Error: User-Name is not the same as MS-CHAP name

Francois Gaudreault fgaudreault at inverse.ca
Sat May 28 16:32:46 CEST 2011


Hi Phil, and Alan,

I will get you the debug output for Windows XP SP3 boxes (likely Monday).

I will summarise what we have.  Basically, this is a setup where the 
client is using eDirectory to authorize the users using the rlm_ldap 
module.  On the Windows boxes, it is configured to do PEAP using 
MSCHAPv2.  When we send a host credential (i.e. 
host/mycomputer.domain.tld) it will pass the authorization and during 
the authentication phase, it will use ntlm_auth to ensure that the 
machine is a member of the domain.  That part is working fine; the mschap 
module does its job.  For the users, they have Windows 7s and Windows 
XPs.  Windows 7 appears to be working without problems since the 
username is sent without the computer name as the domain prefix.  The 
problem comes with the Windows XP boxes.  If we let Windows send the 
credentials automatically (when Novell logs in), the LDAP authorization 
will work properly, but the authentication will fail even if the 
Cleartext-Password attribute is set by the LDAP module.  It will throw 
that MS-CHAP error.  We also ensure that everything that comes from 
something that does not match host/something will use 
MS-CHAP-NTLM-Auth = No.  The only way to make Windows XP work is to 
disable the "automatically send username" thing and only send the 
username without the domain name.  However, the user experience will 
definitely be terrible.

The NAS Client is an Avaya Access Point.

Thanks for your feedback, guys, it is appreciated.  I will get you the 
debug information and the site's configuration as soon as I can.

Have a nice weekend.

-- 
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
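The name comparison behind the error in this thread, as an added Python model that is not FreeRADIUS code and not part of the post above: it shows why a User-Name carrying a computer or domain prefix fails the check while the name inside the MS-CHAP2-Response does not, and how stripping the prefix before comparing (the purpose of rlm_mschap's with_ntdomain_hack option; its exact behaviour is assumed here) lets the same request go on to the LDAP-supplied Cleartext-Password. The sample identities and the decision strings are constructed.

```python
# Added illustration (not FreeRADIUS source): a model of the MS-CHAPv2
# name-consistency check that produces "User-Name is not the same as
# MS-CHAP name", and of the domain-prefix stripping that lets a Windows XP
# identity such as PC1\alice pass.  Sample identities are constructed.

MISMATCH = "reject: User-Name is not the same as MS-CHAP name"


def strip_nt_domain(name: str) -> str:
    """Drop a leading 'DOMAIN\\' (or 'COMPUTER\\') prefix, keep the rest."""
    return name.split("\\", 1)[1] if "\\" in name else name


def is_host_credential(name: str) -> bool:
    """host/computer.domain.tld identifies a machine account, not a user."""
    return name.startswith("host/")


def mschap_names_match(user_name: str, mschap_name: str,
                       ntdomain_hack: bool) -> bool:
    """Compare User-Name with the name carried in the MS-CHAP2-Response.
    With the hack enabled, both sides are compared without their prefix."""
    if ntdomain_hack:
        user_name = strip_nt_domain(user_name)
        mschap_name = strip_nt_domain(mschap_name)
    return user_name == mschap_name


def decide(user_name: str, mschap_name: str, ntdomain_hack: bool = False) -> str:
    """Outcome of the authorize/authenticate flow described in the post:
    machine accounts go to ntlm_auth, users authenticate against the
    Cleartext-Password the LDAP module supplied (MS-CHAP-NTLM-Auth := No)."""
    if not mschap_names_match(user_name, mschap_name, ntdomain_hack):
        return MISMATCH
    if is_host_credential(user_name):
        return "ntlm_auth (domain membership check)"
    return "local MS-CHAPv2 against LDAP Cleartext-Password"


# Constructed sample requests: machine account, Windows 7 user, XP user
# whose client prefixed the computer name to the logon name.
SAMPLES = [
    ("host/pc1.example.org", "host/pc1.example.org"),
    ("alice", "alice"),
    ("PC1\\alice", "alice"),
]

if __name__ == "__main__":
    for user_name, mschap_name in SAMPLES:
        print(f"{user_name:24} as-is: {decide(user_name, mschap_name)}")
        print(f"{'':24} hack:  {decide(user_name, mschap_name, True)}")
```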



