On 10/06/11 15:32, joanroldan wrote:
Hi everybody,
I have take a look to this post:
http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td278514...
The issue mentioned in that post was fixed in 2.1.10. Are you running 2.1.10?
And I totally agree with the behaviours described in the table.
Do you? That table does NOT contain: user@domain ...format credentials.
I have been experiencing the same. If I type the credentials on prompt of Windows supplicant like
MYDOMAIN.COM\user password
The request is accepted:
Fri Jun 10 15:58:51 2011 : Info: ++[eap] returns ok Fri Jun 10 15:58:51 2011 : Auth: Login OK: [IRTA_NT\\jroldan/<via Auth-Type = EAP>] (from client WLC_SSCC port 1 cli 00-26-B6-59-F1-EA)
But if I type
user@mydomain.com password
I get the next info:
This is not useful. Please show a full debug, from running "radiusd -X | tee log".
As the configuration of freeradius is for eduroam purpose it would be nice that user enter the credentials like user@domain.com, and in function of the domain the request would be proxied or not.
Is is possible to use this format in spite of NT-domain?
Yes, you just need to configure it appropriately. I suspect your problems is that your "ntlm_auth" line is expanding to: ntlm_auth --username=user@domain ... ...which won't work. %{mschap:User-Name} only handles DOMAIN\user host/name.domain.com plainuser ...it does NOT handle: user@domain ...but it maybe (probably?) should. Since a virtual server which is handling eduroam should *ALWAYS* see user@domain, you can write something like this in "inner-tunnel": authorize { if (User-Name =~ /^([^@]*)@(.+)$/) { update request { Stripped-User-Name := "%{1}" Realm := "%{toupper:%{2}}" } } else { reject } # FIXME: you should check the Realm here is one of yours # ...other modules } ...and then in modules/mschap, the "ntlm_auth" config: --username=%{Stripped-User-Name:-%{mschap:User-Name}} ...which will expand as follows: user@domain -> --username=user DOMAIN\user -> --username=user user -> --username=user