PEAP problem when using domain suffix
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jun 6 14:17:51 CEST 2008
Phil Mayers wrote:
> A.L.M.Buxey at lboro.ac.uk wrote:
>> hi,
>>
>> you need to remove the domain suffix but you cannot
>> play with the User-Name attribute or the response will
>> be wrong - use the 'stripped-user-name' attribute
>> for the authenticate step - and ensure that if you
>> are querying an LDAP or AD et cin that stage that DOMAIN
>> being used is the correct domain - either overwrite
>> the value or set it to NULL
>
> The problem is that rlm_mschap always reads the "User-Name" attribute
> for generating the chal/resp i.e. when *not* using ntlm_auth.
>
> If "with_ntdomain_hack" is enabled, rlm_mschap strips prefix "domain\"
> but not suffix formats.
>
> Given that (in 2.0.3 at least) with_ntdomain_hack *only* controls the
> username string fed into the chal/resp code, it should really be on all
> the time, and be extended to handle suffix formats.
I've written a small patch for 2.0.4 which fixes this:
http://bugs.freeradius.org/show_bug.cgi?id=562
More information about the Freeradius-Users
mailing list