PEAP problem when using domain suffix

Phil Mayers p.mayers at imperial.ac.uk
Fri Jun 6 10:55:57 CEST 2008


Graham Marsh wrote:
> Hi
> 
> Have set up freeradius on a SLES10SP1 box in order to do 802.1X
> authentication. All is fine if the client submits a request using just
> the user name e.g. test05 in the case below:
> 
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 6
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
>   Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 6
>   rlm_mschap: Told to do MS-CHAPv2 for test05 with NT-Password
> rlm_mschap: adding MS-CHAPv2 MPPE keys
>   modcall[authenticate]: module "mschap" returns ok for request 6
> modcall: leaving group MS-CHAP (returns ok) for request 6
> MSCHAP Success
>   modcall[authenticate]: module "eap" returns handled for request 6
> modcall: leaving group authenticate (returns handled) for request 6
>   PEAP: Got tunneled Access-Challenge
>   modcall[authenticate]: module "eap" returns handled for request 6
> modcall: leaving group authenticate (returns handled) for request 6
> 
> However, if the user submits a request with the domain name appended
> such as @xyz.edu.hk, then the request fails at the same point in the
> process as shown:
> 
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 6
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
>   Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 6
>   rlm_mschap: Told to do MS-CHAPv2 for test08 at xyz.edu.hk with NT-Password
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>   modcall[authenticate]: module "mschap" returns reject for request 6
> modcall: leaving group MS-CHAP (returns reject) for request 6
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns reject for request 6
> modcall: leaving group authenticate (returns reject) for request 6
> auth: Failed to validate the user.
>   Found Post-Auth-Type
>   Processing the post-auth section of radiusd.conf
> modcall: entering group REJECT for request 6
> 
> I defined the domain suffix in the proxy conf file and set it to LOCAL
> because the local server should process the requests no matter whether
> the suffix is there or not.
> 
> I also tried rewriting the User-Name attribute to remove the suffix
> (which is already done by Stripped-User-Name) but that caused another
> problem.

You will need to strip it; what "other" problem did it cause?


