Error: User-Name is not the same as MS-CHAP name
Phil Mayers
p.mayers at imperial.ac.uk
Sun May 8 12:18:08 CEST 2011
On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
> The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one
> problem with Windows XP clients, I get a " [mschap] ERROR: User-Name
> (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
> EAP-MSCHAPv2". Users log on locally, the host name is not a domain name.
> Windows 7 clients work fine because they send only the username. I do
> some rewrites so I can get the username for the LDAP authentication and
> the computer's name for computer account authentication (I'm not familiar
> with unlang yet). We use FR 2.1.10.
>
> Any idea how to fix this?
>
You CANNOT rewrite the User-Name attribute, or you will have this problem.
If you want to manipulate the username, you must do so in a separate
attribute, like so:

    if (User-Name =~ /^(.+)\\(.+)/) {
        update request {
            Stripped-User-Name := "%{2}"
        }
    }

An easier alternative is to not mangle the username at all, and instead
update any string expansions to use:

    %{mschap:User-Name}

...including your LDAP filters. This will "just work".
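
What the two options in the reply above look like in an LDAP search filter, as an added example that is not part of the original post. It assumes the filter lives in the `ldap { ... }` section of `modules/ldap` on FreeRADIUS 2.x and that users are keyed on `uid`; the attribute name is an assumption, so substitute whatever your directory uses.

```conf
# modules/ldap, inside the ldap { ... } section (FreeRADIUS 2.x).
# "uid" is an assumed directory attribute, not taken from the thread.

# Problem case: User-Name is expanded exactly as the XP client sent it,
# e.g. "CAD08862\ldapuser", so the search matches no entry. Rewriting
# User-Name itself to work around this is what triggers the
# "User-Name is not the same as MS-CHAP Name" error.
#filter = "(uid=%{User-Name})"

# Option 1: keep User-Name untouched and search on Stripped-User-Name,
# which the unlang block in the reply sets when a prefix is present.
# Falls back to User-Name for clients that send a bare username.
#filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

# Option 2: no unlang at all; let the mschap module expand the user part
# of the name, e.g. "ldapuser" for "CAD08862\ldapuser".
filter = "(uid=%{mschap:User-Name})"
```

Only one `filter` line should be active at a time; either working option leaves the User-Name attribute in the request exactly as the client sent it.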