Hello, We have a Samba domain controller (3.0.9) with freeradius on it and several windows XP SP2 workstations attached to it. Actually, this wired setup is working correctly. We are planning to use wifi on those workstations but we encounters many problems. Here our wifi setup: Our APs are cisco 12xx, WPA/PEAP/MSCHAPV2 + 802.1x to the Samba/freeradius servers. Samba is configured to use LDAP as a backend to store its accounts (computers/users/groups). On the XP workstations, we use its own supplicant. Freeradius version 1.1.7 is configured to authorize computers and users from ldap and the authentication is made in mschapv2 through eap. The user authentication is working but not the computer and we must have this to work so that if the computer is switched on and nobody logged in, it can even have access to the network (for applying nightly updates for examples). The problem is when a computer tries to authenticate, the User-Name sent is "host//computername/", but in ldap we have entrie like /computername/$. So we have some attr_rewrite that removes host/ and adds the dollar sign. rlm_ldap finds correctly the entry, but EAP complains about the user name change: "*rlm_eap: Identity does not match User-Name, setting from EAP Identity.** rlm_eap: Failed in handler" *Is there an existing solution to our problem ?* * Thanks in advance for any response. PS: a join the log where you can see what happends, the radiusd.conf and an example computer account (in ldif format) Ce message et toutes les pièces jointes sont établis à l'attention exclusive de leurs destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le détruire et d'en avertir immédiatement l'expéditeur. L'internet ne permettant pas d'assurer l'intégrité de ce message, le contenu de ce message ne représente en aucun cas un engagement de la part de Adeo Services. prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = /usr/lib pidfile = ${run_dir}/radiusd.pid user = radiusd group = radiusd max_request_time = 60 delete_blocked_requests = no cleanup_delay = 5 max_requests = 8192 bind_address = * port = 1812 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes usercollide = no lower_user = before lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf snmp = no $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/ap.pem certificate_file = ${raddbdir}/certs/ap.pem CA_file = ${raddbdir}/certs/root.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes check_crl = no } peap { default_eap_type = mschapv2 } mschapv2 { } } mschap { } ldap { server = "localhost" identity = "cn=Manager,dc=mag125,dc=fr,dc=corp,dc=mycompany,dc=com" password = password basedn = "dc=mag125,dc=fr,dc=corp,dc=mycompany,dc=com" filter = "(uid=%{Stripped-User-Name})" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 1 access_attr_used_for_allow = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } attr_rewrite copy.user-name { attribute = Stripped-User-Name new_attribute = yes searchfor = "" searchin = packet replacewith = "%{User-Name}" } attr_rewrite add-dollar-sign { attribute = Stripped-User-Name searchfor = "^host/(.*)" searchin = packet new_attribute = no replacewith = "%{1}$" } attr_rewrite strip-realm-name { attribute = Stripped-User-Name new_attribute = no searchin = packet searchfor = "^(.*[\\/]+)" replacewith = "" max_matches = 1 } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d detailperm = 0600 } detail reply_log { detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d detailperm = 0600 } detail pre_proxy_log { detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = ${logdir}/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = "yes" } radutmp sradutmp { filename = ${logdir}/sradutmp perm = 0644 callerid = "no" } attr_filter { attrsfile = ${confdir}/attrs } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } exec echo { wait = yes program = "/bin/echo Username:%{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } } instantiate { expr } authorize { copy.user-name add-dollar-sign auth_log suffix ntdomain ldap eap } authenticate { copy.user-name add-dollar-sign Auth-Type LDAP { ldap } Auth-Type MS-CHAP { mschap } eap } preacct { preprocess acct_unique suffix ntdomain } accounting { detail radutmp } session { radutmp } post-auth { reply_log } pre-proxy { pre_proxy_log } post-proxy { eap }