On Friday 25 March 2011 11:15:58 you wrote:
Use %{mschap:User-Name} everywhere; this will give the bare username That sounds consequent but what exactly do you mean by "everywhere"? I use the policy.conf (as you can see by the debug output from my previous posting) to define some policies that are later on used within the 'authorize {...}' groups of sites-available/default and sites-available/inner-tunnel. I don't utilize rlm_files any more but I use rlm_ldap to retrieve user/group information from my LDAP-server. The only place where I consciously reference any User-Name attribute is the modules/ldap and there I already do as you suggest (see attachment).
Where else do I need to explicitly specify '%{mschap:User-Name}' to have rlm_mschap accept user names that incorporate a NT-domain name (i.e. to have rlm_mschap ignore the domain component of the user name)? My modules/mschap config file is pretty lucid at present: mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no } And what about the realms approach? Can I save the trouble?
(and also correctly translate host/name.domain.com, if you later do machine auth)
Thanks!