Thank you Phil. I didn't have time to test it yet. <br><br>I had to install a previous release so I modified the cb.c function. I know what I've done is awful but it was a extreme solution. I'll test yours next week and reinstall the server as soon as posible.
<br><br>Thanks again<br><br><div><span class="gmail_quote">2006/6/7, Phil Mayers <<a href="mailto:p.mayers@imperial.ac.uk">p.mayers@imperial.ac.uk</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
wekz wrote:<br>> And if they are, what efect has with_ntdomain_hack=yes. Does it affect<br>> to all??<br>><br>> Well, Hi you all I hope haven't been too direct ;)<br>><br>> I'll getting more troubles as I do more complex configurations.
<br>><br>> I ask this because first I had to authenticate users by machine<br>> authentication. The users in this case sends User-Name like<br>> host/username and the only way I found for working this out was to use
<br>> ntdomain realm with "/" as the delimiter and enable with_ntdomain_hack.<br>> The other options stripes the User-Name but then packets doesn't match<br>> EAP-Identity ( at least one of them ), that is why I used ntdomain, for
<br><br>Yes, this is a pain. The correct thing to do is below<br><br>> being able to use with_ntdomain_hack.<br><br>FreeRadius 1.1.0 has code to do this for you - it will take names of the<br>form "host/blah" and turn them into "blah$" *IF* you are using the
<br>"%{mschap:User-Name}" expansion. The "%{User-Name}" is left alone,<br>meaning EAP carries on working.<br><br>><br>> Now I've got pda-users that sends domain\username and if I don't use<br>> ntdomain & with_ntdomain_hack it fails. So, that's why I ask if multiple
<br>> ntdomains are allowed and how.<br><br>Again, this is annoying.<br><br>The best way I've found is to have this:<br><br>proxy.conf (contains only "real" domains)<br><br>realm THEDOMAINNAME {<br> type = radius
<br> authhost = LOCAL<br> accthost = LOCAL<br> # see [1] for strip<br> strip<br>}<br><br>realm DEFAULT {<br> type = radius<br> authhost = LOCAL<br> accthost = LOCAL<br> # see [1] for strip<br> strip<br>}
<br><br>realm NULL {<br> type = radius<br> authhost = LOCAL<br> accthost = LOCAL<br> # see [1] for strip<br> strip<br>}<br><br>radiusd.conf (portions omitted):<br><br>modules {<br> mschap {<br> authtype = MS-CHAP
<br> with_ntdomain_hack = yes<br> # this all goes on one line<br> # see [2] for mschap:User-Name<br> ntlm_auth = "/path/ntlm_auth --request-nt-key \<br> --username=%{mschap:User-Name} \<br> --challenge=%{mschap:Challenge:-00} \
<br> --nt-response=%{mschap:NT-Response:-00}"<br> }<br><br> realm ntdomain {<br> format = prefix<br> delimiter = "\\"<br> ignore_default = no<br> ignore_null = no<br> }<br>}<br><br>
authorize {<br> preprocess<br> ntdomain<br> eap<br> mschap<br>}<br><br>The various bits ensure:<br><br> 1. "strip" in the realms means there is always a realm-free<br>"%{Stripped-User-Name}" variable, useful for
e.g. LDAP/file/SQL searches.<br><br> 2. The "with_ntdomain_hack" create an mschap:User-Name variable which<br>will always have the domain stripped correctly - "dom\user" goes to<br>"user", and "host/machine" goes to "machine$"
<br><br>><br>> Any method or idea will be welcome.<br>><br>> Thanks<br>><br>><br>> ------------------------------------------------------------------------<br>><br>> -<br>> List info/subscribe/unsubscribe? See
<a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br><br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html
</a><br></blockquote></div><br>