Error: User-Name is not the same as MS-CHAP name
Robert Mc Cready
robert-mccready at cspi.qc.ca
Sat May 7 20:50:57 CEST 2011
The "MS-CHAP-Use-NTLM-Auth := no" did the job, but I still have one problem
with Windows XP clients: I get a "[mschap] ERROR: User-Name
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
EAP-MSCHAPv2". Users log on locally; the host name is not a domain name.
Windows 7 clients work fine because they send only the username. I do some
rewrites so I can get the username for the LDAP authentication and the
computer's name for computer account authentication (I'm not familiar with
unlang yet). We use FR 2.1.10.
Any idea how to fix this?
Windows XP debug: http://www.cspi.qc.ca/sinfrmc/windowsxp.htm
Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm
On 05/05/11 15:17, Robert Mc Cready wrote:
> We use Novell eDirectory and DSFW (Directory Services for Windows),
> which is kind of a Windows domain inside an OU in eDirectory. I want
> to authenticate users using LDAP and Windows computer accounts using
> ntlm_auth. There are only computer accounts in the Windows domain.
>
> The computer authentication is working fine, but the user
> authentication with LDAP fails if ntlm_auth is configured. If I don't
> use ntlm_auth, the user authentication works. Is there a way to have
> both of them working together?
Yes. Something like this:
    authorize {
        ...
        if (User-Name !~ /^host\//) {
            update control {
                MS-CHAP-Use-NTLM-Auth := no
            }
        }
        ...
    }
-
We use Novell eDirectory and DSFW (Directory Services for Windows), which is
kind of a Windows domain inside an OU in eDirectory. I want to authenticate
users using LDAP and Windows computer accounts using ntlm_auth. There are
only computer accounts in the Windows domain.
The computer authentication is working fine, but the user authentication
with LDAP fails if ntlm_auth is configured. If I don't use ntlm_auth, the
user authentication works. Is there a way to have both of them working
together?
We use PEAP.
Working user authentication with LDAP debug (ntlm_auth not configured):
http://www.cspi.qc.ca/sinfrmc/ldap_only.htm
Working Windows computer account authentication:
http://www.cspi.qc.ca/sinfrmc/mschap_only.htm
User account getting rejected debug (with ntlm_auth configured):
http://www.cspi.qc.ca/sinfrmc/mschap_and_ldap.htm
Thanks,
Robert.
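
Added example, not part of the original thread and not FreeRADIUS code: a Python triage script that scans debug output for the mismatch error quoted above and reports whether the outer User-Name differs from the MS-CHAP name only by an NT-style prefix (as with the Windows XP clients), by a realm suffix, or names a different account. The function names and sample lines are constructed for illustration, and the case-insensitive comparison is an assumption.

```python
import re
from collections import Counter

# Error text as quoted in the post above.
MISMATCH = re.compile(
    r"User-Name \((?P<user>.*?)\) is not the same as "
    r"MS-CHAP Name \((?P<mschap>.*?)\)"
)

def classify(user_name, mschap_name):
    """Explain how the outer User-Name differs from the MS-CHAP name."""
    # Assumption: names are compared without regard to case.
    target = mschap_name.lower()
    if user_name.lower() == target:
        return "match"
    prefix, sep, rest = user_name.partition("\\")
    if sep and rest.lower() == target:
        return "nt-prefix:" + prefix        # HOST\user or DOMAIN\user
    local, sep, realm = user_name.rpartition("@")
    if sep and local.lower() == target:
        return "realm-suffix:" + realm      # user@realm
    return "different-identity"             # outer and inner names disagree

def triage(lines):
    """Return (findings, summary) for every mismatch error in debug output."""
    findings = []
    for line in lines:
        m = MISMATCH.search(line)
        if m:
            kind = classify(m["user"], m["mschap"])
            findings.append((m["user"], m["mschap"], kind))
    summary = Counter(kind.split(":")[0] for _, _, kind in findings)
    return findings, summary

# Constructed sample debug lines; the first uses the names from the post.
SAMPLE = [
    r"[mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from EAP-MSCHAPv2",
    "[mschap] ERROR: User-Name (alice@example.org) is not the same as MS-CHAP Name (alice) from EAP-MSCHAPv2",
    "[mschap] ERROR: User-Name (bob) is not the same as MS-CHAP Name (mallory) from EAP-MSCHAPv2",
    "[ldap] user ldapuser authorized to use remote access",
]

if __name__ == "__main__":
    findings, summary = triage(SAMPLE)
    for user, mschap, kind in findings:
        print(f"{user!r} vs {mschap!r}: {kind}")
    print(dict(summary))
```

Entries reported as different-identity are the ones to review first, since there the outer and inner names refer to different accounts rather than to one account written two ways.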