Strip off the domain part from the User-Name

Phil Mayers p.mayers at imperial.ac.uk
Mon Apr 4 10:57:27 CEST 2011


On 04/04/2011 07:57 AM, Thomas Wunder wrote:
> Hi,
> On Friday 01 April 2011 18:32:21 Phil Mayers wrote:
>> On 01/04/11 13:43, Thomas Wunder wrote:
>>> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
>>> [mschap] Found NT-Password
>>> [mschap] ERROR: User-Name (winmac\tom1) is not the same as MS-CHAP Name (tom1) from EAP-MSCHAPv2
>>
>> What client are you using?

> My client is an HP ProCurve 2910al edge switch and I'm trying to
> connect to it via the 802.1X (wired) supplicant which is natively
> included in Win7 Professional. (As I said in my very first post the
> whole process of 802.1X authentication/authorization works well
> unless I check the "Automatically use my Windows logon name and
> password (and domain if any)." option, which I actually have to.)

So it's the Windows 7 native supplicant?

Then frankly I don't understand how you can be having these problems. 
Loads and loads of people use 802.1x under Windows (including Win7) to a 
FreeRadius server without problems.

The code which is causing you issues is common to both the ntlm_auth 
helper-mode and internal mschap implementations, so everyone is hitting 
that code path. FWIW I think the code does the right thing - 
EAP-Identity replies should be the same as the inner MSCHAP username, 
and attempts to change username should be rejected.

The only thing I can suggest is starting again from scratch with a clean 
install, and making one change at a time.

Sorry I can't be more help.

>>
>> It's sending:
>>
>> EAP-Identity username=winmac\tom
>>
>> ...then a 2nd packet:
>>
>> EAP-MSCHAP username=tom
> What I found particularly strange is the line of output where it says
> "PEAP: Setting User-Name to winmac\tom1". Is this done by the server
> side PEAP implementation or is this related to the client (Windows?)
> side behavior?

It's complicated, but basically after the PEAP tunnel has been 
established, FreeRADIUS asks the client for the username and sets it 
from the reply - so it's the server doing it, from client data.

The packet flow inside the PEAP (SSL) tunnel is as follows:

server: EAP-Identity request
client: EAP-Identity response username=winmac\tom
server: EAP-MSCHAP challenge
client: EAP-MSCHAP response=xxx username=tom

...See the problem? The client is changing the username. This could be 
abused for malicious purposes if allowed, so it's denied.

But it doesn't happen to anyone else.

It's possible the "Use my login credentials" option is broken under 
Win7. AFAIK most people don't use it.

Is the machine in question (WINMAC) a domain member?
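The inner-tunnel exchange described above, and the username consistency check that produces the logged error, as an added example that is not part of the original post and not FreeRADIUS's own code. The message model, the `InnerMessage` type and the optional `strip_domain` policy are assumptions made for illustration; the constructed sample identities mirror the values from the log line.

```python
# Added example, not FreeRADIUS code: a simplified model of the four messages
# exchanged inside the PEAP tunnel and of the server-side check that the
# EAP-Identity username equals the Name field of the EAP-MSCHAPv2 response.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class InnerMessage:
    sender: str               # "server" or "client"
    kind: str                 # phase of the inner exchange (assumed labels)
    username: Optional[str] = None


def split_nt_domain(name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user); a name without a backslash
    has no domain part."""
    if "\\" in name:
        domain, _, user = name.partition("\\")
        return domain, user
    return None, name


def check_mschap_name(eap_identity: str, mschap_name: str,
                      strip_domain: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason).

    The strict rule is the one the post describes: the username the client
    gave in its EAP-Identity response must be identical to the MS-CHAP Name,
    and a change of username is rejected.  strip_domain=True is a hypothetical
    relaxed policy for this example: the DOMAIN\\ prefix is ignored on both
    sides before comparing, which is what 'strip off the domain part' means.
    """
    if eap_identity == mschap_name:
        return True, "usernames match"
    if strip_domain:
        _, id_user = split_nt_domain(eap_identity)
        _, ms_user = split_nt_domain(mschap_name)
        if id_user == ms_user:
            return True, "usernames match after stripping the NT domain prefix"
    # Same wording as the error the server logged in the thread.
    return False, (f"User-Name ({eap_identity}) is not the same as "
                   f"MS-CHAP Name ({mschap_name}) from EAP-MSCHAPv2")


def run_inner_exchange(identity: str, mschap_name: str,
                       strip_domain: bool = False
                       ) -> Tuple[List[InnerMessage], bool, str]:
    """Replay the inner-tunnel flow from the post and apply the check."""
    flow = [
        InnerMessage("server", "EAP-Identity request"),
        InnerMessage("client", "EAP-Identity response", identity),
        InnerMessage("server", "EAP-MSCHAPv2 challenge"),
        InnerMessage("client", "EAP-MSCHAPv2 response", mschap_name),
    ]
    accepted, reason = check_mschap_name(identity, mschap_name, strip_domain)
    return flow, accepted, reason


if __name__ == "__main__":
    # Constructed cases: the thread's failing pair, the same pair under the
    # relaxed policy, a plain match, and a genuine username change.
    cases = [
        ("winmac\\tom1", "tom1", False),
        ("winmac\\tom1", "tom1", True),
        ("tom1", "tom1", False),
        ("winmac\\tom1", "winmac\\alice", True),
    ]
    for ident, name, strip in cases:
        flow, ok, why = run_inner_exchange(ident, name, strip)
        for m in flow:
            extra = f" username={m.username}" if m.username else ""
            print(f"{m.sender}: {m.kind}{extra}")
        print("ACCEPT" if ok else "REJECT", "-", why, "\n")
```

The relaxed policy has a cost worth seeing in the code: once the prefix is stripped, `winmac\tom1` and `other\tom1` compare equal, so it is only safe where the user lookup ignores the domain anyway. The strict comparison is the default because, as the post says, letting the client present one identity and then authenticate as another is exactly what the check exists to refuse.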



More information about the Freeradius-Users mailing list