Error: User-Name is not the same as MS-CHAP name

Francois Gaudreault fgaudreault at inverse.ca
Mon May 30 13:54:01 CEST 2011


Hi Phil,

> Forget about all that. Adding Realm's and fiddling with the packet 
> won't help; the check is hard-coded into the mschap module as a fairly 
> obvious security measure.
>
> For example - suppose I have an environment with two separate domains:
>
> STAFF
> STUDENTS
>
> ...if the mschap module did *not* check this, I could rig my mschap 
> client to send:
>
> EAP-Identity: STAFF\john
> MSCHAP-Name: STUDENT\john
>
> There's no guarantee that STAFF\john and STUDENT\john are the same 
> person; you can't just ignore the fact that the client has changed 
> their username.
>
True.  But I don't think it is possible to send a different Username in 
EAP-Identity and MSChap Username in the same EAP session since the 
second is derived from the first.  I have seen such a setup where you have 
two domains; RADIUS would use the Realm to differentiate the two.

Is there a way we could work around this hard-coded check since in our 
case, we only have "one john"?

>
> Ah.
>
> I had assumed the machine was a domain member, because you were 
> talking about machine auth (which requires domain membership). I take 
> it there are two sets of machines - some in the domain, some not? I 
> assume they all have the Novell client installed?
Correct, the machines are not members of an AD domain.  However, they 
have the Novell Client installed, and they are using a kind of AD tree 
in their eDirectory structure.  So machine auth works the same as if it 
was an AD domain.  The users are not members of that special tree.

>
> Usually, people only use "send username automatically" with machines 
> which are in the domain. It's possible this is just a bug in Windows 
> XP, and that no-one else has ever tried this, so it's never been seen.
It is possible that in Windows XP, something is broken at the supplicant 
level.  In Windows 7, the OS is brilliant enough not to send the 
machine name.  However, mainly 80% of his machines are Windows XP.


-- 
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
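The check Phil describes (the name in the MS-CHAP response must agree with the outer User-Name, otherwise the client could authenticate as one account while presenting another) can be made concrete with a small comparison routine. The following is an added example for readers of this thread, not code from rlm_mschap or from FreeRADIUS; the `parse_identity`, `names_match` and `check_request` functions and the `tolerate_missing_realm` policy switch are this example's own assumptions, and the sample request pairs are constructed, except for the STAFF\john / STUDENT\john pair taken from the message above.

```python
"""Consistency check between the outer EAP identity (User-Name) and the
name carried inside an MS-CHAPv2 response.

Added example: the comparison policy below is an assumption of this
example, not the behaviour of FreeRADIUS's rlm_mschap module.
"""

from typing import NamedTuple, Optional


class Identity(NamedTuple):
    user: str
    realm: Optional[str]  # None when the identity carries no domain/realm


def parse_identity(raw: str) -> Identity:
    """Split 'DOMAIN\\user', 'user@realm' or a bare 'user' into parts.

    User parts are lower-cased because Windows account names are not
    case-sensitive; realms are upper-cased so 'staff' equals 'STAFF'.
    """
    raw = raw.strip()
    if "\\" in raw:
        realm, user = raw.split("\\", 1)
        return Identity(user.lower(), realm.upper() or None)
    if "@" in raw:
        user, realm = raw.rsplit("@", 1)
        return Identity(user.lower(), realm.upper() or None)
    return Identity(raw.lower(), None)


def names_match(user_name: str, mschap_name: str,
                tolerate_missing_realm: bool = False) -> bool:
    """Return True when both names refer to the same account.

    Policy (assumed for this example):
      * the user parts must be equal;
      * when both sides carry a realm, the realms must be equal;
      * when only one side carries a realm the pair is rejected, unless
        tolerate_missing_realm is set (the single-realm "one john" case).
    """
    outer = parse_identity(user_name)
    inner = parse_identity(mschap_name)
    if outer.user != inner.user:
        return False
    if outer.realm is None or inner.realm is None:
        if outer.realm == inner.realm:      # neither side has a realm
            return True
        return tolerate_missing_realm      # exactly one side has a realm
    return outer.realm == inner.realm


def check_request(user_name: str, mschap_name: str, **policy):
    """Return (accepted, message), mirroring the error text in the thread."""
    if names_match(user_name, mschap_name, **policy):
        return True, "ok"
    return False, (f"User-Name '{user_name}' is not the same as "
                   f"MS-CHAP name '{mschap_name}'")


# Constructed sample request pairs (outer User-Name, inner MS-CHAP name).
SAMPLE_REQUESTS = [
    ("STAFF\\john", "STAFF\\john"),    # same account, same domain
    ("STAFF\\john", "STUDENT\\john"),  # the rigged client from the thread
    ("john@staff", "STAFF\\john"),     # same account, different notation
    ("john", "STAFF\\john"),           # realm on one side only
    ("host/pc01", "john"),             # machine identity vs. user name
]

if __name__ == "__main__":
    for outer, inner in SAMPLE_REQUESTS:
        ok, msg = check_request(outer, inner)
        verdict = "accept" if ok else "reject"
        print(f"{outer:>12} / {inner:<14} -> {verdict}: {msg}")
```

The default policy is deliberately strict: the realm-on-one-side case is rejected unless the operator opts in, because silently stripping a domain is exactly what lets STAFF\john and STUDENT\john collapse into one account. For a deployment with a single realm, enabling `tolerate_missing_realm` at the RADIUS server is a far narrower relaxation than removing the comparison altogether.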




More information about the Freeradius-Users mailing list