On Mon, May 11, 2015 at 7:48 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Mon, May 11, 2015 at 05:18:06PM +1000, Tynan Young wrote:
I have a near default freeradius3 setup using NTLM to authenticate our PEAP MSCHAP wireless clients. Non-windows machines work fine (mac, phones etc), but I'm having difficulty getting Windows 7/8 authenticated using machine authentication or user authentication.
...
Received Access-Request Id 221 from 172.17.6.253:32985 to 192.168.254.181:1812 length 218 User-Name = 'TESTDOMAIN\\testuser' NAS-IP-Address = 172.17.6.253 ... (10) authorize { (10) filter_username filter_username { (10) if (User-Name != "%{tolower:%{User-Name}}") (10) EXPAND %{tolower:%{User-Name}} (10) --> testdomain\\testuser (10) if (User-Name != "%{tolower:%{User-Name}}") -> TRUE (10) if (User-Name != "%{tolower:%{User-Name}}") { (10) [reject] = reject (10) } # if (User-Name != "%{tolower:%{User-Name}}") = reject (10) } # filter_username filter_username = reject (10) } # authorize = reject (10) Invalid user: [TESTDOMAIN\\testuser] (from client ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73)
This.
Look at raddb/policy.d/filter, and ensure the unlang in "filter_username" that is to reject mixed-case usernames is commented out.
Or upgrade to v3.0.8, where this issue is fixed.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Great thanks for that. Commenting out the mixed case reject component fixed the issue for user authentication.