I must have NT domain hack configured wrong.
From a fresh installation of Freeradius 2 on Ubuntu 13.10 Server, with a single test user added to the users file, and with mschap turned on, I've successfully received an access-accept response when testing with radtest both on the inner tunnel port 18120 and the regular 1812 port using mschap [1]. The test user is setup to mirror a user on a test windows laptop, using the HOSTNAME\username convention. On my first attempt to connect the laptop, I receive the below error about the inner username matching neither the outer username nor the eap identity.
Info: [files] users: Matched entry HOSTNAME\me at line 93 ... Info: [peap] Identity - HOSTNAME\me ... ERROR: User-Name (HOSTNAME\me) is not the same as MS-CHAP Name (me) from EAP-MSCHAPv2 So from what I've read this has been addressed by adding the with_ntdomain_hack flag in the mschap module to 'yes'. However, as shown in the referenced pastebins [2][3], it appears to have no effect. There is one other place in the configuration where with_ntdomian_hack is present, which is in the preprocess module, however it specifically says in the comments not to use it. Based on observations, it seems to strip the "HOSTNAME\\" from the username (but not the eap identity). I must have done something wrong when I enabled the with_ntdomain_hack in the mschap configuration, as from my understanding that should have caused Freeradius to account for the way Windows performs the authentication. Is there something further I need to do? Server: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:09:01 (ubuntu package version 2.1.12+dfsg-1.2ubuntu5.1 ) End-Host: Windows 7 host, which is not part of a domain, with hostname of HOSTNAME, with a user named 'me', who has a password 'PASSWORD' End-Host Network Profile: Server validation turned off since test certs are being used, "Use windows username/password" is on. NAS: Tomato 1.28 [1] radtest log: http://pastebin.com/S5Kb1ggd [2] with_ntdomain_hack off: http://pastebin.com/CnFcXWAX [2] with_nt_domain_hack on: http://pastebin.com/KS8AJPbc -Matt
Hi,
however it specifically says in the comments not to use it. Based on observations, it seems to strip the "HOSTNAME\\" from the username (but not the eap identity).
ensure that you are calling the required modules in the inner-tunnel (as you are?) for the default tunnel (eg ntdomain after suffix) radtest is just PAP - so expect things to be fine no matter what...you need to run EAP tests against your server - eg with eapol_test (part of wpa_supplicant package...very powerful tool that one). alan
Matthew Berry wrote:
ERROR: User-Name (HOSTNAME\me) is not the same as MS-CHAP Name (me) from EAP-MSCHAPv2
Use version 2.2.5. This error has been changed to a warning.
Server: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:09:01 (ubuntu package version 2.1.12+dfsg-1.2ubuntu5.1 )
We're trying to get debian / ubuntu to use a recent version of the server. For various reasons, it's not easy. Alan DeKok.
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Matthew Berry