Removing domain prefix from login

Phil Mayers p.mayers at imperial.ac.uk
Thu Nov 10 13:38:07 CET 2011


On 10/11/11 08:15, Alejandro Gandara wrote:
> Hi Alan,
>
> Thanks for your answers and excuse me for my English full of mistakes.
>
> 2011/11/10 Alan DeKok <aland at deployingradius.com>
>
>     Alejandro Gandara wrote:
>      > I'm authenticating users in RADIUS against LDAP, if I login from
>      > computer with 802.1x configured and users and password taken from
>      > domain automatic. I'm getting wrong authenticated because the login has the
>      > following chain.
>      >
>      > DOMAIN\\Users
>      >
>      > How can I avoid that radius read the prefix?
>
>     You should be able to authenticate using just the user name, using
>     ntlm_auth. See the examples in raddb/modules/ntlm_auth
>
>
> I'm reading about it. Thanks for this information.
>
>
>      > I've tried to introduce the option prefix in /etc/sites-enable/default,
>      > but it's getting me back errors because of wrong way to introduce that line.
>
>     Yes. Don't define a realm. It won't work.
>
>     Post the debug output. That helps, too.
>
>
> This is my debug output:
>
> rad_recv: Access-Request packet from host 172.20.40.28 port 1025,
> id=112, length=218
> Framed-MTU = 1480
> NAS-IP-Address = 172.20.40.28
> NAS-Identifier = "SW-INT-1-3"
> User-Name = "PRIVATE\\usertest"

Have you edited this debug?

> Service-Type = Framed-User
> Framed-Protocol = PPP
> NAS-Port = 32
> NAS-Port-Type = Ethernet
> NAS-Port-Id = "32"
> Called-Station-Id = "f0-62-81-05-33-40"
> Calling-Station-Id = "f0-4d-a2-bc-77-cd"
> Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1"
> EAP-Message = 0x020a0012014f50544152455c62726f75636f

This decodes as:

\x02\n\x00\x12\x01OPTARE\\brouco

> Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> *[eap] Identity does not match User-Name, setting from EAP Identity.*

This claims MSCHAP and Radius username don't match.

Did you edit the debug?

Don't do that.

Please provide a full debug, like so:

radiusd -X | tee log.txt
# run a test auth
# ctrl+c
# email log.txt
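
The check made by hand in the reply above, as an added example that is not part of the original post: it parses the EAP-Message value from the debug output and compares the EAP Identity with the printed User-Name. The function names are hypothetical, and it assumes the debug output prints a literal backslash as `\\`.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# Values copied from the debug output quoted in the post.
SAMPLE_EAP = "0x020a0012014f50544152455c62726f75636f"
SAMPLE_USER_NAME = r"PRIVATE\\usertest"


def parse_eap(hex_value):
    """Parse one EAP-Message value (hex, optional 0x prefix) into its fields."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # A large EAP packet can be split over several EAP-Message attributes;
    # this example handles the single-attribute case only.
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident,
           "length": length, "type": None, "data": b""}
    if code in (1, 2) and length > 4:  # only Request/Response carry a type
        pkt["type"] = raw[4]
        pkt["data"] = raw[5:]
    return pkt


def eap_identity(hex_value):
    """Return the identity string of an EAP-Response/Identity, else None."""
    pkt = parse_eap(hex_value)
    if pkt["code"] != "Response" or pkt["type"] != EAP_TYPE_IDENTITY:
        return None
    return pkt["data"].decode("utf-8", errors="replace")


def debug_matches(user_name_printed, eap_hex):
    """True if the printed User-Name equals the EAP Identity in the same packet."""
    # Assumption: the debug output escapes a literal backslash as "\\".
    user_name = user_name_printed.replace("\\\\", "\\")
    ident = eap_identity(eap_hex)
    return ident is not None and ident == user_name


if __name__ == "__main__":
    print("EAP identity:", eap_identity(SAMPLE_EAP))
    print("matches User-Name:", debug_matches(SAMPLE_USER_NAME, SAMPLE_EAP))
```
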


