Proxy.conf realms

Phil Mayers p.mayers at imperial.ac.uk
Sat Mar 16 14:21:15 CET 2013


On 03/15/2013 10:47 PM, Matthew Ceroni wrote:
> Well I found something that appears to work. I used the hints file. And
> it correctly stripped off the host/ and domain.local.
>
> However now I get the error
>
> [eap] Identity does not match User-Name, setting from EAP Identity
> [eap] Failed in handler

Modifying the "User-Name" attribute is a bad idea. It will, as you have 
seen, break EAP.

Use another attribute - maybe define your own local one (see 
raddb/dictionary and pay attention to the comments about numbering).

You were previously using Stripped-User-Name - just keep using that, and 
move the "unlang" you wrote to the top of the "authorize" section i.e.:

authorize {
   if (User-Name =~ /^h.../) {
     ...
   }
   ...
}

One other alternative is to leave the username alone, and use the xlat 
provided by the mschap module; specifically this:

%{mschap:User-Name}

...will expand this:

host/name.domain.com

...to this:

name$

Note the trailing dollar sign, which is Windows-speak for "machine 
account". This is required if, for example, you use Samba/ntlm_auth, 
which requires "--username=host$" as the CLI argument.

I'm not sure what any of this has to do with the subject line, btw...
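
Added example, not part of the original post and not the poster's own configuration: an mschap module fragment that leaves User-Name untouched and passes the %{mschap:User-Name} expansion described above to ntlm_auth. The file location, the /path/to/ntlm_auth placeholder and the --challenge/--nt-response arguments are assumptions modelled on a typical ntlm_auth setup.

```conf
# mschap module configuration (file location is an assumption,
# e.g. raddb/modules/mschap)
mschap {
	# User-Name is not rewritten anywhere, so the EAP module still sees
	# the same value as the EAP Identity and its consistency check passes.
	#
	# Only the value handed to ntlm_auth is normalised by the xlat:
	#   host/name.domain.com  ->  name$
	# The trailing "$" marks a machine account, which ntlm_auth expects
	# in --username for machine authentication.
	#
	# /path/to/ntlm_auth is a placeholder; replace it with the real path.
	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Running the server in debug mode (radiusd -X) shows the expanded --username value, which confirms what ntlm_auth actually receives.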

