Some help with etc_smbpasswd auth and eap ttls
A.L.M.Buxey at lboro.ac.uk
Wed Jan 7 10:20:19 CET 2009
Hi,
> I have configured everything and gotten free radius to authenticate off
> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
> run into is when I switch the securew2 windows xp eap-ttls client to use
> the current logged on user credentials. Then, SecureW2 sends the
> username in the format of DOMAIN/user (which in this case is HTN/josh).
> Authentication then fails because of this extra domain part in the user.
> Ok fine, I first enable the nt_domain_hack in the mschap module then I
> configured realm ntdomain and simply set a default realm in proxy.conf
> to strip off the domain part. Nope, that fails (output will be included
> below). I also tried nostrip but that also fails obviously. Also tried
> silently stripping the domain in pre-process in radiusd.conf. Auth is
> successful but finally rejected because the user doesn't match the
> original HTN/josh user sent.
You need to look at using the Stripped-User-Name rather than just the
User-Name (because that contains the REALM/ stuff).
Alternatively, you can specify in proxy.conf to proxy anything with
REALM/ to your RADIUS server with realm stripping on - this should
send the request back to your server with just User-Name plain,
but it's not clean. As Alan DeKok states, this sort of thing is very
nice in 2.x FreeRADIUS, it just works(tm)
alan
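
The lookup suggested in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code: a simplified Python model in which realm handling adds Stripped-User-Name while leaving User-Name as the client sent it, and the smbpasswd lookup keys on the stripped name. The "/" delimiter, the KNOWN_REALMS set, the function names and the sample smbpasswd line are assumptions constructed for illustration.

```python
# Added illustration: a simplified model, not FreeRADIUS source code.

# Constructed sample in smbpasswd layout; both hash fields are made-up values.
SMBPASSWD = """\
josh:1000:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-00000000:
"""

KNOWN_REALMS = {"HTN"}  # realms the server recognises (assumed for the example)


def split_realm(request, delimiter="/"):
    """Prefix-style realm handling: add Realm and Stripped-User-Name,
    and leave User-Name exactly as the client sent it."""
    attrs = dict(request)
    realm, sep, user = attrs["User-Name"].partition(delimiter)
    # Only strip when there is a delimiter, a non-empty user and a known realm.
    if sep and user and realm in KNOWN_REALMS:
        attrs["Realm"] = realm
        attrs["Stripped-User-Name"] = user
    return attrs


def load_smbpasswd(text):
    """Map account name -> NT hash from smbpasswd-format lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            table[fields[0]] = fields[3]
    return table


def lookup_nt_hash(attrs, table):
    """Key the lookup on Stripped-User-Name when present, else on User-Name."""
    key = attrs.get("Stripped-User-Name", attrs["User-Name"])
    return table.get(key)


if __name__ == "__main__":
    table = load_smbpasswd(SMBPASSWD)
    req = split_realm({"User-Name": "HTN/josh"})
    print(req)
    print("lookup by User-Name:", table.get(req["User-Name"]))
    print("lookup by Stripped-User-Name:", lookup_nt_hash(req, table))
```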