AW: EAP identity - username check

Krämer Armin Kraemer.Armin at web.de
Wed Aug 9 17:43:29 CEST 2006


I had the same problem here and my only solution was to turn off this check
of the username. 

 

of the username. 

 

Ou only have to comment out the check_cert_cn  Entry at the eap.conf to
deaktivate this. Butt his turn of the check completely also for user
certificates. I changed the username from „host/username“ to „username$“
which is mostly needed using the mschap Modul aktivating
„with_ntdomain_hack“ and adding „mschap: “ to the needed authentication part
like ldap section or mysql section like 

(mschap:User-Name)

 

 

Maybe there is an other solution to fix that problem without deaktivate this
feature?

 

Armin

  _____  

Von: freeradius-users-bounces+kraemer.armin=web.de at lists.freeradius.org
[mailto:freeradius-users-bounces+kraemer.armin=web.de at lists.freeradius.org]
Im Auftrag von Carl Wahlin
Gesendet: Mittwoch, 9. August 2006 17:09
An: freeradius-users at lists.freeradius.org
Betreff: EAP identity - username check

 

Hello,

We are trying to get machine certificates to with freeradius for WLAN.

Problem:
We are using the sql user database plugin as we need to return attributes
(which vlan the user belongs to, QoS etc) and it all works fine untill we
install the certificates as machine certs. Windows changes the User-Name to
host/username and that causes the username not to be correct according to
what is in the database, and also the User-Name does not match the cn in the
cert. We can change the attribute with search and replace, but then EAP
gives us the error "identity does not match the User-Name, setting from EAP
Identity". 

Is there a way around this? It would be nice to be able to turn off the EAP
identity - User-Name check as we really do not think it is necesary in our
solution (and do not really see a security benifit of having it).

Any ideas?

/Carl




  _____  

With MSN Spaces email straight to your blog. Upload jokes, photos and more.
It's free! It's free!
<http://clk.atdmt.com/MSN/go/msnnksac0030000001msn/direct/01/?href=http://ww
w.imagine-msn.com/spaces> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060809/f7a13a55/attachment.html>


More information about the Freeradius-Users mailing list