Error: User-Name is not the same as MS-CHAP name

ironrake at yahoo.com ironrake at yahoo.com
Mon May 30 16:34:13 CEST 2011


In my shop I see a mix of domain and non domain machines. Each type will send machine or user\localmachine for user's name depending on the configuration of the windows suplicant. Avoid having users logon to domain machines with local user accounts unless you have configured the windows suplicant from the default. Do the same with non domain machines.

Here I check for the form "\full.windows.domain.name". If this is present, I use ntlm-auth. If it is not, I strip off the "\host" part in the inner tunnel and use that as a user in an ldap store which has mschap password hashes. In most cases this works for domain machines where users are logging in with local accounts or logging in locally with cached user credentials. The rest show up at the help desk. I am excited about the mschap patches talked about in recent posts.
Sent from Verizon Wireless

-----Original Message-----
From: Phil Mayers <p.mayers at imperial.ac.uk>
Sender: freeradius-users-bounces+ironrake=yahoo.com at lists.freeradius.org
Date: Mon, 30 May 2011 14:55:03 
To: FreeRadius users mailing list<freeradius-users at lists.freeradius.org>
Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Error: User-Name is not the same as MS-CHAP name

On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
>>
>>There's no guarantee that STAFF\john and STUDENT\john at the same 
>>person; you can't just ignore the fact that the client has changed 
>>their username.
>>
>True.  But I don't think it is possible to send a different Username in 
>EAP-Identity and MSChap Username in the same EAP session since the 
>second is derived from the first.  I have seen such setup where you have 
>two domain, RADIUS would use the Realm to differentiates the two.

For a legit client, yes. A malicious client can send anything it wants.

>
>Is there a way we could work around this hard-coded check since in our 
>case, we only have "one john"?

Sure; the check is just one line; grep the source code for it and 
comment it out.

What I really want to understand is, whether the check is too strict and 
FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will 
try to check this tomorrow.

e.g. maybe the check should be:

if eap.username == mschap.username:
  ok
elif not mschap.domain:
  if eap.stripped-user-name == mschap.username:
    ok
  reject
else:
  reject

I will try to investigate this tomorrow when I get back to the office.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list