AW: EAP identity - username check
Carl Wahlin
carl_wahlin at hotmail.com
Wed Aug 9 21:52:43 CEST 2006
This is not really an option since a user could possibly change the User-Name attribute to another user before sending to the Radius. The user could then make himself have the radius assign him the other user's attributes (i.e. get onto that user's network) since the user will be in the database, and the cert will be valid.

I will give Alan DeKok's solution a try tomorrow. I can see how this would work, although I'm not sure about how it will interpret the / since MS uses \ for domain names!

>> sql_user_name = %{mschap:User-Name:-%{User-Name}}

/Carl

From: Kraemer.Armin at web.de
To: freeradius-users at lists.freeradius.org
Date: Wed, 9 Aug 2006 17:43:29 +0200
Subject: AW: EAP identity - username check
I had the same problem here and my only solution was to turn off this check of the username.
You only have to comment out the check_cert_cn entry in the eap.conf to deactivate this. But this turns off the check completely, also for user certificates. I changed the username from "host/username" to "username$", which is mostly needed when using the mschap module, activating "with_ntdomain_hack" and adding "mschap:" to the needed authentication part like the ldap section or mysql section, like (mschap:User-Name).
Maybe there is another solution to fix that problem without deactivating this feature?
Armin
From: freeradius-users-bounces+kraemer.armin=web.de at lists.freeradius.org [mailto:freeradius-users-bounces+kraemer.armin=web.de at lists.freeradius.org] On behalf of Carl Wahlin
Sent: Wednesday, 9 August 2006 17:09
To: freeradius-users at lists.freeradius.org
Subject: EAP identity - username check
Hello,
We are trying to get machine certificates to work with freeradius for WLAN.
Problem:
We are using the sql user database plugin as we need to return attributes
(which vlan the user belongs to, QoS etc) and it all works fine until we
install the certificates as machine certs. Windows changes the User-Name to
host/username and that causes the username not to be correct according to what
is in the database, and also the User-Name does not match the cn in the cert.
We can change the attribute with search and replace, but then EAP gives us the
error "identity does not match the User-Name, setting from EAP
Identity".
Is there a way around this? It would be nice to be able to turn off the EAP
identity - User-Name check as we really do not think it is necessary in our
solution (and do not really see a security benefit of having it).
Any ideas?
/Carl
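The two checks the thread argues about (EAP identity against User-Name, and certificate CN against the identity) and the lookup-key rewrite that keeps User-Name intact, modelled in Python as an added example. This is not FreeRADIUS code and not from any poster; the sample request tuples, the "host/" handling in the CN comparison and the DOMAIN\ stripping are constructed assumptions for illustration.

```python
# Constructed sample requests modelling the cases discussed in the thread.
# Each tuple: (User-Name attribute, EAP identity, certificate CN)
SAMPLES = {
    "user_cert":    ("alice", "alice", "alice"),
    "machine_cert": ("host/pc1.example.com", "host/pc1.example.com", "pc1.example.com"),
    # Carl's search-and-replace: User-Name rewritten, EAP identity untouched
    "rewritten":    ("pc1.example.com", "host/pc1.example.com", "pc1.example.com"),
    # The case Carl worries about: User-Name changed to another account
    "spoofed":      ("bob", "alice", "alice"),
}


def lookup_key(identity: str) -> str:
    """Derive the database lookup key from the identity instead of rewriting
    User-Name (the idea behind sql_user_name = %{mschap:User-Name:-%{User-Name}}).
    Assumption: drop a leading 'DOMAIN\\' (what with_ntdomain_hack achieves)
    and a Windows machine-account 'host/' prefix."""
    name = identity.split("\\", 1)[-1]
    if name.startswith("host/"):
        name = name[len("host/"):]
    return name


def check_identity(user_name: str, eap_identity: str, cert_cn: str):
    """Return (accepted, reason). Models the two checks in the thread:
    1. the EAP identity must equal User-Name (the check Carl wants to disable);
    2. the certificate CN must match the identity (check_cert_cn), with the
       'host/<fqdn>' machine form treated as matching CN '<fqdn>' (assumption).
    Rewriting User-Name breaks check 1; deriving the DB key from the identity
    (lookup_key) keeps both checks and still finds the right database row."""
    if user_name != eap_identity:
        return False, "identity does not match the User-Name"
    if lookup_key(eap_identity) != cert_cn:
        return False, "certificate CN does not match identity"
    return True, "ok"


def db_key_for(sample: str) -> str:
    """Database key that would be used for a sample request, untouched User-Name."""
    user_name, _identity, _cn = SAMPLES[sample]
    return lookup_key(user_name)


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:13s} -> {check_identity(*req)}  db key: {db_key_for(name)}")
```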