Error: User-Name is not the same as MS-CHAP name
Robert Mc Cready
robert-mccready at cspi.qc.ca
Tue May 10 16:35:26 CEST 2011
If the User-Name is being rewritten, it is not intentional.
Now I reinstalled from scratch, saved the default configuration, joined the
server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
inner-tunnel, and ran diff. I can see in the debug output of the server that
User-Name = "CAD08862\\ldapuser" but I don't know what I am doing wrong.
http://www.cspi.qc.ca/sinfrmc/windowsxp2.htm
freeradius:/etc # diff -qr raddb raddefault
Files raddb/clients.conf and raddefault/clients.conf differ
Files raddb/modules/attr_rewrite and raddefault/modules/attr_rewrite differ
Files raddb/modules/ldap and raddefault/modules/ldap differ
Files raddb/modules/mschap and raddefault/modules/mschap differ
Files raddb/sites-available/inner-tunnel and raddefault/sites-available/inner-tunnel differ
Files raddb/sites-enabled/inner-tunnel and raddefault/sites-enabled/inner-tunnel differ
----------------------------------------------------------------------------
freeradius:/etc # diff raddb/clients.conf raddefault/clients.conf
206,209d205
< client 10.0.0.0/8 {
< secret = testing123
< shortname = net1
< }
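Review bot: the new client block combines `secret = testing123`, the well-known example secret shipped in the stock clients.conf, with a 10.0.0.0/8 range that admits every host in that private network. Anything in that /8 that knows the example secret is then accepted as a NAS, and the same secret is what protects the RADIUS exchange. Replace it with a long random secret and narrow the range to the actual access points or controllers, ideally one `client` entry per NAS address.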
----------------------------------------------------------------------------
freeradius:/etc # diff raddb/modules/attr_rewrite raddefault/modules/attr_rewrite
32,65d31
<
< attr_rewrite copy.user-name {
< attribute = Stripped-User-Name
< new_attribute = yes
< searchfor = ""
< searchin = packet
< replacewith = "%{User-Name}"
< }
<
< attr_rewrite remove-domain-name {
< attribute = Stripped-User-Name
< searchfor = "(\.test\.local)"
< searchin = packet
< new_attribute = no
< replacewith = ""
< }
<
< attr_rewrite add-dollar-sign {
< attribute = Stripped-User-Name
< searchfor = "^(host/.*)"
< searchin = packet
< new_attribute = no
< replacewith = "%{1}$"
< }
<
< attr_rewrite strip-realm-name {
< attribute = Stripped-User-Name
< new_attribute = no
< searchin = packet
< searchfor = "^(.*[\\/]+)"
< replacewith = ""
< max_matches = 1
< }
<
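Review bot: all four rules here target `Stripped-User-Name`, seeded from `%{User-Name}` by `copy.user-name`, so this chain does not edit `User-Name` itself; which of the two names the mschap module compares against the name inside the MS-CHAP2-Response is the question the rest of the thread is about, and the server's debug output is the only authority on that. Two points on the rules themselves: `strip-realm-name` with `^(.*[\\/]+)` is greedy and removes everything up to and including the last backslash or slash, so it also removes the `host/` prefix that `add-dollar-sign` matched one rule earlier (turning `host/machine` into `machine$`, presumably the intent, but the rule order is load-bearing and deserves a comment); and `remove-domain-name` has no anchor, so `(\.test\.local)` matches that substring anywhere in the name, not only as a trailing suffix. Add a `$` anchor if only the suffix is meant.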
----------------------------------------------------------------------------
freeradius:/etc # diff raddb/modules/ldap raddefault/modules/ldap
33,36c33,36
< server = "10.220.7.7"
< identity = "cn=tics,o=test"
< password = ldappass
< basedn = "o=test"
---
> server = "ldap.your.domain"
> #identity = "cn=admin,o=My Org,c=UA"
> #password = mypass
> basedn = "o=My Org,c=UA"
77,79c77,78
< #start_tls = no
< start_tls = yes
< port=636
---
> start_tls = no
>
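Review bot: `start_tls = yes` together with `port=636` mixes two different mechanisms: StartTLS upgrades a plaintext LDAP session (normally on port 389) to TLS after connecting, while 636 is the ldaps port where TLS is negotiated before any LDAP traffic. Configure whichever one the directory actually offers, and in either case make sure the module's TLS settings verify the server certificate against a CA, since the bind `identity`/`password` from the previous hunk and the `nspmPassword` values fetched later travel over this connection.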
118c117
< password_attribute = nspmPassword
---
>
124c123
< edir_account_policy_check = yes
---
> edir_account_policy_check = no
----------------------------------------------------------------------------
freeradius:/etc # diff raddb/modules/mschap raddefault/modules/mschap
37c37
< with_ntdomain_hack = yes
---
>
65,66c65
< #ntlm_auth = "/path/to/nitlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
< ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NW2}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
---
> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
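Review bot: the new `ntlm_auth` line takes its user from `%{mschap:User-Name}` and its domain from `%{mschap:NT-Domain}` with a hard-coded `NW2` fallback, while the attr_rewrite chain elsewhere in this post only ever produces `Stripped-User-Name`, which this command never reads; the two halves of the configuration therefore disagree about which name is authoritative, and the stock line kept above as a comment (`--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}`) is the one that would consume the rewritten name. Since the inner-tunnel change sets `MS-CHAP-Use-NTLM-Auth := no` for every request whose User-Name does not start with `host/`, this command only ever runs for machine accounts; say so in a comment next to it, and fix the `nitlm_auth` typo in the commented example while you are there.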
----------------------------------------------------------------------------
freeradius:/etc # diff raddb/sites-available/inner-tunnel raddefault/sites-available/inner-tunnel
48,52d47
< if (User-Name !~ /^host\//) {
< update control {
< MS-CHAP-Use-NTLM-Auth := no
< }
< }
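Review bot: this block keys on `User-Name` as received, before any rewrite, and turns off `MS-CHAP-Use-NTLM-Auth` for everything that is not a `host/` machine account, so ordinary users are verified by the mschap module against the password the ldap module retrieves (`password_attribute = nspmPassword`) and only machine accounts go to `ntlm_auth`. That split is sensible but invisible to anyone reading the mschap module file; add a comment here stating it, so the two files are not changed independently later.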
97,101c92
< copy.user-name
< remove-domain-name
< add-dollar-sign
< strip-realm-name
< ntdomain
---
> # ntdomain
151c142
< ldap
---
> # ldap
239,241c230,232
< Auth-Type LDAP {
< ldap
< }
---
> # Auth-Type LDAP {
> # ldap
> # }
299c290
< ldap
---
> # ldap
311d301
< ldap
----------------------------------------------------------------------------
Robert Mc Cready wrote:
> I do not rewrite the User-name attribute I rewrite only the
> Stripped-User-Name attribute with these:
No. Go READ the debug log you posted. The "inner-tunnel" virtual
server gets:
Sending tunneled request
EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b6338671202 ...
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "CAD08862\\ldapuser"
You then RE-WRITE the User-Name.
Don't do that.
As you were told, re-writing the User-Name for EAP is wrong. Don't do it.
> The User-Name attribute is untouched.
You can believe what you *think* happens. Or you can believe the
debug output of the server.
Alan DeKok.