AW: EAP identity - username check

Carl Wahlin carl_wahlin at
Wed Aug 9 21:52:43 CEST 2006

This is not really an option since a user could possibly change the User-Name attribute to another user before sending to the Radius. The user could then make himself have the radius assign him the other users attributes (ie get onto that users network) since the user will be in the database, and the cert will be valid.I will give Alan DeKoks solution a try tomorrow. I can see how this would work, although I'm not sure about how it will interpret the / since MS uses \ for domain names!>> sql_user_name = %{mschap:User-Name:-%{User-Name}}/Carl From: Kraemer.Armin at web.deTo: freeradius-users at lists.freeradius.orgDate: Wed, 9 Aug 2006 17:43:29 +0200Subject: AW: EAP identity - username check

I had the same problem here and my only
solution was to turn off this check of the username. 


of the username. 


Ou only have to comment out the
check_cert_cn  Entry at the eap.conf to deaktivate this. Butt his turn of the
check completely also for user certificates. I changed the username from „host/username“
to „username$“ which is mostly needed using the mschap Modul
aktivating „with_ntdomain_hack“ and adding „mschap: “
to the needed authentication part like ldap section or mysql section like 




Maybe there is an other solution to fix
that problem without deaktivate this feature?



Von: at
[ at] Im Auftrag von Carl Wahlin
Gesendet: Mittwoch, 9. August 2006
An: freeradius-users at
Betreff: EAP identity - username



We are trying to get machine certificates to with freeradius for WLAN.

We are using the sql user database plugin as we need to return attributes
(which vlan the user belongs to, QoS etc) and it all works fine untill we
install the certificates as machine certs. Windows changes the User-Name to
host/username and that causes the username not to be correct according to what
is in the database, and also the User-Name does not match the cn in the cert.
We can change the attribute with search and replace, but then EAP gives us the
error "identity does not match the User-Name, setting from EAP

Is there a way around this? It would be nice to be able to turn off the EAP
identity - User-Name check as we really do not think it is necesary in our
solution (and do not really see a security benifit of having it).

Any ideas?


With MSN Spaces email straight to your blog. Upload jokes,
photos and more. It's free! It's free!

Try where your online world comes together - with news, sports, weather, and much more.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list