On 30/08/2023 12:11, Nick Porter wrote:
A Matthew said, EAP-TLS is likely a better option, however, if you have to use MSCHAPv2, I have done this by using the winbind authentication method instead of ntlml_auth.
Good catch. We set the WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT and WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT flags so these auths are allowed. (To be fair it's been over 7 years since I wrote that... so some excuse for forgetting it!) I just tried ntlm_auth and it doesn't seem to like using a computer account, but someone would need to look at the code to see if those flags are set to confirm for certain.
In mods_enabled/mschap:
- comment out ntlm_auth = ....
- uncomment winbind_username = "%{mschap:User-Name}"
Yes, the %{mschap:User-Name} xlat code specifically looks for host/ and fixes things up with the $ suffix as required. But... use TLS :) -- Matthew