Working around broken EAP client

Gordon Ross gr306 at ucs.cam.ac.uk
Tue Jun 11 11:39:01 CEST 2013


I'm using FreeRADIUS 2.1.10 as supplied with Ubuntu 12.04.

I'm wanting to use Freeradius to authenticate 802.1x clients. However, one client I need to authenticate I believe is "broken", in that it's stripping the suffix on the inner identity.

From running freeradius -X I see:

[mschap] ERROR: User-Name (68983 at phone.cam.ac.uk) is not the same as MS-CHAP Name (68983) from EAP-MSCHAPv2

Putting the same credentials into an iPhone allows the iPhone to sign onto the network without problems. So I feel it's the client that's broken, and not my freeradius setup.

I've seen some warnings that fixing the identity mismatch is a Bad Idea, but I need to get this client to work.

I found a page[1] that has a similar problem, but for Windows domain prefixes being stripped. It suggests that adding:

if ( User-Name =~ /^machine.*/ ) {
     update request {
         MS-CHAP-User-Name = "%{request:User-Name}"
     }
}

to the inner configuration will fix it.

Is it possible to do something similar to add the suffix if it's missing?

Thanks,

GTG
-- 
Gordon Ross

[1] http://www.packetfence.org/support/faqs/article/authentication-error-user-name-is-not-the-same-as-ms-chap-name-from-eap-mschapv2.html?no_cache=1&cHash=557619254a0e733446140dcefbced985
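
A log-triage sketch for the mismatch error quoted in the message above, added here as an example and not part of the original post or of FreeRADIUS: it parses `freeradius -X` lines of that form and separates a name that only lost its realm suffix or domain prefix from one that names a different user. The function names, the category labels and every sample line except the first are constructed for illustration.

```python
import re

# Shape of the rlm_mschap error line quoted in the post.
MISMATCH = re.compile(
    r"\[mschap\] ERROR: User-Name \((?P<user_name>.+?)\) is not the same as "
    r"MS-CHAP Name \((?P<mschap_name>.+?)\) from EAP-MSCHAPv2"
)

def _parts(name):
    """Split DOMAIN\\user@realm into (domain prefix, bare user, realm suffix)."""
    prefix, _, rest = name.rpartition("\\")
    bare, _, realm = rest.partition("@")
    return prefix, bare, realm

def classify(line):
    """Return (kind, user_name, mschap_name) for a mismatch line, else None."""
    m = MISMATCH.search(line)
    if not m:
        return None
    # Mail archives rewrite "@" as " at "; undo that before comparing.
    user = m["user_name"].replace(" at ", "@").strip()
    mschap = m["mschap_name"].replace(" at ", "@").strip()
    u_prefix, u_bare, u_realm = _parts(user)
    m_prefix, m_bare, m_realm = _parts(mschap)
    if u_bare != m_bare:
        kind = "different-user"      # not a decoration problem: investigate
    elif u_realm and not m_realm and u_prefix == m_prefix:
        kind = "realm-stripped"      # the case described in the post
    elif u_prefix and not m_prefix and u_realm == m_realm:
        kind = "domain-stripped"     # the Windows case from the linked FAQ
    else:
        kind = "decoration-differs"
    return kind, user, mschap

def triage(lines):
    """Classify every mismatch line in an iterable of log lines."""
    return [r for r in map(classify, lines) if r is not None]

# Sample input: the first line is the one from the post, the rest are constructed.
SAMPLE = [
    "[mschap] ERROR: User-Name (68983 at phone.cam.ac.uk) is not the same as MS-CHAP Name (68983) from EAP-MSCHAPv2",
    "[mschap] ERROR: User-Name (EXAMPLE\\machine01) is not the same as MS-CHAP Name (machine01) from EAP-MSCHAPv2",
    "[mschap] ERROR: User-Name (alice@example.org) is not the same as MS-CHAP Name (bob) from EAP-MSCHAPv2",
    "[eap] Request found, released from the list",
]

if __name__ == "__main__":
    for kind, user, mschap in triage(SAMPLE):
        print(f"{kind:18} User-Name={user!r} MS-CHAP-Name={mschap!r}")
```

Only the "different-user" rows are mismatches where the two names refer to different accounts; the other categories are the stripped-decoration cases the post and the linked FAQ describe.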

