
    }
  }
  ...
}

Note to the archives: This is NOT GENERAL ADVICE. This advice is specific to the issue Francois is facing (performing machine auth with access to the NT-Password, as opposed to via Active Directory)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
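The rewrite and the consistency check discussed above, modelled in Python as an added example (this is not code from the thread or from FreeRADIUS). It assumes the regex from the suggested unlang rule and a plain string-equality check standing in for the rlm_mschap comparison that produced the error; the sample identities are constructed, mirroring the failing request in Francois' debug output.

```python
import re

# Regex from the suggested unlang rule: host/<name>[.<domain>].
# [^.]+ stops at the first dot, so a DNS suffix (if any) is dropped.
HOST_IDENTITY = re.compile(r"^host/([^.]+)")


def rewrite_user_name(user_name):
    """Model of 'update request { User-Name := "%{1}$" }'.

    Only identities matching host/... are rewritten; anything else is
    returned unchanged, like the 'if' guard in the unlang block.
    """
    m = HOST_IDENTITY.match(user_name)
    if m is None:
        return user_name
    return m.group(1) + "$"


def mschap_name_check(user_name, mschap_name):
    """Simplified model (an assumption, not rlm_mschap's code) of the check
    behind 'User-Name (...) is not the same as MS-CHAP Name (...)': the outer
    User-Name must equal the name carried inside EAP-MSCHAPv2."""
    return user_name == mschap_name


def machine_auth_outcome(user_name, mschap_name):
    """Apply the rewrite, then the check.

    Returns (effective User-Name, True if the check passes).
    """
    effective = rewrite_user_name(user_name)
    return effective, mschap_name_check(effective, mschap_name)


# Constructed sample requests (not taken from the original log).
SAMPLES = [
    ("host/dti-dahport", "dti-dahport$"),              # the case in the thread
    ("host/dti-dahport.example.com", "dti-dahport$"),  # FQDN form: suffix stripped
    ("jdoe", "jdoe"),                                  # user auth: left untouched
    ("host/dti-dahport", "otherhost$"),                # mismatch: still rejected
]

if __name__ == "__main__":
    for user_name, mschap_name in SAMPLES:
        before = mschap_name_check(user_name, mschap_name)
        effective, after = machine_auth_outcome(user_name, mschap_name)
        print(f"{user_name:32} without rewrite: {'ok' if before else 'REJECT':6} "
              f"with rewrite -> {effective:16} {'ok' if after else 'REJECT'}")
```

The last sample is the one that matters for the warning in the message: the rewrite only normalises the machine identity, it does not disable the check, so a client whose outer identity disagrees with the name inside EAP-MSCHAPv2 is still rejected.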