Hi, On 11-05-30 9:55 AM, Phil Mayers wrote:
On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
There's no guarantee that STAFF\john and STUDENT\john at the same person; you can't just ignore the fact that the client has changed their username.
True. But I don't think it is possible to send a different Username in EAP-Identity and MSChap Username in the same EAP session since the second is derived from the first. I have seen such setup where you have two domain, RADIUS would use the Realm to differentiates the two.
For a legit client, yes. A malicious client can send anything it wants. I completely agree with you on this.
Is there a way we could work around this hard-coded check since in our case, we only have "one john"?
Sure; the check is just one line; grep the source code for it and comment it out.
What I really want to understand is, whether the check is too strict and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will try to check this tomorrow.
e.g. maybe the check should be:
if eap.username == mschap.username: ok elif not mschap.domain: if eap.stripped-user-name == mschap.username: ok reject else: reject
I will try to investigate this tomorrow when I get back to the office.
Aight. Keep us posted. -- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)