On 02/09/2012 07:55 PM, Francois Gaudreault wrote:
Doing the MS-CHAP-User-Name change got me this error :
mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Found NT-Password [mschap] ERROR: User-Name (host/dti-dahport) is not the same as MS-CHAP Name (dti-dahport$) from EAP-MSCHAPv2
Ah, of course. I think you're going to need to rewrite the User-Name attribute instead; that check is there to prevent clients sending a User-Name that differed from the MS-CHAP value, and circumventing authorization checks. I will try to come up with a patch that does all this properly later today, but this should work: authorize { ... if (User-Name =~ /^host\/([^.]+)/) { update request { User-Name := "%{1}$" } } ... } Note to the archives: This is NOT GENERAL ADVICE. This advice is specific to the issue Francois is facing (performing machine auth with access to the NT-Password, as opposed to via Active Directory)