FreeRadius MSCHAP Authentication With Realm Fails
Phil Mayers
p.mayers at imperial.ac.uk
Fri Mar 14 12:54:45 CET 2014
On 14/03/14 11:24, T I wrote:
> Hi
> I have FreeRadius 2.0 server with AD as user store. Authenticating using
> EAP-PEAP-MSCHAP2. Local realm is defined in proxy.conf. Authentication
> works fine without realm added to the username. As soon as I
> authenticate using username with realm, i.e. username at realm.com,
> authentication fails. The reason for failure is clear, it fails because
> radius server mschap module creates challenge hash with username which
> includes realm.
> I need the radius mschap module to create hash from stripped username,
> i.e. which doesn't include the realm. Any ideas?
You need to strip the realm in the inner-tunnel virtual server. Either
run the "suffix" module there:
    server inner-tunnel {
        authorize {
            ...
            suffix
            ...
        }
    }
...or strip it with unlang:
    server inner-tunnel {
        authorize {
            ...
            if (User-Name =~ /^(.*)@(.+)$/) {
                update request {
                    Stripped-User-Name := "%{1}"
                }
            }
            ...
        }
    }
Both methods have different advantages; see the list archives for
discussion of manual stripping versus using the "realm" module.
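
Added example, not part of the original post and not FreeRADIUS code: a Python sketch of the RFC 2759 ChallengeHash, showing that the 8-octet challenge changes when the realm is left on the username, so both ends must hash the same form of the name. The challenge values are the RFC 2759 section 9.2 test vector; the realm "realm.example" and the helper names are assumptions made for illustration.

```python
import hashlib
import re

# Same pattern as the unlang condition in the reply above. The first group is
# greedy, so a name with several "@" characters is split at the last one.
REALM_RE = re.compile(r"^(.*)@(.+)$")

# RFC 2759 section 9.2 test vector (UserName "User").
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")


def strip_realm(user_name: str) -> str:
    """Return the value the unlang rule would put in Stripped-User-Name."""
    match = REALM_RE.match(user_name)
    return match.group(1) if match else user_name


def challenge_hash(peer: bytes, auth: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2: first 8 octets of SHA1(peer || auth || UserName)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("peer and authenticator challenges must be 16 octets")
    # RFC 2759 defines UserName as ASCII characters.
    digest = hashlib.sha1(peer + auth + user_name.encode("ascii")).digest()
    return digest[:8]


def compare(sent_name: str) -> tuple[bytes, bytes]:
    """Challenge computed over the name as sent versus over the stripped name."""
    as_sent = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, sent_name)
    stripped = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, strip_realm(sent_name))
    return as_sent, stripped


if __name__ == "__main__":
    # Constructed input: the test-vector user with a hypothetical realm appended.
    as_sent, stripped = compare("User@realm.example")
    print("hashed with realm   :", as_sent.hex())
    print("hashed without realm:", stripped.hex())
    print("match:", as_sent == stripped)
```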