Strip off the domain part from the User-Name
Thomas Wunder
thomas.wunder at swt-bamberg.de
Wed Mar 23 20:08:35 CET 2011
Hi,
I'm currently trying to configure my Win7 clients to do wired 802.1X authentication using the credentials a user provides at the login screen. Wired 802.1X auth itself works fine but as soon as I have it use the logon credentials (using the "Automatically use my Windows logon name and password (and domain if any).") Windows sends User-Names like 'computername\\username'. That's normal so far I think.
To get the rlm_ldap related stuff working I simply changed my filter and groupmembership_filter settings in modules/ldap to be "[...]uid=%{mschap:User-Name:-%{User-Name}}[...]" instead of "[...]uid=%{%{Stripped-User-Name}:-%{User-Name}}[...]" and that works well.
But when it comes to MSCHAP authentication I've got a problem:
I get errors like
"[mschap] ERROR: User-Name (testpc\tom1) is not the same as MS-CHAP Name (tom1) from EAP-MSCHAPv2"
(...which sounds consequent) I've tried solve that problem by changing "with_ntdomain_hack = yes" (I know you recommend against that) without any luck:
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [tom1] (from client swtswitch01 port 0 via TLS tunnel)
Somewhere I've read that in such a case one should use the realms concept but I can't seem to get it working. There's an entry like
realm ntdomain {
format = prefix
delimiter = "\\"
}
in the modules/realm but what else do I need?
Thanks!fr
Best regards
Tom
More information about the Freeradius-Users
mailing list