Trying to strip the Windows Domain name from a login
Alan DeKok
aland at deployingradius.com
Sat Jan 22 08:56:16 CET 2011
Brett Littrell wrote:
> I am trying to strip the domain name from a userid in the most
> efficient way possible. I am using version 2.1.1.
See the "realms" module, and the "realm" definition in raddb/proxy.conf.
> I am using MSChapV2
Then stripping the realm isn't a good idea. The User-Name is used as
part of the MS-CHAPv2 calculations, so changing it will make the
authentication fail.
> I then found another reference to strip the domain from the LDAP
> module as shown below:
> filter = "(cn=%{mschap:User-Name:-%{User-Name}}
This is wrong. You're not closing the opening bracket:
filter = "(cn=%{mschap:User-Name:-%{User-Name}})"
> and it seems to pass the correct username to
> the LDAP server. It looks like there is some other place I need to strip
> the domain besides the LDAP lookup, that or the replies are using the
> stripped name and it is failing that way as well. Either way it still
> is not working. If I un-comment the stripped-user-name and use a
> supplicant that strips the domain prior to sending it, it does work, so
> RADIUS is working, just not with the standard Windows supplicant on XP.
If you're using EAP, you *really* don't want to strip the User-Name.
It will make EAP fail.
> And yes, I am pretty new to FreeRADIUS.
What you want is to change the *ldap* lookup so that it uses only the
name portion of the User-Name. *Don't* edit the User-Name.
And move the LDAP lookup to the "inner-tunnel" configuration. That's
what it's for. Don't do LDAP lookups in raddb/sites-available/default.
Alan DeKok.
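An added illustration, not part of the thread above: a small Python model of how the corrected filter line `filter = "(cn=%{mschap:User-Name:-%{User-Name}})"` gets expanded, showing that the domain prefix is dropped only inside the LDAP lookup while the request's User-Name stays untouched (which is what keeps MS-CHAPv2 and EAP working). The behaviour attributed to `%{mschap:User-Name}` (return the part after the backslash of `DOMAIN\user`, otherwise the whole name) and to the `:-` fallback operator is my reading of FreeRADIUS, stated here as an assumption; the RFC 4515 escaping is added as a defensive measure, since a value interpolated into a search filter can otherwise change the filter's structure.

```python
# Added example, not FreeRADIUS code. Models the expansion of
#   filter = "(cn=%{mschap:User-Name:-%{User-Name}})"
# The %{mschap:User-Name} and ":-" semantics below are assumptions about
# FreeRADIUS behaviour, not taken from its source.

# RFC 4515 escaping for values placed inside an LDAP search filter. Without
# it, a User-Name containing ')' or '*' could alter the filter's meaning.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a single filter value per RFC 4515."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def mschap_user_name(user_name: str) -> str:
    """Model of %{mschap:User-Name} (assumed behaviour): for 'DOMAIN\\user'
    return 'user'; with no backslash return the name unchanged; return ''
    when there is nothing usable so the ':-' fallback can take over."""
    if not user_name:
        return ""
    _, sep, name = user_name.partition("\\")
    return name if sep else user_name


def expand_ldap_filter(request: dict) -> str:
    """Expand the corrected filter against a request dict of attributes.
    ':-' uses the right-hand expansion only when the left-hand one is empty.
    The request is read, never modified: User-Name keeps its domain prefix."""
    user_name = request.get("User-Name", "")
    name = mschap_user_name(user_name) or user_name
    return f"(cn={ldap_escape(name)})"


if __name__ == "__main__":
    # Constructed sample requests, as the inner-tunnel virtual server sees them.
    for req in ({"User-Name": "CORP\\bob"},
                {"User-Name": "bob"},
                {"User-Name": "bob)(uid=*"}):
        print(req["User-Name"], "->", expand_ldap_filter(req))
```

Running it prints `(cn=bob)` for both `CORP\bob` and `bob`, and shows the special characters in the third constructed name neutralised rather than becoming part of the filter grammar.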