PEAP problem when using domain suffix
p.mayers at imperial.ac.uk
Fri Jun 6 13:36:25 CEST 2008
A.L.M.Buxey at lboro.ac.uk wrote:
> you need to remove the domain suffix but you cannot
> play with the User-Name attribute or the response will
> be wrong - use the 'stripped-user-name' attribute
> for the authenticate step - and ensure that if you
> are querying an LDAP or AD et cin that stage that DOMAIN
> being used is the correct domain - either overwrite
> the value or set it to NULL
The problem is that rlm_mschap always reads the "User-Name" attribute
for generating the chal/resp i.e. when *not* using ntlm_auth.
If "with_ntdomain_hack" is enabled, rlm_mschap strips prefix "domain\"
but not suffix formats.
Given that (in 2.0.3 at least) with_ntdomain_hack *only* controls the
username string fed into the chal/resp code, it should really be on all
the time, and be extended to handle suffix formats.
More information about the Freeradius-Users