Error: User-Name is not the same as MS-CHAP name

Phil Mayers p.mayers at imperial.ac.uk
Mon May 30 11:00:21 CEST 2011


On 05/29/2011 03:10 PM, Francois Gaudreault wrote:
> Hi Phil,
>
> On 11-05-29 6:16 AM, Phil Mayers wrote:
>> Ok, so as before what we're seeing is that the host is sending
>>
>> STIC08862\TechRMC
>>
>> ...in the EAP-Identity response, but:
>>
>> TechRMC
>>
>> ...in the MSCHAP packet (the hex above decodes to that)
>>
>> This is obviously broken, but here's where I get confused: STIC08862
>> doesn't look like a domain name to me. It looks like a machine name.
> It is indeed a machine name. This is where we have problems, this does
> not happen using Windows 7. I tried to set a Realm for that machine name
> without success. The thing I don't understand is why MSCHAP complains
> about that. I mean, correct me if I am wrong, mschap:User-Name will
> *always* strip that part since it looks like a domain.

Forget about all that. Adding Realms and fiddling with the packet won't 
help; the check is hard-coded into the mschap module as a fairly obvious 
security measure.

For example - suppose I have an environment with two separate domains:

STAFF
STUDENTS

...if the mschap module did *not* check this, I could rig my mschap 
client to send:

EAP-Identity: STAFF\john
MSCHAP-Name: STUDENT\john

There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed their 
username.

>
>>
>> Is the machine a domain member or not? Is the user logging on locally
>> or with a domain account? Or is this an artefact of the way Novell works?
> The machine is not a member of the domain, and the user logs in to Novell. So
> when the user logs in, it sends the username information to RADIUS just
> like if a local user logs in.

Ah.

I had assumed the machine was a domain member, because you were talking 
about machine auth (which requires domain membership). I take it there 
are two sets of machines - some in the domain, some not? I assume they 
all have the Novell client installed?


>
>>
>> What happens if you take an ordinary machine, without the Novell
>> client installed, create a local user with the same username/password
>> as a domain user, then use "send username automatically"
> We tried it, and the machine appears to be sending the machine name
> anyway. It will work only if we don't send the credentials automatically.

Usually, people only use "send username automatically" with machines 
which are in the domain. It's possible this is just a bug in Windows XP, 
and that no-one else has ever tried this, so it's never been seen.
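The check Phil describes, written out as an added Python example (this is not FreeRADIUS's rlm_mschap source, just an illustrative model of the idea): the outer EAP-Identity / User-Name must agree with the name carried inside the MS-CHAPv2 response, and any difference is rejected. The function names, the Verdict classes and the sample identities are assumptions for the example; the sample pairs are the ones quoted in the thread (STIC08862\TechRMC versus TechRMC, and STAFF\john versus STUDENT\john). The added classification does not change the accept/reject decision; it only tells an operator whether a rejection looks like a supplicant prepending a host or domain name, or like a client that switched to a different account between the two messages.

```python
"""Illustrative identity-consistency check for EAP-MSCHAPv2.

Added example code, not FreeRADIUS's own implementation. It models the
rule discussed in the thread: the identity offered in the outer
EAP-Identity (User-Name) must match the name inside the MS-CHAPv2
response, otherwise the request is rejected. The Verdict only explains
why a mismatch happened, to help triage the
'User-Name is not the same as MS-CHAP name' error.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Verdict(Enum):
    MATCH = "match"                     # names agree, MS-CHAP may proceed
    PREFIX_ONLY = "prefix-only"         # same bare user, one side has a DOMAIN\ or HOST\ prefix
    DIFFERENT_IDENTITY = "different"    # the user or the domain really differs


@dataclass(frozen=True)
class CheckResult:
    verdict: Verdict
    accept: bool
    reason: str


def split_nt_name(name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user); a bare name yields (None, user)."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return domain, user
    return None, name


def check_identity_consistency(eap_identity: str, mschap_name: str) -> CheckResult:
    """Compare the outer identity with the MS-CHAP name.

    Policy: any real difference is rejected, exactly as the thread explains.
    Windows account names are not case-sensitive, so a pure case difference
    is treated as the same identity.
    """
    if eap_identity.casefold() == mschap_name.casefold():
        return CheckResult(Verdict.MATCH, True, "identities agree")

    eap_dom, eap_user = split_nt_name(eap_identity)
    ms_dom, ms_user = split_nt_name(mschap_name)

    # Same bare user and only one side carries a prefix: the symptom from the
    # thread (host name sent in EAP-Identity, bare user in the MS-CHAP packet).
    # Still rejected, because the RADIUS server cannot know the prefix is harmless.
    if eap_user.casefold() == ms_user.casefold() and (eap_dom is None or ms_dom is None):
        return CheckResult(
            Verdict.PREFIX_ONLY,
            False,
            f"same user {ms_user!r} but one side carries the prefix "
            f"{(eap_dom or ms_dom)!r}; typical of a supplicant sending HOST\\user",
        )

    # Both sides name a domain and they differ, or the user itself differs:
    # this is the STAFF\john vs STUDENT\john case and must never be merged.
    return CheckResult(
        Verdict.DIFFERENT_IDENTITY,
        False,
        f"client changed identity between EAP-Identity {eap_identity!r} "
        f"and MS-CHAP name {mschap_name!r}",
    )


if __name__ == "__main__":
    # Constructed sample pairs taken from the discussion above.
    for eap_id, ms_name in [
        ("TechRMC", "TechRMC"),
        ("STIC08862\\TechRMC", "TechRMC"),
        ("STAFF\\john", "STUDENT\\john"),
    ]:
        r = check_identity_consistency(eap_id, ms_name)
        print(f"{eap_id!r:22} vs {ms_name!r:18} -> {r.verdict.value:12} accept={r.accept}  {r.reason}")
```

Run stand-alone, the script prints one line per pair; only the exact (case-insensitive) match is accepted, while the host-prefixed XP/Novell case and the cross-domain case are both rejected with different verdicts.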
