How do I strip netbios-style domain name from User-Name?

Laker Netman laker_netman at yahoo.com
Mon Nov 28 19:23:29 CET 2005


My FR server is successfully receiving Access-Requests
from my wifi AP (XP supplicant) using PEAP/EAP-TLS. 
However, the received User-Name is formatted
"Domain\\User". I have read the docs regarding realms
and proxy.conf and believe the following should work:

(In radiusd.conf)
        realm MY-DOMAIN-NAME {
                format = prefix
                delimiter = "\\"
                ignore_default = yes
                ignore_null = yes
        }


(In proxy.conf)
realm DEFAULT {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

I have also tried "realm MY-DOMAIN-NAME" rather than
"DEFAULT" in proxy.conf with no difference.

"with_ntdomain_hack" is set to "no" wherever
referenced, as it is my understanding that using the
realms module is the preferred method (?)

My ldap filter is: filter = "(sAMAccountName=%u)"
and running with "-X" I get the following:

rad_recv: Access-Request packet from host 192.168.12.231:2057, id=0, length=156
        User-Name = "MY-DOMAIN-NAME\\username"
        NAS-IP-Address = 192.168.12.231
        Called-Station-Id = "000d0b6b9250"
        Calling-Station-Id = "000e356529b4"
        NAS-Identifier = "000d0b6b9250"
        NAS-Port = 56
        Framed-MTU = 1400
        State = 0x9eafe6f8023c0c59423b42f6c92b96f4
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300061900
        Message-Authenticator = 0xc8ce70994f2aba8a00f4ba8561979c20

... then ...

rlm_ldap: - authorize
rlm_ldap: performing user authorization for MY-DOMAIN-NAME\\username
radius_xlat:  '(sAMAccountName=MY-DOMAIN-NAME)'
radius_xlat:  'CN=Users,DC=mydomain,DC=branch,DC=corp'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=Users,DC=mydomain,DC=branch,DC=corp, with filter (sAMAccountName=MY-DOMAIN-NAME)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed

Authenticating via (hard-wired) telnet works as
expected and %u contains the username without any
domain prefix, of course.

A suggestion as to what I may have missed would be
appreciated.

TIA,
 Laker
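As an added illustration (not part of the post above, nor FreeRADIUS's own code): a small Python model of the prefix-style realm split that the radiusd.conf block asks for, followed by RFC 4515 escaping of the stripped name before it is interpolated into the sAMAccountName filter. It also handles the suffix ("user@realm") format and the no-delimiter case. Function names and the sample User-Name values are this example's own.

```python
# Constructed model of realm splitting as configured above
# (format = prefix, delimiter = "\\"); not FreeRADIUS source.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def split_realm(user_name, fmt="prefix", delimiter="\\"):
    """Return (stripped_user_name, realm).

    realm is None when the delimiter is absent or the realm part
    is empty, in which case the User-Name is returned untouched
    (the hard-wired telnet case in the post, where %u has no prefix).
    """
    if fmt == "prefix":          # DOMAIN\user
        realm, sep, user = user_name.partition(delimiter)
    elif fmt == "suffix":        # user@realm
        user, sep, realm = user_name.rpartition(delimiter)
    else:
        raise ValueError("fmt must be 'prefix' or 'suffix'")
    if not sep or not realm:
        return user_name, None
    return user, realm


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a backslash or parenthesis in the name alters the
    filter structure instead of being matched literally.
    """
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(user_name, **realm_opts):
    """Build the sAMAccountName filter from the stripped user name."""
    user, _realm = split_realm(user_name, **realm_opts)
    return "(sAMAccountName=%s)" % ldap_escape(user)


if __name__ == "__main__":
    # Sample User-Name values are constructed for this example.
    for name in ("MY-DOMAIN-NAME\\username", "username", "us*er"):
        print(name, "->", build_filter(name))
```

Compare the unescaped, unstripped form: `ldap_escape("MY-DOMAIN-NAME\\username")` yields `MY-DOMAIN-NAME\5cusername`, which never matches a sAMAccountName, which is why the prefix must be removed before the lookup.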





