Remove with_ntdomain_hack in rlm_mschap?
Does this config option make any sense? Shouldn't it always be on? The only thing it controls is the username to feed into the MS-CHAP challenge generation, and AFAICT from RFC 2759, we should *always* ignore DOM\ for that. Certainly windows does. I found this out today - if you have "with_ntdomain_hack = no", ticking the "Use my windows credentials" box for wired/wireless 802.1x login doesn't work with a default FR config. Perhaps we should remove it for 3.x?
Phil Mayers wrote:
Does this config option make any sense? Shouldn't it always be on?
I really have no idea....
The only thing it controls is the username to feed into the MS-CHAP challenge generation, and AFAICT from RFC 2759, we should *always* ignore DOM\ for that. Certainly windows does.
If Windows does it...
I found this out today - if you have "with_ntdomain_hack = no", ticking the "Use my windows credentials" box for wired/wireless 802.1x login doesn't work with a default FR config.
Perhaps we should remove it for 3.x?
I'm OK with that. Alan DeKok.
On 27 Oct 2011, at 08:02, Alan DeKok wrote:
Phil Mayers wrote:
Does this config option make any sense? Shouldn't it always be on?
I really have no idea....
Could we set it to default to 'yes' so it can be explicitly disabled, but is on by default? -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
Arran Cudbard-Bell wrote:
Could we set it to default to 'yes' so it can be explicitly disabled, but is on by default?
Change the source code so that the default is "yes". Delete the configuration from raddb/modules/mschap People can still change it, but the default should work better. Alan DeKok.
On 27/10/11 08:15, Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Could we set it to default to 'yes' so it can be explicitly disabled, but is on by default?
Change the source code so that the default is "yes".
Delete the configuration from raddb/modules/mschap
People can still change it, but the default should work better.
That will work. I'm a little cautious about the naming - "hack" implies it is somehow a bad thing to do, and I would prefer to see it named "strip_ntdomain" - but small changes are better than big I guess. Interestingly (to me) I just pulled the .gz files for the -users mailing list archives for 2010 and 2011. In the whole archive, only twice does the error "should we have enabled with_ntdomain_hack?" appear; likewise only 4 times does an MSCHAP auth occur with "DOMAIN\user" as opposed to 288 for just "user". This implies to me very few people are ticking the "Use my windows credentials..." option under the PEAP/MSCHAP settings.
On 27 Oct 2011, at 14:21, Phil Mayers wrote:
On 27/10/11 08:15, Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Could we set it to default to 'yes' so it can be explicitly disabled, but is on by default?
Change the source code so that the default is "yes".
Delete the configuration from raddb/modules/mschap
People can still change it, but the default should work better.
That will work.
I'm a little cautious about the naming - "hack" implies it is somehow a bad thing to do, and I would prefer to see it named "strip_ntdomain" - but small changes are better than big I guess.
how about ''fix_microsoft_retardation'' :) - But yes, +1 for renaming to strip_ntdomain. I couldn't even get Windows 2000 SP4 to authenticate without it enabled (supplicant testing a while back). -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Phil Mayers