On Fri, Sep 13, 2013 at 12:23:47AM +0100, trevor obba wrote:
> expand: --username=%{mschap:User-Name:-None} -> --username=t...@abc.ac.uk
...
> Exec-Program output: Logon failure (0xc00004f) 

> How can I fix the problem of authenticating users that type
> in their local realm @abc.ac.uk with their username as well as proxying eduroam
> users?
> Basically, how do I authenticate local users or strip the local
> realm before passing to Active Directory for authentication?

Use unlang to strip the realm off, something like this before the call to eap:

  if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) {
      update request {
          Stripped-User-Name := "%{1}"
      }
      if ("%{3}") {
          update request {
              Realm := "%{3}"
          }
      }
      else {
          # this will reject requests that have no realm
          reject
      }
  }

Then in your mschap module config use Stripped-User-Name instead of User-Name, 
e.g.

  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=abc.ac.uk --username=%{Stripped-User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Matthew


-- 
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
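
A Python model of the regex in the unlang snippet above, added here as an illustration and not part of the original message: it shows which User-Name values get a Stripped-User-Name and Realm, which hit the `reject` branch, and which do not match the pattern at all and therefore skip the whole `if` block. The outcome labels, function name and sample names are constructed for this example, and `[:alnum:]` is assumed to mean ASCII letters and digits.

```python
import re

# Python translation of the POSIX pattern in the unlang snippet.
# Assumption: [:alnum:] is taken as ASCII letters and digits (C locale).
USER_NAME_RE = re.compile(r"([^@]*)(@([-A-Za-z0-9.]+))?")


def classify(user_name):
    """Return (outcome, stripped_user_name, realm) for one User-Name.

    outcome is a label made up for this example:
      "stripped"  - regex matched and a realm was captured
      "reject"    - regex matched but there was no realm (the else branch)
      "unmatched" - regex did not match, so the whole if block is skipped
    """
    m = USER_NAME_RE.fullmatch(user_name)  # fullmatch mirrors ^...$
    if m is None:
        return ("unmatched", None, None)
    stripped, realm = m.group(1), m.group(3)
    if realm:
        return ("stripped", stripped, realm)
    return ("reject", stripped, None)


# Constructed sample User-Name values, not taken from real logs.
SAMPLES = [
    "alice@abc.ac.uk",        # local realm
    "bob@example.org",        # visiting realm
    "alice",                  # no realm
    "@abc.ac.uk",             # empty user part
    "alice@",                 # "@" with nothing after it
    "alice@abc@example.org",  # two "@" signs
    "alice@abc ac uk",        # characters outside the realm class
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:28} -> {classify(name)}")
```

The "unmatched" rows are the ones to check in a real policy: the snippet neither sets Stripped-User-Name nor rejects them, so they continue with whatever the rest of the section does.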
