Brett Littrell wrote:
I am trying to strip the domain name from a userid in the most efficient way possible, I am using version 2.1.1.
See the "realms" module, and the "realm" definition in raddb/proxy.conf.
I am using MSChapV2
Then stripping the realm isn't a good idea. The User-Name is used as part of the MS-CHAPv2 calculations, so changing it will make the authentication fail.
I then found another reference to strip the domain from the LDAP module as shown below: filter = "(cn=%{mschap:User-Name:-%{User-Name}}
This is wrong. You're not closing the opening bracket: filter = "(cn=%{mschap:User-Name:-%{User-Name}})"
and it seems to pass the correct username to the LDAP server it looks like there is some other place I need to strip the domain besides the ldap lookup, that or the replies are using the stripped name and it is failing that way as well. Either way it still is not working. If I un-comment the stripped-user-name and use a supplicant that strips the domain prior to sending it, it does work so Radius is working, just now with standard windows supplicant on XP.
If you're using EAP, you *really* don't want to strip the User-Name. It will make EAP fail.
An yes I am pretty new to freeradius.
What you want is to change the *ldap* lookup so that it uses only the name portion of the User-Name. *Don't* edit the User-Name. And move the LDAP lookup to the "inner-tunnel" configuration. That's what it's for. Don't do LDAP lookups in raddb/sites-available/default Alan DeKok.