On 27/10/11 08:15, Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Could we set it to default to 'yes' so it can be explicitly disabled, but is on by default?
Change the source code so that the default is "yes".
Delete the configuration from raddb/modules/mschap
People can still change it, but the default should work better.
That will work. I'm a little cautious about the naming - "hack" implies it is somehow a bad thing to do, and I would prefer to see it named "strip_ntdomain" - but small changes are better than big I guess. Interestingly (to me) I just pulled the .gz files for the -users mailing list archives for 2010 and 2011. In the whole archive, only twice does the error "should we have enabled with_ntdomain_hack?" appear; likewise only 4 times does an MSCHAP auth occur with "DOMAIN\user" as opposed to 288 for just "user". This implies to me very few people are ticking the "Use my windows credentials..." option under the PEAP/MSCHAP settings.