On Fri, Sep 13, 2013 at 12:23:47AM +0100, trevor obba wrote:
expand: --username=%{mschap:User-Name:-None} -> --username=test@abc.ac.uk ... Exec-Program output: Logon failure (0xc00004f)
How can I fix the problem of authentication users that type in there local realm @abc.ac.uk with their username as well as proxing eduroam users? Basically, how do I authenticate local user or stripe local realm before pass to active directory for authentication?
Use unlang to strip the realm off, something like this before the call to eap: if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) { update request { Stripped-User-Name := "%{1}" } if ("%{3}") { update request { Realm := "%{3}" } } else { # this will reject requests that have no realm reject } } Then in your mschap module config use Stripped-User-Name instead of User-Name, e.g. ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=abc.ac.uk --username=%{Stripped-User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>