Error: User-Name is not the same as MS-CHAP name
Robert Mc Cready
robert-mccready at cspi.qc.ca
Mon May 9 20:14:21 CEST 2011
I do not rewrite the User-Name attribute; I rewrite only the
Stripped-User-Name attribute with these:
attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor = ""
        searchin = packet
        replacewith = "%{User-Name}"
}

attr_rewrite remove-domain-name {
        attribute = Stripped-User-Name
        searchfor = "(\.nw2\.test\.local)"
        searchin = packet
        new_attribute = no
        replacewith = ""
}

attr_rewrite add-dollar-sign {
        attribute = Stripped-User-Name
        searchfor = "^(host/.*)"
        searchin = packet
        new_attribute = no
        replacewith = "%{1}$"
}

attr_rewrite strip-realm-name {
        attribute = Stripped-User-Name
        new_attribute = no
        searchin = packet
        searchfor = "^(.*[\\/]+)"
        replacewith = ""
        max_matches = 1
}
This is where I use Stripped-User-Name:
freeradius:/etc/raddb # grep -ir Stripped-User-Name * | grep -v \#
modules/attr_rewrite: attribute = Stripped-User-Name
modules/attr_rewrite: attribute = Stripped-User-Name
modules/attr_rewrite: attribute = Stripped-User-Name
modules/attr_rewrite: attribute = Stripped-User-Name
modules/ldap: filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
The User-Name attribute is untouched.
[mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP
Name (ldapuser) from EAP-MSCHAPv2
As I mentioned before, the host name (CAD08862) is not a domain name; it's a
computer account name.
I tried with_ntdomain_hack, no luck.
freeradius:/etc/raddb # grep -ir with_ntdomain_hack * | grep -v \#
modules/preprocess: with_ntdomain_hack = no
modules/mschap: with_ntdomain_hack = yes
Windows XP debug: http://www.cspi.qc.ca/sinfrmc/windowsxp.htm
Windows 7 debug: http://www.cspi.qc.ca/sinfrmc/windows7.htm
On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
> The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one
> problem with Windows XP clients, I get a " [mschap] ERROR: User-Name
> (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
> EAP-MSCHAPv2". Users log on locally, the host name is not a domain name.
> Windows 7 clients work fine because they send only the username. I do
> some rewrites so I can get the username for the LDAP authentication and
> the computers name for computer account authentication (I'm not familiar
> with unlang yet). We use FR 2.1.10.
>
> Any idea how to fix this ?
>
You CANNOT rewrite the User-Name attribute, or you will have this problem.
If you want to manipulate the username, you must do so in a separate
attribute, like so:
if (User-Name =~ /^(.+)\\(.+)/) {
        update request {
                Stripped-User-Name := "%{2}"
        }
}
An easier alternative is to not mangle the username at all, and instead
update any string expansions to use:
%{mschap:User-Name}
...including your LDAP filters. This will "just work".
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
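As an added example (not from the thread or the FreeRADIUS project), here is the approach from the reply above carried through for both identity forms the poster's attr_rewrite rules handle: User-Name is never modified, so the mschap module's comparison against the name inside the EAP-MSCHAPv2 response still succeeds, and only Stripped-User-Name feeds the LDAP filter. It assumes the realm suffix .nw2.test.local and the machine-account convention (trailing "$") taken from the poster's rules, placed in the authorize section before the ldap module.

```unlang
authorize {
        ...
        # Machine account: "host/CAD08862.nw2.test.local" -> "CAD08862$".
        # Suffix .nw2.test.local is assumed from the poster's attr_rewrite rules.
        if (User-Name =~ /^host\/(.+)\.nw2\.test\.local$/) {
                update request {
                        Stripped-User-Name := "%{1}$"
                }
        }
        # Local or domain prefix: "CAD08862\ldapuser" -> "ldapuser".
        # User-Name itself is left as sent by the supplicant.
        elsif (User-Name =~ /^(.+)\\(.+)$/) {
                update request {
                        Stripped-User-Name := "%{2}"
                }
        }
        # Plain username (Windows 7 clients in the thread): copy it through,
        # so the LDAP filter below always has a value to expand.
        else {
                update request {
                        Stripped-User-Name := "%{User-Name}"
                }
        }
        # The poster's filter "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # now resolves to the stripped value in every case.
        ldap
        ...
}
```

The mschap module still sees the original User-Name, which is the property the reply says the check depends on.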