<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><title></title><head><meta http-equiv="Content-type" content="text/html; charset=UTF-8" /><style type="text/css">html { margin:0px; padding:0px; } body { width:100%; height:100%;background-color:transparent; overflow:show; background-image:none; margin:0px; padding:5px; }p { margin:0px; padding:0px; } body { font-size:12px;font-family:Verdana; } p { margin:0px;padding:0px; } blockquote { border-left:1px solid #CCC;padding-left:5px;margin-left:5px;}</style></head><body id="bodyElement" style="">
<FONT size=2><BR>
<BLOCKQUOTE style="FONT-SIZE: 12px" type="cite" face="Verdana">
<P>----- Original Message -----<BR>From: A.L.M.Buxey@lboro.ac.uk<BR>Sent: 11:10 am<BR>To: FreeRadius users mailing list<BR>Subject: Re: stripping domain from username (for wifi authentication on Windows XP)<BR><BR>Hi,<BR>> Hello everyone,<BR>> <BR>> <BR>> <BR>> I am using freeradius to have my wifi network use my LDAP credentials for <BR>> authentication. However, Windows has this glorious default setting that <BR>> automatically passes the domain username and password to the radius server <BR>> to authenticate for wifi access. While I can easily uncheck a box to make <BR>> that behavior not happen, it would be great if I could just have radius <BR>> accept those credentials. The windows domain and radius both use the same <BR>> LDAP directory. The only issue is Windows sends the username as <BR>> DOMAIN\\username. Is it possible to have freeradius ignore the DOMAIN\\ <BR>> part of the username?<BR><BR>yes, check the configuration files for the prefix part. <BR>are you using 1.1.x or 2.0.x? if 1.1.x you can<BR>also you the rewrite module to copy User-Name to Stripped-User-Name<BR>and then blow away the DOMAIN\\ part - or any preceeding STUFF\\<BR>if you use 2.0.x then use unlang to do the same job efficiently<BR>when and where you need it.<BR><BR>alan<BR>-</P>
<P> </P>
<P> </P>
<P> </P>
<P>Alan,<BR></P><FONT size=2>
<P><FONT size=2>Thanks for the response. I'm using 1.1.x. Currently, I have ldap filter definined as:</FONT></P>
<P><FONT size=2></FONT> </P>
<P><FONT size=2> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"</FONT></P>
<P><FONT size=2></FONT> </P>
<P><FONT size=2>I have enabled with_ntdomain_hack on preprocess.</FONT></P>
<P><FONT size=2></FONT> </P>
<P><FONT size=2>However, since doing that, I am receiving the following error:</FONT></P>
<P><FONT size=2></FONT> </P>
<P><FONT size=2>Tue May 13 11:34:39 2008 : Error: rlm_eap: Identity does not match User-Name, setting from EAP Identity.</FONT></P>
<P><FONT size=2>Tue May 13 11:34:39 2008 : Auth: Login incorrect: [rpugatch] (from client aruba port 3 cli 001F3A4CE09E)</FONT></P>
<P><FONT size=2></FONT> </P>
<P><FONT size=2>This worked before enabling with_ntdomain_hack. It seems like the username is now being stripped properly, but it isn't matching something properly. Unfortunately, I don't seem to understand exactly what is going wrong.</FONT></P>
<P><FONT size=2></FONT> </P>
<P><FONT size=2>Ryan</FONT></P>
<P><FONT size=2></FONT> </P>
<P><FONT size=2></FONT> </P>
<P><FONT size=2></FONT> </P>
<P><FONT size=2> </P>
<BLOCKQUOTE style="FONT-SIZE: 12px" type="cite" face="Verdana"></BLOCKQUOTE></FONT></FONT></BLOCKQUOTE></FONT></body></html>