Error: User-Name is not the same as MS-CHAP name

Phil Mayers p.mayers at imperial.ac.uk
Mon May 30 15:55:03 CEST 2011


On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
>>
>>There's no guarantee that STAFF\john and STUDENT\john are the same 
>>person; you can't just ignore the fact that the client has changed 
>>their username.
>>
>True.  But I don't think it is possible to send a different Username in 
>EAP-Identity and MSChap Username in the same EAP session since the 
>second is derived from the first.  I have seen such a setup where you have 
>two domains; RADIUS would use the Realm to differentiate the two.

For a legit client, yes. A malicious client can send anything it wants.

>
>Is there a way we could work around this hard-coded check since in our 
>case, we only have "one john"?

Sure; the check is just one line; grep the source code for it and 
comment it out.

What I really want to understand is, whether the check is too strict and 
FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will 
try to check this tomorrow.

e.g. maybe the check should be:

def check(eap, mschap):
    # Exact match: the strict check as it exists today.
    if eap.username == mschap.username:
        return "ok"
    # Client put no domain in the MS-CHAP name: also accept the
    # realm-stripped identity (Stripped-User-Name).
    elif not mschap.domain:
        if eap.stripped_user_name == mschap.username:
            return "ok"
        return "reject"
    # Client sent a domain-qualified name that differs: reject.
    else:
        return "reject"

I will try to investigate this tomorrow when I get back to the office.
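The relaxed check sketched above, worked through as an added example that is not FreeRADIUS code and not part of the original message. It assumes the MS-CHAP name field may arrive as DOMAIN\user, user@realm or a bare user, derives the "stripped" identity the same way a realm module would, and runs over constructed sample identities; the function and helper names are invented here.

```python
# Added example (not FreeRADIUS code): model of the relaxed User-Name vs
# MS-CHAP name check from the message above. Helper names, the identity
# shapes handled and the sample inputs are assumptions made for this example.
from collections import namedtuple

Result = namedtuple("Result", ["decision", "reason"])


def split_identity(identity):
    """Split an identity into (domain, user, realm).

    Handles NT-style 'DOMAIN\\user' and 'user@realm'; a bare 'user'
    yields (None, 'user', None). This mirrors what a realm module would
    leave in Stripped-User-Name.
    """
    domain = realm = None
    user = identity
    if "\\" in user:
        domain, user = user.split("\\", 1)
    if "@" in user:
        user, realm = user.rsplit("@", 1)
    return domain, user, realm


def check_names(eap_identity, mschap_name):
    """Decide whether the MS-CHAP name is consistent with EAP-Identity.

    eap_identity : the EAP-Identity (User-Name) exactly as the client sent it.
    mschap_name  : the name field from the MS-CHAP2 response, as sent.
    Returns Result('ok' | 'reject', reason).
    """
    # 1. Exact match: the strict check that exists today.
    if eap_identity == mschap_name:
        return Result("ok", "exact match")

    mschap_domain, _, _ = split_identity(mschap_name)

    # 2. No domain in the MS-CHAP name: accept the realm-stripped EAP
    #    identity, which is what a client dropping its realm produces.
    if not mschap_domain:
        _, stripped, _ = split_identity(eap_identity)
        if stripped == mschap_name:
            return Result("ok", "stripped EAP identity matches")
        return Result("reject", "stripped EAP identity differs")

    # 3. Client sent a domain-qualified name that is not the EAP identity:
    #    STAFF\john and STUDENT\john may be different accounts, so reject.
    return Result("reject", "domain-qualified MS-CHAP name differs")


# Constructed sample pairs (EAP-Identity, MS-CHAP name) for illustration.
SAMPLES = [
    ("john", "john"),                       # ok: exact
    ("john@example.org", "john"),           # ok: realm stripped
    ("STAFF\\john", "john"),                # ok: domain stripped
    ("STAFF\\john", "STUDENT\\john"),       # reject: different domain
    ("john", "STAFF\\john"),                # reject: domain added
    ("alice@example.org", "john"),          # reject: different user
]


def run_samples():
    """Return the decision for every constructed sample pair."""
    return [check_names(eap, ms).decision for eap, ms in SAMPLES]


if __name__ == "__main__":
    for (eap, ms), decision in zip(SAMPLES, run_samples()):
        print(f"{eap!r:22} vs {ms!r:16} -> {decision}")
```

The point of splitting the MS-CHAP name before deciding is that the relaxation only applies when the client dropped a domain or realm; a client that sends a different domain-qualified name is still rejected, which is the case the original strict check was guarding against.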
