MSCHAP Machine/User Authentication with Windows

Tynan Young tynany at gmail.com
Tue May 12 01:28:41 CEST 2015


On Mon, May 11, 2015 at 7:48 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Mon, May 11, 2015 at 05:18:06PM +1000, Tynan Young wrote:
>> I have a near default freeradius3 setup using NTLM to authenticate our
>> PEAP MSCHAP wireless clients. Non-windows machines work fine (mac,
>> phones etc), but I'm having difficulty getting Windows 7/8
>> authenticated using machine authentication or user authentication.
>
> ...
>
>> Received Access-Request Id 221 from 172.17.6.253:32985 to
>> 192.168.254.181:1812 length 218
>> User-Name = 'TESTDOMAIN\\testuser'
>> NAS-IP-Address = 172.17.6.253
> ...
>> (10)   authorize {
>> (10)   filter_username filter_username {
>> (10)     if (User-Name != "%{tolower:%{User-Name}}")
>> (10) EXPAND %{tolower:%{User-Name}}
>> (10)    --> testdomain\\testuser
>> (10)     if (User-Name != "%{tolower:%{User-Name}}")  -> TRUE
>> (10)    if (User-Name != "%{tolower:%{User-Name}}")  {
>> (10)     [reject] = reject
>> (10)    } # if (User-Name != "%{tolower:%{User-Name}}")  = reject
>> (10)   } # filter_username filter_username = reject
>> (10)  } #  authorize = reject
>> (10) Invalid user: [TESTDOMAIN\\testuser] (from client
>> ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73)
>
> This.
>
> Look at raddb/policy.d/filter, and ensure the unlang in
> "filter_username" that is to reject mixed-case usernames is
> commented out.
>
> Or upgrade to v3.0.8, where this issue is fixed.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

Great, thanks for that. Commenting out the mixed-case reject component
fixed the issue for user authentication.
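
The rejection pattern in the debug excerpt quoted above can be spotted mechanically. The following Python sketch is an added example, not part of the original thread or of FreeRADIUS: it scans debug output in the quoted format for requests that filter_username rejected because the tolower comparison was TRUE. The names `find_case_rejects` and `SAMPLE_DEBUG`, and the request (11) lines, are constructed for illustration.

```python
import re

# Request (10) lines are the ones quoted in the thread (wrapped lines rejoined).
# Request (11) lines are constructed: an all-lowercase name that passes the check.
SAMPLE_DEBUG = r"""
(10)   authorize {
(10)   filter_username filter_username {
(10)     if (User-Name != "%{tolower:%{User-Name}}")
(10) EXPAND %{tolower:%{User-Name}}
(10)    --> testdomain\\testuser
(10)     if (User-Name != "%{tolower:%{User-Name}}")  -> TRUE
(10)    if (User-Name != "%{tolower:%{User-Name}}")  {
(10)     [reject] = reject
(10)    } # if (User-Name != "%{tolower:%{User-Name}}")  = reject
(10)   } # filter_username filter_username = reject
(10)  } #  authorize = reject
(10) Invalid user: [TESTDOMAIN\\testuser] (from client ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73)
(11)   authorize {
(11)   filter_username filter_username {
(11)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11)   } # filter_username filter_username = notfound
"""

REQ = re.compile(r"^\((\d+)\)\s*(.*)$")          # "(10)   text" -> id, text
COND_TRUE = re.compile(r'if \(&?User-Name != "%\{tolower:%\{User-Name\}\}"\)\s*->\s*TRUE')
POLICY_REJECT = re.compile(r"\} # filter_username filter_username = reject")
INVALID = re.compile(r"Invalid user: \[(.*?)\]")  # user name as logged

def find_case_rejects(debug_text):
    """Return {request_id: user_name} for requests rejected by the mixed-case check."""
    state = {}  # request id -> flags collected while walking that request's lines
    for line in debug_text.splitlines():
        m = REQ.match(line.strip())
        if not m:
            continue
        rid, rest = int(m.group(1)), m.group(2)
        s = state.setdefault(rid, {"cond": False, "reject": False, "user": None})
        if COND_TRUE.search(rest):
            s["cond"] = True          # User-Name differed from its lowercase form
        elif POLICY_REJECT.search(rest):
            s["reject"] = True        # the policy as a whole returned reject
        elif INVALID.search(rest):
            s["user"] = INVALID.search(rest).group(1)
    return {rid: s["user"] for rid, s in state.items() if s["cond"] and s["reject"]}

if __name__ == "__main__":
    print(find_case_rejects(SAMPLE_DEBUG))
```

A request is reported only when both the TRUE comparison and the policy-level reject appear under the same request number, so rejects from other parts of filter_username are not attributed to the case check.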

