Credentials format in Windows supplicant

Phil Mayers p.mayers at imperial.ac.uk
Fri Jun 10 17:17:27 CEST 2011


On 10/06/11 15:32, joanroldan wrote:
> Hi everybody,
>
> I have taken a look at this post:
>
> http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html

The issue mentioned in that post was fixed in 2.1.10.

Are you running 2.1.10?

>
> And I totally agree with the behaviours described in the table.

Do you? That table does NOT contain:

user@domain

...format credentials.

>
> I have been experiencing the same.  If I type the credentials at the prompt of
> the Windows supplicant like
>
> MYDOMAIN.COM\user
> password
>
> The request is accepted:
>
> Fri Jun 10 15:58:51 2011 : Info: ++[eap] returns ok
> Fri Jun 10 15:58:51 2011 : Auth: Login OK: [IRTA_NT\\jroldan/<via Auth-Type
> = EAP>] (from client WLC_SSCC port 1 cli 00-26-B6-59-F1-EA)
>
> But if I type
>
> user@mydomain.com
> password
>
> I get the next info:

This is not useful. Please show a full debug, from running "radiusd -X | tee log".

> As the configuration of freeradius is for eduroam purposes, it would be nice
> if users entered the credentials like user@domain.com, and depending on the
> domain the request would be proxied or not.
>
> Is it possible to use this format instead of the NT domain?

Yes, you just need to configure it appropriately. I suspect your 
problem is that your "ntlm_auth" line is expanding to:

  ntlm_auth --username=user@domain ...

...which won't work. %{mschap:User-Name} only handles

DOMAIN\user
host/name.domain.com
plainuser

...it does NOT handle:

user@domain

...but it maybe (probably?) should.


Since a virtual server which is handling eduroam should *ALWAYS* see user@domain, you can write something like this in "inner-tunnel":

authorize {

   if (User-Name =~ /^([^@]*)@(.+)$/) {
     update request {
       Stripped-User-Name := "%{1}"
       Realm := "%{toupper:%{2}}"
     }
   }
   else {
     reject
   }

   # FIXME: you should check the Realm here is one of yours

   # ...other modules
}

...and then in modules/mschap, the "ntlm_auth" config:

   --username=%{Stripped-User-Name:-%{mschap:User-Name}}

...which will expand as follows:

user@domain -> --username=user
DOMAIN\user -> --username=user
user        -> --username=user
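The policy above and the fallback xlat are easiest to reason about when the three username formats are run through them side by side. The following is an added example (not code from the post or from FreeRADIUS itself): it models, in Python, the "inner-tunnel" authorize block, the `%{mschap:User-Name}` expansion as the post describes it, and the `%{Stripped-User-Name:-%{mschap:User-Name}}` fallback, so you can see which `--username=` value ntlm_auth would receive for each input and why the unstripped user@domain form fails. The realm whitelist `LOCAL_REALMS` is a constructed placeholder standing in for the FIXME in the post, and the passthrough of host/ names is an assumption.

```python
import re

# Constructed placeholder for the post's FIXME: the realms this server is
# authoritative for. A real deployment substitutes its own list.
LOCAL_REALMS = {"MYDOMAIN.COM"}

# The regex from the post's inner-tunnel policy: local part, "@", realm.
USER_AT_DOMAIN = re.compile(r"^([^@]*)@(.+)$")


def mschap_user_name(user_name):
    """Model of the %{mschap:User-Name} expansion as the post describes it.

    DOMAIN\\user        -> user
    host/name.domain.com -> unchanged (assumption: machine names pass through)
    plainuser          -> plainuser
    user@domain        -> unchanged, i.e. NOT handled (the cause of the failure)
    """
    if user_name.startswith("host/"):
        return user_name
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def inner_tunnel_authorize(request):
    """Model of the authorize {} block from the post.

    Splits user@domain into Stripped-User-Name and an upper-cased Realm and
    rejects anything that does not match; the extra realm check stands in
    for the post's FIXME. Returns the updated request, or None for reject.
    """
    m = USER_AT_DOMAIN.match(request["User-Name"])
    if not m:
        return None  # "else { reject }" in the policy
    stripped, realm = m.group(1), m.group(2).upper()  # %{toupper:%{2}}
    if realm not in LOCAL_REALMS:
        return None  # realm is not one of ours
    updated = dict(request)
    updated["Stripped-User-Name"] = stripped
    updated["Realm"] = realm
    return updated


def ntlm_auth_username(request):
    """Model of --username=%{Stripped-User-Name:-%{mschap:User-Name}}.

    Uses Stripped-User-Name when the policy set it, otherwise falls back to
    the mschap expansion of User-Name.
    """
    stripped = request.get("Stripped-User-Name")
    if stripped:
        return "--username=" + stripped
    return "--username=" + mschap_user_name(request["User-Name"])


if __name__ == "__main__":
    # Constructed sample names covering every format discussed in the thread.
    for name in ["jroldan@mydomain.com", "user@other.example",
                 "MYDOMAIN\\jroldan", "jroldan", "host/pc1.mydomain.com"]:
        req = {"User-Name": name}
        after_policy = inner_tunnel_authorize(req)
        verdict = "reject" if after_policy is None else "ok"
        print(f"{name:28} policy={verdict:6} xlat={ntlm_auth_username(after_policy or req)}")
```

Note that `[^@]*` accepts an empty local part, so "@realm" passes the policy with an empty Stripped-User-Name; tighten it to `[^@]+` if that matters to you. The last line of the demo deliberately runs the xlat on the unmodified request for rejected names, which is how you can see the raw `--username=user@domain` expansion that the post identifies as the problem.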
