How can I change proxy based on username?

John Horne john.horne at plymouth.ac.uk
Tue Mar 26 17:19:45 CET 2013


On Tue, 2013-03-26 at 15:35 +0000, Phil Mayers wrote:
> On 26/03/2013 15:12, John Horne wrote:

> >> What is the upstream proxy?
> >>
> > Microsoft domain controller (DC).
> 
> As in, Microsoft NPS running on a DC?
> 
As far as I know, yes. I don't deal with the Microsoft side of this.

> 
> Just to check I understand you - you currently have an NPS instance that 
> will successfully authenticate:
> 
> jbloggs
> j.bloggs at domain
> 
> ...but fails on:
> 
> jbloggs at domain
> 
> Correct?
> 
No. At present it will authenticate 'jbloggs' and 'jbloggs at domain'. We
want to have it authenticate 'jbloggs' and 'j.bloggs at domain', but
because 'jbloggs at domain' currently works, we need to cater for it but
have to do this by stripping the realm (so it becomes just 'jbloggs').
Don't ask me 'why', I gather that the DC can recognise a userid (such as
'jbloggs') and the UPN ('j.bloggs at domain'), but it cannot recognise
three formats. So we need to change 'jbloggs at domain' to just 'jbloggs'.

Trying to change 'jbloggs at domain' to 'j.bloggs at domain' may be possible,
but we would have to start doing LDAP lookups to dig out the info.
Secondly, of course, is that we would be changing the 'User-Name' sent
to the DC, so I assume EAP would break again.

> > However, we have to cater for a mixed format of
> > 'jbloggs at plymouth.ac.uk', which is currently used by some users and
> > working. To do this we need to strip off the realm so that the DC will
> > recognise just the userid part ('jbloggs').
> 
> But as you say, this ought to cause EAP failures, so it's useless?
>
If I can't get 'jbloggs at domain' stripped of the domain, then yes it
could all be useless.




John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001



More information about the Freeradius-Users mailing list