dot1x with samba workstation accounts part two

steffo76 at steffo76 at
Tue Nov 2 15:01:57 CET 2010

Hi list,

I am new here and would like to respond to a message which has been sent before I was subscribed:

I ran into the same problem and might have a solution that satisfies both sides, I added a configuration option to modules/mschap which is called "enforce_user_flag". With this patch the following happens:

If the disabled flag is set, it rejects anyway. 

If the enforce_user_flag is not set or set to 'yes', mschap checks for the presence of the user flag (this has been the behaviour so far). 

If enforce_user_flag is set to 'no', mschap checks for the presence of the „workstation trust account“  „server trust account“ or „normal user account“. If one of them is present it is satisfied with the flags. 

With this solution mschap behaves like it did before with out of the box settings but is able to honor the workstation or server trust account flags if the configuration option is set accordingly. There would be no need to disable the check of the 'disabled' flag.

It is probably not the best code ever but maybe it helps someone.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-rlm_mschap.diff
Type: text/x-patch
Size: 3259 bytes
Desc: not available
URL: <>

More information about the Freeradius-Users mailing list