Re: Removing domain prefix from login

2011-11-14 Thread Alejandro Gandara
Hi list,

Thanks for the help. I've fixed the problem by changing the following parameters:
/etc/freeradius/sites-enabled/inner-tunnel:authorize: ntdomain
/etc/freeradius/modules/mschap:with_ntdomain_hack = yes

Now everything is OK.

Thanks for all.

Regards
Alejandro Gándara
Junior System Administrator
OptareSolutions

2011/11/11 Phil Mayers p.may...@imperial.ac.uk

 On 11/11/11 09:52, Alejandro Gandara wrote:


 this is the short view:


  [peap] The users session was previously rejected: returning reject
 (again.)
 [peap] *** This means you need to read the PREVIOUS messages in the


 Sigh.

 Read this line.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Removing domain prefix from login

2011-11-11 Thread Phil Mayers

On 11/11/2011 07:46 AM, Alejandro Gandara wrote:


I got errors anyway. I've attached the debug output.


The debug output didn't make it through; I guess it was too big. Use a 
pastebin, or put it inline in the email?



Re: Removing domain prefix from login

2011-11-11 Thread Alejandro Gandara
2011/11/11 Phil Mayers p.may...@imperial.ac.uk

 On 11/11/2011 07:46 AM, Alejandro Gandara wrote:

  I got errors anyway. I've attached the debug output.


 The debug output didn't make it through; I guess it was too big. Use a
 pastebin, or put it inline in the email?

 this is the short view:
++[preprocess] returns ok
[ntdomain] Looking up realm OPTARE for User-Name = OPTARE\brouco
[ntdomain] Found realm OPTARE
[ntdomain] Adding Stripped-User-Name = brouco
[ntdomain] Adding Realm = OPTARE
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[mschap] returns noop
++[digest] returns noop
[ldap] performing user authorization for brouco
[ldap]  expand: %{Stripped-User-Name} - brouco
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=brouco)
[ldap]  expand: dc=optare,dc=loc - dc=optare,dc=loc
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=optare,dc=loc, with filter (uid=brouco)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] roomNumber - Pool-Name == infraestructuras
  [ldap] sambaNtPassword - NT-Password ==
0x3245334230434533423046383434414238374145393237384141453730393331
[ldap] looking for reply items in directory...
  [ldap] radiusTunnelPrivateGroupId - Tunnel-Private-Group-Id:0 = 01
  [ldap] radiusTunnelMediumType - Tunnel-Medium-Type:0 = IEEE-802
  [ldap] radiusTunnelType - Tunnel-Type:0 = VLAN
  [ldap] radiusFramedIPAddress - Framed-IP-Address = 192.45.51.9
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user brouco authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 45 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug
output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for reject or fail.  Those earlier messages will tell
you.
[peap]  *** what went wrong, and how to fix the problem.
  SSL: Removing session
1390126992ccf15f6eca58514ff74975f8661cc927bbe3a5f0e0a52b9a310e4a from the
cache
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [OPTARE\\brouco/via Auth-Type = EAP] (from client
privradius port 29 cli f0-4d-a2-bc-77-cd)
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.
# Executing group from file /etc/freeradius/sites-enabled/default
Delaying reject of request 6 for 1 seconds


Thanks for the help




Re: Removing domain prefix from login

2011-11-11 Thread Phil Mayers

On 11/11/11 09:52, Alejandro Gandara wrote:


this is the short view:



[peap] The users session was previously rejected: returning reject (again.)
[peap] *** This means you need to read the PREVIOUS messages in the


Sigh.

Read this line.


Re: Removing domain prefix from login

2011-11-10 Thread Alejandro Gandara
Hi Alan,

Thanks for your answers and excuse me for my English, full of mistakes.

2011/11/10 Alan DeKok al...@deployingradius.com

 Alejandro Gandara wrote:
  I'm authenticating users in RADIUS against LDAP. If I log in from a
  computer with 802.1X configured, with the user and password taken
  automatically from the domain, the authentication goes wrong because the
  login has the following string:
 
  DOMAIN\\Users
 
  How can I avoid RADIUS reading the prefix?

   You should be able to authenticate using just the user name, using
 ntlm_auth.  See the examples in raddb/modules/ntlm_auth


I'm reading about it. Thanks for this information.


  I've tried to introduce the prefix option in /etc/sites-enable/default,
  but it's giving me back errors because of the wrong way of introducing
  that line.

   Yes.  Don't define a realm.  It won't work.

  Post the debug output.  That helps, too.


This is my debug output:

rad_recv: Access-Request packet from host 172.20.40.28 port 1025, id=112,
length=218
Framed-MTU = 1480
NAS-IP-Address = 172.20.40.28
NAS-Identifier = SW-INT-1-3
User-Name = PRIVATE\\usertest
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 32
NAS-Port-Type = Ethernet
NAS-Port-Id = 32
Called-Station-Id = f0-62-81-05-33-40
Calling-Station-Id = f0-4d-a2-bc-77-cd
Connect-Info = CONNECT Ethernet 1000Mbps Full duplex
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1
EAP-Message = 0x020a0012014f50544152455c62726f75636f
Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
[ldap] performing user authorization for usertest
[ldap]  expand: %{Stripped-User-Name} -
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} - usertest
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -
(uid=usertest)
[ldap]  expand: dc=private,dc=loc - dc=private,dc=loc
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 172.20.52.206:389, authentication 0
  [ldap] bind as cn=raddbuser,dc=private,dc=loc/password to
172.20.52.206:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=pruebas,dc=loc, with filter (uid=usertest)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNtPassword - NT-Password ==
0x3245334230434533423046383434414238374145393237384141453730393331
[ldap] looking for reply items in directory...
  [ldap] radiusTunnelPrivateGroupId - Tunnel-Private-Group-Id:0 = 01
  [ldap] radiusTunnelMediumType - Tunnel-Medium-Type:0 = IEEE-802
  [ldap] radiusTunnelType - Tunnel-Type:0 = VLAN
  [ldap] radiusFramedIPAddress - Framed-IP-Address = 192.45.51.9
[ldap] user brouco authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 10 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
*[eap] Identity does not match User-Name, setting from EAP Identity.*
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [usertest/via Auth-Type = EAP] (from client privradius
port 32 cli f0-4d-a2-bc-77-cd)
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.
# Executing group from file /etc/freeradius/sites-enabled/default


Thanks for all Alan.


Regards,

Alejandro Gándara



  Alan DeKok.



Re: Removing domain prefix from login

2011-11-10 Thread Alan DeKok
Alejandro Gandara wrote:
 This is my debug output:

  Well... you deleted a lot of the default configuration.  It now
doesn't work.  I'm not sure why.

  Use the default configuration.  It works.  Change as little as possible.

  Alan DeKok.


Re: Removing domain prefix from login

2011-11-10 Thread Alejandro Gandara
Thanks for your answer. I think I've changed the following things to try to
remove DOMAIN:

./modules/preprocess:   with_ntdomain_hack = yes
./modules/mschap:with_ntdomain_hack = yes
./eap.conf: with_ntdomain_hack = yes

I hope this helps. If there is more information I could give, tell me.


2011/11/10 Alan DeKok al...@deployingradius.com

 Alejandro Gandara wrote:
  This is my debug output:

   Well... you deleted a lot of the default configuration.  It now
 doesn't work.  I'm not sure why.

  Use the default configuration.  It works.  Change as little as possible.


I'll try once more. If I do not get results, I will reinstall FreeRADIUS,
changing only what is necessary.


  Alan DeKok.


Regards,

Alejandro Gándara


Re: Removing domain prefix from login

2011-11-10 Thread Phil Mayers

On 10/11/11 08:15, Alejandro Gandara wrote:

Hi Alan,

Thanks for your answers and excuse me for my English, full of mistakes.

2011/11/10 Alan DeKok al...@deployingradius.com

Alejandro Gandara wrote:
  I'm authenticating users in RADIUS against LDAP. If I log in from a
  computer with 802.1X configured, with the user and password taken
  automatically from the domain, the authentication goes wrong because the
  login has the following string:
 
  DOMAIN\\Users
 
  How can I avoid RADIUS reading the prefix?

You should be able to authenticate using just the user name, using
ntlm_auth. See the examples in raddb/modules/ntlm_auth


I'm reading about it. Thanks for this information.


  I've tried to introduce the prefix option in /etc/sites-enable/default,
  but it's giving me back errors because of the wrong way of introducing
  that line.

Yes. Don't define a realm. It won't work.

Post the debug output. That helps, too.


This is my debug output:

rad_recv: Access-Request packet from host 172.20.40.28 port 1025,
id=112, length=218
Framed-MTU = 1480
NAS-IP-Address = 172.20.40.28
NAS-Identifier = SW-INT-1-3
User-Name = PRIVATE\\usertest


Have you edited this debug?


Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 32
NAS-Port-Type = Ethernet
NAS-Port-Id = 32
Called-Station-Id = f0-62-81-05-33-40
Calling-Station-Id = f0-4d-a2-bc-77-cd
Connect-Info = CONNECT Ethernet 1000Mbps Full duplex
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 1
EAP-Message = 0x020a0012014f50544152455c62726f75636f


This decodes as:

\x02\n\x00\x12\x01OPTARE\\brouco


Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
*[eap] Identity does not match User-Name, setting from EAP Identity.*


This claims MSCHAP and Radius username don't match.

Did you edit the debug?

Don't do that.

Please provide a full debug, like so:

radiusd -X | tee log.txt
# run a test auth
# ctrl+c
# email log.txt


Re: Removing domain prefix from login

2011-11-10 Thread Alejandro Gandara
2011/11/10 Phil Mayers p.may...@imperial.ac.uk

 On 10/11/11 08:15, Alejandro Gandara wrote:

 Hi Alan,

 Thanks for your answers and excuse me for my English, full of mistakes.

 2011/11/10 Alan DeKok al...@deployingradius.com


Alejandro Gandara wrote:
  I'm authenticating users in RADIUS against LDAP. If I log in from a
  computer with 802.1X configured, with the user and password taken
  automatically from the domain, the authentication goes wrong because the
  login has the following string:
 
  DOMAIN\\Users
 
  How can I avoid RADIUS reading the prefix?

You should be able to authenticate using just the user name, using
ntlm_auth. See the examples in raddb/modules/ntlm_auth


 I'm reading about it. Thanks for this information.


  I've tried to introduce the prefix option in /etc/sites-enable/default,
  but it's giving me back errors because of the wrong way of introducing
  that line.

Yes. Don't define a realm. It won't work.

Post the debug output. That helps, too.


 This is my debug output:

 rad_recv: Access-Request packet from host 172.20.40.28 port 1025,
 id=112, length=218
 Framed-MTU = 1480
 NAS-IP-Address = 172.20.40.28
 NAS-Identifier = SW-INT-1-3
 User-Name = PRIVATE\\usertest


 Have you edited this debug?


  Service-Type = Framed-User
 Framed-Protocol = PPP
 NAS-Port = 32
 NAS-Port-Type = Ethernet
 NAS-Port-Id = 32
 Called-Station-Id = f0-62-81-05-33-40
 Calling-Station-Id = f0-4d-a2-bc-77-cd
 Connect-Info = CONNECT Ethernet 1000Mbps Full duplex
 Tunnel-Type:0 = VLAN
 Tunnel-Medium-Type:0 = IEEE-802
 Tunnel-Private-Group-Id:0 = 1
 EAP-Message = 0x020a0012014f50544152455c62726f75636f


 This decodes as:

 \x02\n\x00\x12\x01OPTARE\\brouco

  Message-Authenticator = 0x055981a2c542df52f4c292042c89a019

 Found Auth-Type = EAP
 # Executing group from file /etc/freeradius/sites-enabled/default
 +- entering group authenticate {...}
 *[eap] Identity does not match User-Name, setting from EAP Identity.*


 This claims MSCHAP and Radius username don't match.

 Did you edit the debug?

 Don't do that.

OK, sorry.


 Please provide a full debug, like so:

 radiusd -X | tee log.txt
 # run a test auth
 # ctrl+c
 # email log.txt

 I've attached it




FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 20:41:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/linelog
including 

Re: Removing domain prefix from login

2011-11-10 Thread Alan Buxey
Hi,

 rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, 
 length=218

snip
   User-Name = OPTARE\\brouco

snip

all okay... but then:

 # Executing section authorize from file /etc/freeradius/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[mschap] returns noop
 ++[digest] returns noop
 [ldap] performing user authorization for brouco
 [ldap]expand: %{Stripped-User-Name} - 

no Stripped-User-Name

and User-Name is brouco, but that's not what the client sent. They sent
OPTARE\\brouco, so your reply references something they didn't send.


Have you got the 'ntdomain' module enabled in your virtual servers, just after
'preprocess' is called?

alan


Re: Removing domain prefix from login

2011-11-10 Thread Alejandro Gandara
2011/11/10 Alan Buxey a.l.m.bu...@lboro.ac.uk

 Hi,

  rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21,
 length=218

 snip
User-Name = OPTARE\\brouco

 I know this; that's why I need to try to remove this prefix. At first I
thought I could do it with module/realm, but I didn't get good results.

 snip

 all okay... but then:

  # Executing section authorize from file
 /etc/freeradius/sites-enabled/default
  +- entering group authorize {...}
  ++[preprocess] returns ok
  ++[mschap] returns noop
  ++[digest] returns noop
  [ldap] performing user authorization for brouco
  [ldap]expand: %{Stripped-User-Name} -

 no Stripped-User-Name

I think the problem is that eap is looking for User-Name and I need it to look
for the stripped one.


 and User-Name is brouco, but that's not what the client sent. They sent
 OPTARE\\brouco, so your reply references something they didn't send.


 Have you got the 'ntdomain' module enabled in your virtual servers, just
 after 'preprocess' is called?

 alan


Regards,

Alejandro


Re: Removing domain prefix from login

2011-11-10 Thread Phil Mayers

Ok, your debug says:

rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21, 
length=218

Framed-MTU = 1480
NAS-IP-Address = 172.20.40.11
NAS-Identifier = SW-Priv-1-1
User-Name = OPTARE\\brouco
snip
# Executing section authorize from file 
/etc/freeradius/sites-enabled/default

+- entering group authorize {...}
++[preprocess] returns ok

Why is preprocess returning ok?

What are you doing in the hints module?

Are you modifying the username field? A few lines later it says:

[ldap]  expand: %{User-Name} - brouco

If you're modifying the username, you can't do that. It will break EAP, 
which is why it says:


[eap] Identity does not match User-Name, setting from EAP Identity.

...then fails.

I assume you want to strip DOMAIN\ so that you can do LDAP? You CANNOT 
modify the User-Name field. You MUST use the Stripped-User-Name field, 
and leave the User-Name field alone.

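As an added example (mine, not code from the thread or from FreeRADIUS), here is in Python what the two points above come down to: the eap module compares the EAP Identity with User-Name byte for byte, and the ntdomain realm module derives Stripped-User-Name and Realm for a configured realm without touching User-Name. The EAP-Message hex is the value quoted earlier in the thread; the function names, the `known_realms` set and the LDAP filter fallback `(uid=%{%{Stripped-User-Name}:-%{User-Name}})` are modelled on the debug output and are my assumptions.

```python
"""Decode the RADIUS EAP-Message from the thread's debug output and show
why rewriting User-Name breaks EAP while Stripped-User-Name does not."""
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# EAP-Message value quoted in the debug output earlier in the thread.
EAP_MESSAGE_HEX = "020a0012014f50544152455c62726f75636f"


def decode_eap_identity(hex_payload):
    """Parse one EAP packet: Code, Identifier, Length, Type, Type-Data.
    Assumes the whole packet fits in a single EAP-Message attribute
    (larger packets are split over several attributes by the NAS)."""
    data = bytes.fromhex(hex_payload)
    if len(data) < 5:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length %d != %d bytes present" % (length, len(data)))
    if code != EAP_CODE_RESPONSE or data[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity response")
    return {"id": ident, "length": length, "identity": data[5:].decode("ascii")}


def ntdomain_split(user_name, known_realms):
    """What the ntdomain realm (prefix format, delimiter '\\') adds:
    (Stripped-User-Name, Realm). An unknown realm yields nothing, which is
    why 'realm OPTARE {}' must exist in proxy.conf. User-Name is untouched."""
    realm, sep, stripped = user_name.partition("\\")
    if not sep or realm not in known_realms:
        return None, None
    return stripped, realm


def authorize_view(user_name, eap_message_hex, known_realms):
    """Mimic the authorize stage: eap identity check plus the LDAP filter
    '(uid=%{%{Stripped-User-Name}:-%{User-Name}})' from the thread."""
    identity = decode_eap_identity(eap_message_hex)["identity"]
    stripped, realm = ntdomain_split(user_name, known_realms)
    return {
        "identity_matches": identity == user_name,
        "stripped_user_name": stripped,
        "realm": realm,
        "ldap_filter": "(uid=%s)" % (stripped if stripped else user_name),
    }


if __name__ == "__main__":
    # Correct setup: User-Name left alone, realm configured.
    print(authorize_view("OPTARE\\brouco", EAP_MESSAGE_HEX, {"OPTARE"}))
    # preprocess with_ntdomain_hack rewrote User-Name: eap will reject.
    print(authorize_view("brouco", EAP_MESSAGE_HEX, {"OPTARE"}))
    # Realm not defined: no Stripped-User-Name, LDAP filter uses DOMAIN\user.
    print(authorize_view("OPTARE\\brouco", EAP_MESSAGE_HEX, set()))
```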


Re: Removing domain prefix from login

2011-11-10 Thread Alejandro Gandara
2011/11/10 Phil Mayers p.may...@imperial.ac.uk

 Ok, your debug says:

 rad_recv: Access-Request packet from host 172.20.40.11 port 1025, id=21,
 length=218
Framed-MTU = 1480
NAS-IP-Address = 172.20.40.11
NAS-Identifier = SW-Priv-1-1

User-Name = OPTARE\\brouco
 snip
 # Executing section authorize from file /etc/freeradius/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok

 Why is preprocess returning ok?

This is preprocess:

preprocess {
    huntgroups = ${confdir}/huntgroups
    hints = ${confdir}/hints

    # This hack changes Ascend's weird port numberings
    # to standard 0-??? port numbers so that the + works
    # for IP address assignments.
    with_ascend_hack = no
    ascend_channels_per_line = 23

    # Windows NT machines often authenticate themselves as
    # NT_DOMAIN\username
    #
    # If this is set to 'yes', then the NT_DOMAIN portion
    # of the user-name is silently discarded.
    #
    # This configuration entry SHOULD NOT be used.
    # See the realms module for a better way to handle
    # NT domains.
    with_ntdomain_hack = yes

    # Specialix Jetstream 8500 24 port access server.
    #
    # If the user name is 10 characters or longer, a /
    # and the excess characters after the 10th are
    # appended to the user name.
    #
    # If you're not running that NAS, you don't need
    # this hack.
    with_specialix_jetstream_hack = no

    # Cisco (and Quintum in Cisco mode) sends its VSA attributes
    # with the attribute name *again* in the string, like:
    #
    #   H323-Attribute = h323-attribute=value.
    #
    # If this configuration item is set to 'yes', then
    # the redundant data in the attribute text is stripped
    # out.  The result is:
    #
    #  H323-Attribute = value
    #
    # If you're not running a Cisco or Quintum NAS, you don't

}


 What are you doing in the hints module?

 Are you modifying the username field? A few lines later it says:

 [ldap]  expand: %{User-Name} - brouco


 If you're modifying the username, you can't do that. It will break EAP,
 which is why it says:

 [eap] Identity does not match User-Name, setting from EAP Identity.

 ...then fails.

 I assume you want to strip DOMAIN\ so that you can do LDAP? You CANNOT
 modify the User-Name field. You MUST use the Stripped-User-Name field, and
 leave the User-Name field alone.




Re: Removing domain prefix from login

2011-11-10 Thread Phil Mayers

On 10/11/11 16:53, Alejandro Gandara wrote:


# This configuration entry SHOULD NOT be used.
# See the realms module for a better way to handle
# NT domains.
with_ntdomain_hack = yes


^^^

As per the docs. This config item should not be used, and is causing 
things to break.


Set this back to no. Edit the proxy.conf file and add:

realm OPTARE {
}

Then edit raddb/sites-enabled/server and add:

authorize {
  preprocess
  ntdomain
   rest of config
}



Re: Removing domain prefix from login

2011-11-10 Thread Alan Buxey
Hi,

 As per the docs. This config item should not be used, and is causing 
 things to break.

Umm, wasn't there a discussion recently in which

with_ntdomain_hack = yes

was going to be set by default in FR 3.x?

alan


Re: Removing domain prefix from login

2011-11-10 Thread Phil Mayers

On 11/10/2011 10:06 PM, Alan Buxey wrote:

Hi,


As per the docs. This config item should not be used, and is causing
things to break.


Umm, wasn't there a discussion recently in which

with_ntdomain_hack = yes

was going to be set by default in FR 3.x?


That was the option on the mschap module. That option does not modify 
the packet, and only controls the string that is input into the mschap 
challenge/response calculation. Since the RFC says that input string 
should always be the username without leading DOMAIN\, it seems sensible 
to change that default and rename the option to something like 
challenge_ignore_ntdomain or something.


*This* option, unfortunately named the same thing, does something 
different - it modifies the username in the packet to remove the DOMAIN\ 
which is almost never a good thing, and definitely not if you're using 
EAP. It should probably just be removed - people can use unlang if they 
really want to hack away at the username.


There's also a with_ntdomain_hack on rlm_eap_mschapv2 which again does 
something different - it strips the DOMAIN\ when proxying the mschap to 
a remote server. It should probably be renamed to proxy_send_domain or 
something.

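To make the distinction drawn above concrete, an added example in Python (mine, not FreeRADIUS code): the mschap module's option only changes the UserName string fed into the MS-CHAPv2 ChallengeHash (RFC 2759, section 8.2), so a server that hashes over DOMAIN\user while the supplicant used the bare user name derives a different 8-octet challenge and the NT-Response can never verify. The two challenges are constructed fixed values and the function names are my own.

```python
"""What the mschap with_ntdomain_hack option changes: only the UserName
input to the RFC 2759 ChallengeHash, never the RADIUS packet."""
import hashlib


def mschap_username(user_name, with_ntdomain_hack):
    """Return the string the server feeds into ChallengeHash. With the hack
    enabled a leading DOMAIN\\ is dropped for the calculation only; the
    User-Name attribute in the request is left exactly as received."""
    if with_ntdomain_hack and "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def challenge_hash(peer_challenge, authenticator_challenge, user_name):
    """ChallengeHash from RFC 2759 section 8.2: SHA-1 over PeerChallenge
    (16 octets), AuthenticatorChallenge (16 octets) and UserName, then the
    first 8 octets of the digest."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("challenges must be 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


# Constructed, fixed sample challenges so the example is repeatable; real
# ones are random per authentication.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def challenge_for(user_name, with_ntdomain_hack):
    """Challenge the server would use for this User-Name and setting."""
    return challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                          mschap_username(user_name, with_ntdomain_hack))


if __name__ == "__main__":
    # The supplicant hashes over the bare name; compare the server's two choices.
    client = challenge_for("brouco", False)
    for hack in (False, True):
        server = challenge_for("OPTARE\\brouco", hack)
        print("with_ntdomain_hack = %-3s server %s client %s match=%s"
              % ("yes" if hack else "no", server.hex(), client.hex(),
                 server == client))
```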


Re: Removing domain prefix from login

2011-11-09 Thread Alan Buxey
Hi,
I'm authenticating users in RADIUS against LDAP. If I log in from a computer
with 802.1X configured, with the user and password taken automatically from
the domain, the authentication goes wrong because the login has the following
string:

DOMAIN\\Users

How can I avoid RADIUS reading the prefix?

ntdomain with the 'hack' option set to yes. Stripped-User-Name
is then properly created; use that variable in the LDAP.

alan


Re: Removing domain prefix from login

2011-11-09 Thread Alan DeKok
Alejandro Gandara wrote:
 I'm authenticating users in RADIUS against LDAP. If I log in from a
 computer with 802.1X configured, with the user and password taken
 automatically from the domain, the authentication goes wrong because the
 login has the following string:
 
 DOMAIN\\Users
 
 How can I avoid RADIUS reading the prefix?

  You should be able to authenticate using just the user name, using
ntlm_auth.  See the examples in raddb/modules/ntlm_auth

 I've tried to introduce the prefix option in /etc/sites-enable/default,
 but it's giving me back errors because of the wrong way of introducing that line.

  Yes.  Don't define a realm.  It won't work.

  Post the debug output.  That helps, too.

  Alan DeKok.