Hi Phil, Still no go. Now EAP complains : pap] Config already contains "known good" password. Ignoring Password-With-Header [pap] Normalizing NT-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop ++? if (User-Name =~ /^host\/([^.]+)/) ? Evaluating (User-Name =~ /^host\/([^.]+)/) -> TRUE ++? if (User-Name =~ /^host\/([^.]+)/) -> TRUE ++- entering if (User-Name =~ /^host\/([^.]+)/) {...} expand: %{1}$ -> dti-dahport$ +++[request] returns noop ++- if (User-Name =~ /^host\/([^.]+)/) returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. I tried to put the blob before eap in authorize or after, but the result is the same. It breaks when entering the authenticate section. On 12-02-10 4:52 AM, Phil Mayers wrote:
On 02/09/2012 07:55 PM, Francois Gaudreault wrote:
Doing the MS-CHAP-User-Name change got me this error :
mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Found NT-Password [mschap] ERROR: User-Name (host/dti-dahport) is not the same as MS-CHAP Name (dti-dahport$) from EAP-MSCHAPv2
Ah, of course.
I think you're going to need to rewrite the User-Name attribute instead; that check is there to prevent clients sending a User-Name that differed from the MS-CHAP value, and circumventing authorization checks.
I will try to come up with a patch that does all this properly later today, but this should work:
authorize { ... if (User-Name =~ /^host\/([^.]+)/) { update request { User-Name := "%{1}$" } } ... }
Note to the archives: This is NOT GENERAL ADVICE. This advice is specific to the issue Francois is facing (performing machine auth with access to the NT-Password, as opposed to via Active Directory) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Francois Gaudreault, ing. jr fgaudreault@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)