A.L.M.Buxey@lboro.ac.uk wrote:
hi,
you need to remove the domain suffix but you cannot play with the User-Name attribute or the response will be wrong - use the 'stripped-user-name' attribute for the authenticate step - and ensure that if you are querying an LDAP or AD et cin that stage that DOMAIN being used is the correct domain - either overwrite the value or set it to NULL
The problem is that rlm_mschap always reads the "User-Name" attribute for generating the chal/resp i.e. when *not* using ntlm_auth. If "with_ntdomain_hack" is enabled, rlm_mschap strips prefix "domain\" but not suffix formats. Given that (in 2.0.3 at least) with_ntdomain_hack *only* controls the username string fed into the chal/resp code, it should really be on all the time, and be extended to handle suffix formats.