Error: User-Name is not the same as MS-CHAP name

Robert Mc Cready robert-mccready at cspi.qc.ca
Tue May 10 16:35:26 CEST 2011


If the User-Name is being rewritten, it is not intentional.

Now, I reinstalled from scratch, saved the default configuration, joined the
server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
inner-tunnel, and ran diff. I can see in the debug output of the server that
User-Name = "CAD08862\\ldapuser", but I don't know what I am doing wrong.

http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm


freeradius:/etc # diff -qr  raddb raddefault
Files raddb/clients.conf and raddefault/clients.conf differ
Files raddb/modules/attr_rewrite and raddefault/modules/attr_rewrite differ
Files raddb/modules/ldap and raddefault/modules/ldap differ
Files raddb/modules/mschap and raddefault/modules/mschap differ
Files raddb/sites-available/inner-tunnel and raddefault/sites-available/inner-tunnel differ
Files raddb/sites-enabled/inner-tunnel and raddefault/sites-enabled/inner-tunnel differ

---------------------------------------------------------------------------------------------

freeradius:/etc # diff  raddb/clients.conf raddefault/clients.conf
206,209d205
< client 10.0.0.0/8 {
<        secret          = testing123
<        shortname       = net1
< }
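Review bot: `secret = testing123` on a `client 10.0.0.0/8` block is the placeholder secret shipped in the stock clients.conf, and here it covers an entire /8, so any host in 10.0.0.0/8 that knows the well-known example secret can submit requests and read the replies this server sends. Define one client block per NAS (or the smallest network that really contains them) with a long random `secret`, and keep `testing123` for the 127.0.0.1 test client only, if at all.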

---------------------------------------------------------------------------------------------

freeradius:/etc # diff raddb/modules/attr_rewrite raddefault/modules/attr_rewrite
32,65d31
<
< attr_rewrite copy.user-name {
<                 attribute = Stripped-User-Name
<                 new_attribute = yes
<                 searchfor = ""
<                 searchin = packet
<                 replacewith = "%{User-Name}"
<         }
<
< attr_rewrite remove-domain-name {
<                 attribute = Stripped-User-Name
<                 searchfor = "(\.test\.local)"
<                 searchin = packet
<                 new_attribute = no
<                 replacewith = ""
<         }
<
< attr_rewrite add-dollar-sign {
<                 attribute = Stripped-User-Name
<                 searchfor = "^(host/.*)"
<                 searchin = packet
<                 new_attribute = no
<                 replacewith = "%{1}$"
<         }
<
< attr_rewrite strip-realm-name {
<                 attribute = Stripped-User-Name
<                 new_attribute = no
<                 searchin = packet
<                 searchfor = "^(.*[\\/]+)"
<                 replacewith = ""
<                 max_matches = 1
<         }
<
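Review bot: `remove-domain-name` matches `(\.test\.local)` unanchored, so it deletes the first `.test.local` wherever it occurs in the name rather than only a trailing DNS suffix; anchor it as `searchfor = "\.test\.local$"` if the intent is to strip the suffix of `host/machine.test.local`. The four rules are also order-dependent: `add-dollar-sign` must still see the `host/` prefix when it appends `$`, and only then may `strip-realm-name` remove everything up to the last `\` or `/`, so a comment stating that `copy.user-name`, `remove-domain-name`, `add-dollar-sign`, `strip-realm-name` is the required call order in inner-tunnel would save the next reader a debugging session. Since all four edit `Stripped-User-Name` with `searchin = packet` on every inner request, consider guarding the chain with the same `User-Name =~ /^host\//` condition used for MS-CHAP-Use-NTLM-Auth so that ordinary users' identities are not rewritten at all.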

---------------------------------------------------------------------------------------------

freeradius:/etc # diff  raddb/modules/ldap  raddefault/modules/ldap
33,36c33,36
<       server = "10.220.7.7"
<       identity = "cn=tics,o=test"
<       password = ldappass
<       basedn = "o=test"
---
>       server = "ldap.your.domain"
>       #identity = "cn=admin,o=My Org,c=UA"
>       #password = mypass
>       basedn = "o=My Org,c=UA"
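Review bot: the bind credential (`identity = "cn=tics,o=test"`, `password = ldappass`) now sits in clear text in raddb/modules/ldap, so that file must stay readable only by the user radiusd runs as, and should be redacted before the configuration is posted to a list. Also confirm that cn=tics has only the rights rlm_ldap needs (read on the user subtree, plus read of the password attribute if one is configured) rather than eDirectory admin rights.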
77,79c77,78
<               #start_tls = no
<               start_tls = yes
<               port=636
---
>               start_tls = no
>
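Review bot: `start_tls = yes` together with `port=636` mixes the two LDAP encryption modes: 636 is the LDAPS port, where TLS is negotiated before any LDAP traffic, while StartTLS is an extended operation issued on the plain LDAP port (389) to upgrade the connection, which is the combination this `tls` block documents. Pick one, normally `port = 389` with `start_tls = yes`. The diff also shows no `cacertfile`/`cacertdir` or `require_cert` setting in the same block, so the eDirectory server certificate is not being verified; set them, otherwise the TLS session protects the bind password and fetched passwords only against passive eavesdropping.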
118c117
<       password_attribute = nspmPassword
---
>
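Review bot: `password_attribute = nspmPassword` makes rlm_ldap read the eDirectory Universal Password and place it in the request as the cleartext password for `mschap` to hash, so the bind DN needs Universal Password read rights and the connection must be encrypted and verified, which makes the `tls` settings in the previous hunk load-bearing. It also means the inner-tunnel `Auth-Type LDAP` block is not what authenticates MS-CHAP users: the password arrives during authorize via `ldap`, and `mschap` does the comparison.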
124c123
<       edir_account_policy_check = yes
---
>       edir_account_policy_check = no

---------------------------------------------------------------------------------------------

freeradius:/etc # diff raddb/modules/mschap  raddefault/modules/mschap
37c37
<       with_ntdomain_hack = yes
---
>
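Review bot: `with_ntdomain_hack = yes` is the module's own handling of the `DOMAIN\user` form that the debug log shows (`User-Name = "CAD08862\\ldapuser"`): mschap strips the `CAD08862\` prefix itself, because Windows clients compute the response over the user part only. With it enabled there is no need to reproduce the same stripping with attr_rewrite in the inner tunnel, and having two places rewrite the identity makes it harder to tell from `radiusd -X` which name mschap finally compared with the one carried in the MS-CHAPv2 response.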
65,66c65
<       #ntlm_auth = "/path/to/nitlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
<       ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NW2}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
---
>       #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
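Review bot: the active `ntlm_auth` line takes `--username=%{mschap:User-Name:-None}` and `--domain=%{%{mschap:NT-Domain}:-NW2}`, both derived by the mschap module from the incoming User-Name, with `NW2` as the hard-coded fall-back domain. Because the inner-tunnel rule leaves ntlm_auth enabled only for `host/...` identities, which carry no `DOMAIN\` prefix, check in the `radiusd -X` output which `--domain=` value ntlm_auth actually receives for such a request, and make sure `NW2` is the NetBIOS name of the domain this server was joined to; a silent fall-back to the wrong domain would fail every machine authentication without an obvious error. Minor: the commented-out copy of the stock line reads `/path/to/nitlm_auth`, a typo that is harmless only while it stays commented.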


---------------------------------------------------------------------------------------------
 
freeradius:/etc # diff raddb/sites-available/inner-tunnel raddefault/sites-available/inner-tunnel
48,52d47
<       if (User-Name !~ /^host\//) {
<                 update control {
<                 MS-CHAP-Use-NTLM-Auth := no
<                 }
<         }
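Review bot: this `if (User-Name !~ /^host\//)` block sets `MS-CHAP-Use-NTLM-Auth := no` for every non-machine identity, so those users can only pass MS-CHAP if `ldap` has supplied a cleartext (nspmPassword) or NT password earlier in authorize; a user whose password cannot be read from eDirectory fails outright, with no fall-back to ntlm_auth. Add a comment stating that dependency next to the block, so that a later change to the ldap `password_attribute` or to the module order in authorize is not made without seeing it.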
97,101c92
<       copy.user-name
<       remove-domain-name
<       add-dollar-sign
<       strip-realm-name
<       ntdomain
---
> #     ntdomain
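Review bot: the four attr_rewrite calls are immediately followed by `ntdomain`, and both mechanisms derive `Stripped-User-Name` from the same `DOMAIN\user` form: the realm module parses `CAD08862\ldapuser` from User-Name and, when that realm is defined, writes `Stripped-User-Name` and `Realm` itself. Two modules writing the same attribute from the same input is what makes "which name did mschap see" hard to answer from the debug output. Keep one of them (the `ntdomain` realm also gives you `Realm` for per-domain policy), and leave a comment naming the one that is authoritative for the value `ldap` and `mschap` end up using.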
151c142
<       ldap
---
> #     ldap
239,241c230,232
<       Auth-Type LDAP {
<               ldap
<       }
---
> #     Auth-Type LDAP {
> #             ldap
> #     }
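Review bot: enabling `Auth-Type LDAP { ldap }` in the inner tunnel only helps requests that carry `User-Password`, because the ldap module authenticates by binding as the user with the cleartext password. EAP-MSCHAPv2 inner requests have no cleartext password, so this block is never reached for them and MS-CHAP users are authenticated by `mschap` from the password fetched in authorize. Leave it commented unless an inner PAP method (for example TTLS/PAP) is also expected, and if it stays, make sure nothing in authorize forces `Auth-Type := LDAP` for MS-CHAP requests.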
299c290
<       ldap
---
> #     ldap
311d301
<               ldap

---------------------------------------------------------------------------------------------

Robert Mc Cready wrote:
> I do not rewrite the User-Name attribute; I rewrite only the
> Stripped-User-Name attribute with these:

  No.  Go READ the debug log you posted.  The "inner-tunnel" virtual
server gets:

Sending tunneled request
EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202 ...
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "CAD08862\\ldapuser"

  You then RE-WRITE the User-Name.

  Don't do that.

  As you were told, re-writing the User-Name for EAP is wrong.  Don't do it.

> The User-Name attribute is untouched.

  You can believe what you *think* happens.  Or you can believe the
debug output of the server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

 

More information about the Freeradius-Users mailing list