Proxy.conf realms

Matthew Ceroni matthewceroni at gmail.com
Sat Mar 16 17:24:36 CET 2013


Thanks. I will try this.

The subject line was because I was trying to match it to a realm and
thought by doing it that way I could get it to strip off what I needed.

On Saturday, March 16, 2013, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 03/15/2013 10:47 PM, Matthew Ceroni wrote:
>>
>> Well I found something that appears to work. I used the hints file. And
>> it correctly stripped off the host/ and domain.local.
>>
>> However now I get the error
>>
>> [eap] Identity does not match User-Name, setting from EAP Identity
>> [eap] Failed in handler
>
> Modifying the "User-Name" attribute is a bad idea. It will, as you have seen, break EAP.
>
> Use another attribute - maybe define your own local one (see raddb/dictionary and pay attention to the comments about numbering).
>
> You were previously using Stripped-User-Name - just keep using that, and move the "unlang" you wrote to the top of the "authorize" section i.e.:
>
> authorize {
>   if (User-Name =~ /^h.../) {
>     ...
>   }
>   ...
> }
>
> One other alternative is to leave the username alone, and use the xlat provided by the mschap module; specifically this:
>
> %{mschap:User-Name}
>
> ...will expand this:
>
> host/name.domain.com
>
> ...to this:
>
> name$
>
> Note the trailing dollar sign, which is Windows-speak for "machine account". This is required if, for example, you use Samba/ntlm_auth, which requires "--username=host$" as the CLI argument.
>
> I'm not sure what any of this has to do with the subject line, btw...


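The two approaches from the quoted reply, written out as an added example that is not part of the original thread or of the FreeRADIUS default configuration. The regex, the module order shown, and the `/path/to/ntlm_auth` placeholder are assumptions to adapt to the local setup.

```unlang
# Option 1: virtual server, top of the authorize section
authorize {
    # Leave User-Name exactly as the supplicant sent it; the eap module
    # compares it with the EAP identity and fails when they differ.
    # Put the short name in Stripped-User-Name instead.
    # Assumed regex: "\/" is the escaped slash after "host", and "[.]"
    # matches a literal dot without relying on backslash escaping.
    if (User-Name =~ /^host\/([^.]+)[.]/) {
        update request {
            # host/name.domain.com -> name
            # (append "$" here if this value is later passed to ntlm_auth)
            Stripped-User-Name := "%{1}"
        }
    }

    preprocess
    mschap
    eap
    # rest of the existing authorize section, unchanged
}

# Option 2: mschap module configuration
mschap {
    # No rewriting in authorize at all: the mschap xlat expands
    # host/name.domain.com to name$ when the command line is built.
    ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Running the server in debug mode (`radiusd -X`) shows the expanded `--username` value, which confirms which name actually reaches ntlm_auth.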