Another LDAP/MSCHAPv2 problem
Phil Mayers
p.mayers at imperial.ac.uk
Thu Feb 9 18:06:10 CET 2012
On 09/02/12 17:02, Phil Mayers wrote:
> On 09/02/12 16:49, Francois Gaudreault wrote:
>> On 12-02-09 11:41 AM, Alan Buxey wrote:
>>> hmm, with nt_domain_hack = yes and --username=%{%{mschap:User-Name}
>>> used for
>>> the auth attempt, things should work
>>
>> By saying "--username=%{mschap:user-name}" you refer to the ntlm_auth
>> line in the mschap module right? However, we are not using AD, we are
>> using LDAP populating the NT-Password field, we don't need this
>> ntlm_auth line in the mschap module do we? Like I said, it's working
>> well with user authentication.
>>
>
> Can you share the unobfuscated values for an attempt? The MS-CHAP
> challenge/response, NT-Password and User-Name? I've got a little script
> that performs blob generation and validation, and I can see if it's
> using name$ or host/name.domain as the challenge mix-in.
>
Also, maybe try this:
authorize {
    ...
    update request {
        MS-CHAP-User-Name = "%{mschap:User-Name}"
    }
    ...
}
This should expand to "name$" for "host/name.domain". The mschap module
will prefer MS-CHAP-User-Name as input to challenge generation, and
may work.
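The check Phil describes (does the client mix "name$" or "host/name.domain" into the MS-CHAPv2 challenge?), as an added example in Go that is not part of this thread or of FreeRADIUS: it implements ChallengeHash() and ChallengeResponse() from RFC 2759 over the NT hash that LDAP supplies as NT-Password, and reports which candidate name reproduces an observed NT-Response. The challenges, user name and hash in main() are the RFC 2759 section 9.2 test vector; the candidate names and the "observed" response are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// ChallengeHash() from RFC 2759: first 8 octets of SHA1(Peer || Auth || UserName);
// UserName is whatever the client mixed in ("host/name.domain" or "name$").
func challengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}
// ChallengeResponse() from RFC 2759: NT hash zero-padded to 21 octets, split into
// three 7-octet DES keys, each encrypting the 8-octet challenge (24 octets out).
func ntResponse(ntHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 24)
	for i := 0; i < 3; i++ {
		// Spread the 7-octet sub-key over 8 octets, 7 bits each, low (parity) bit clear.
		n := binary.BigEndian.Uint64(append([]byte{0}, padded[i*7:i*7+7]...))
		key := make([]byte, 8)
		for j := range key {
			key[j] = byte(n>>(49-7*uint(j))&0x7f) << 1
		}
		c, _ := des.NewCipher(key)
		c.Encrypt(resp[i*8:], challenge)
	}
	return resp
}
// matchingUser returns the candidate name that reproduces the observed NT-Response, or "".
func matchingUser(ntHash, peer, auth, observed []byte, candidates []string) string {
	for _, u := range candidates {
		if bytes.Equal(ntResponse(ntHash, challengeHash(peer, auth, u)), observed) {
			return u
		}
	}
	return ""
}
func main() { // RFC 2759 section 9.2 vector (UserName "User"); prints "d02e4386bce91226 User"
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	nt, _ := hex.DecodeString("44EBBA8D5312B8D611474411F56989AE")
	observed := ntResponse(nt, challengeHash(peer, auth, "User")) // constructed stand-in for the wire value
	fmt.Printf("%x %s\n", challengeHash(peer, auth, "User"), matchingUser(nt, peer, auth, observed, []string{"host/user.example", "user$", "User"}))
}
```

Feed it the unobfuscated challenge, NT-Password and NT-Response from a failing debug run and the candidate list tells you which spelling of the name the client used, which is what MS-CHAP-User-Name has to match.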
More information about the Freeradius-Users mailing list