PEAP problem when using domain suffix

Graham Marsh graham at netmarsh.com
Sun Jun 8 17:33:11 CEST 2008


----- Original Message ----- 
From: "Phil Mayers" <p.mayers at imperial.ac.uk>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Friday, June 06, 2008 8:17 PM
Subject: Re: PEAP problem when using domain suffix


> Phil Mayers wrote:
>> A.L.M.Buxey at lboro.ac.uk wrote:
>>> hi,
>>>
>>> you need to remove the domain suffix but you cannot
>>> play with the User-Name attribute or the response will
>>> be wrong - use the 'stripped-user-name' attribute
>>> for the authenticate step - and ensure that if you
>>> are querying an LDAP or AD et cin that stage that DOMAIN
>>> being used is the correct domain - either overwrite
>>> the value or set it to NULL
>>
>> The problem is that rlm_mschap always reads the "User-Name" attribute for 
>> generating the chal/resp i.e. when *not* using ntlm_auth.
>>
>> If "with_ntdomain_hack" is enabled, rlm_mschap strips prefix "domain\" 
>> but not suffix formats.
>>
>> Given that (in 2.0.3 at least) with_ntdomain_hack *only* controls the 
>> username string fed into the chal/resp code, it should really be on all 
>> the time, and be extended to handle suffix formats.
>
> I've written a small patch for 2.0.4 which fixes this:
>
> http://bugs.freeradius.org/show_bug.cgi?id=562
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html

That's amazing; thanks for the quick update; would you be so kind as to 
provide a very quick HowTo in order to get this implemented...my guess is 
something like this:

- download the source of 2.0.4
- merge the patch (but I'm a bit vague on this point - unless you've merged 
it already)
- compile it (also a bit vague on updating an existing implementation and 
doing make install or whatever)
- test

cheers
gm 




More information about the Freeradius-Users mailing list