----- Original Message ----- From: A.L.M.Buxey@lboro.ac.uk Sent: 11:10 am To: FreeRadius users mailing list Subject: Re: stripping domain from username (for wifi authentication on Windows XP)
Hi,
Hello everyone,
I am using freeradius to have my wifi network use my LDAP credentials for authentication. However, Windows has this glorious default setting that automatically passes the domain username and password to the radius server to authenticate for wifi access. While I can easily uncheck a box to make that behavior not happen, it would be great if I could just have radius accept those credentials. The windows domain and radius both use the same LDAP directory. The only issue is Windows sends the username as DOMAIN\\username. Is it possible to have freeradius ignore the DOMAIN\\ part of the username?
yes, check the configuration files for the prefix part. are you using 1.1.x or 2.0.x? if 1.1.x you can also you the rewrite module to copy User-Name to Stripped-User-Name and then blow away the DOMAIN\\ part - or any preceeding STUFF\\ if you use 2.0.x then use unlang to do the same job efficiently when and where you need it.
alan -
Alan,
Thanks for the response. I'm using 1.1.x. Currently, I have ldap filter definined as:
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
I have enabled with_ntdomain_hack on preprocess.
However, since doing that, I am receiving the following error:
Tue May 13 11:34:39 2008 : Error: rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Tue May 13 11:34:39 2008 : Auth: Login incorrect: [rpugatch] (from client aruba port 3 cli 001F3A4CE09E)
This worked before enabling with_ntdomain_hack. It seems like the username is now being stripped properly, but it isn't matching something properly. Unfortunately, I don't seem to understand exactly what is going wrong.
Ryan