Strip off the domain part from the User-Name
Nolan King
nking at mnwd.com
Fri Mar 25 17:35:17 CET 2011
freeradius 2.1.8:
My environment uses ntlm_auth and ldap modules.
In the mschap module, I have a line like:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-re$
Also, in ldap:
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
No edits to default or inner-tunnel (other than to uncomment the ntlm_auth and mschap lines).
I use this method to auth users connecting to wireless APs with XP, iOS, Linux, and Win7 machines. I want users to be forced to enter their password to connect, so the clients are configured not to use the domain\username, just username and pw. Set up this way, a client sending username in domain\username form will be rejected. I am not sure this is "right", but it allows me to use mschap auth with several different types of clients, and control access with an ldap group without worrying about the domain\user nonsense. Of course, I only have a single domain, which simplifies things.
Nolan
>>> On 3/25/2011 at 7:41 AM, in message
<201103251541.07053.thomas.wunder at swt-bamberg.de>, Thomas Wunder
<thomas.wunder at swt-bamberg.de> wrote:
> On Friday 25 March 2011 11:15:58 you wrote:
>> Use %{mschap:User-Name} everywhere; this will give the bare username
> That sounds consequent but what exactly do you mean by "everywhere"?
> I use the policy.conf (as you can see by the debug output from my previous
> posting) to define some policies that are later on used within the 'authorize
> {...}' groups of sites-available/default and sites-available/inner-tunnel. I
> don't utilize rlm_files any more but I use rlm_ldap to retrieve user/group
> information from my LDAP-server. The only place where I consciously reference
> any User-Name attribute is the modules/ldap and there I already do as you
> suggest (see attachment).
>
> Where else do I need to explicitly specify '%{mschap:User-Name}' to have
> rlm_mschap accept user names that incorporate an NT-domain name (i.e. to have
> rlm_mschap ignore the domain component of the user name)?
>
> My modules/mschap config file is pretty lucid at present:
> mschap {
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> with_ntdomain_hack = no
> }
>
> And what about the realms approach? Can I save the trouble?
>> (and also correctly translate host/name.domain.com, if you later do
>> machine auth)
>
> Thanks!
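The two xlat strings in Nolan's config resolve differently depending on whether anything has set Stripped-User-Name. The Python below is an added model of that %{X:-fallback} syntax and of the name forms discussed in the thread (domain\user and host/name.domain.com); it is not code from the post or from FreeRADIUS, and the stripping rule, plus treating a module xlat like mschap:Challenge as a plain attribute key, are assumptions of the model.

```python
# Added model (not from the post) of the %{X:-fallback} xlat syntax used in the
# ntlm_auth and ldap lines above, plus an approximation of NT-name stripping.
# Assumption: Stripped-User-Name exists only after some realm/stripping step set it.

def xlat(template, attrs):
    """Expand %{Attr}, %{Attr:-fallback} and nested %{%{A}:-%{B:-x}} forms."""
    return _expand(template, 0, attrs, ())[0]

def _expand(s, i, attrs, stops):
    """Expand s[i:] up to one of `stops` at this nesting level; return (text, index)."""
    out = []
    while i < len(s) and not s.startswith(stops, i):
        if not s.startswith("%{", i):
            out.append(s[i])
            i += 1
            continue
        if s.startswith("%{", i + 2):            # %{%{A}:-B}: the nested result is tested
            value, i = _expand(s, i + 2, attrs, (":-", "}"))
        else:                                     # %{Attr...}: a literal attribute name
            name, i = _expand(s, i + 2, attrs, (":-", "}"))
            value = attrs.get(name, "")
        if s.startswith(":-", i):                 # default used only when the value is empty
            fallback, i = _expand(s, i + 2, attrs, ("}",))
            value = value or fallback
        if not s.startswith("}", i):
            raise ValueError("unbalanced %{ in: " + s)
        out.append(value)
        i += 1
    return "".join(out), i

def strip_nt_name(user_name):
    """DOMAIN\\user -> user; host/name.domain.com -> name$ (approximation, not rlm_mschap)."""
    if user_name.startswith("host/"):
        return user_name[5:].split(".", 1)[0] + "$"
    return user_name.split("\\", 1)[-1]

NTLM_USER = "%{%{Stripped-User-Name}:-%{User-Name:-None}}"            # the --username= value
LDAP_FILTER = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"

def resolve(attrs):
    """What ntlm_auth and the LDAP filter see for one request's attributes."""
    return xlat(NTLM_USER, attrs), xlat(LDAP_FILTER, attrs)

if __name__ == "__main__":
    # Constructed requests: a bare name, domain\user with no stripping step (the
    # filter then carries the prefix, so the lookup fails), and the same name stripped.
    for req in ({"User-Name": "jdoe"}, {"User-Name": "EXAMPLE\\jdoe"},
                {"User-Name": "EXAMPLE\\jdoe", "Stripped-User-Name": strip_nt_name("EXAMPLE\\jdoe")}, {}):
        print(req, "->", resolve(req))
```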