Another LDAP/MSCHAPv2 problem
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 10 10:52:41 CET 2012
On 02/09/2012 07:55 PM, Francois Gaudreault wrote:
> Doing the MS-CHAP-User-Name change got me this error :
>
> mschapv2] # Executing group from file
> /etc/raddb/sites-enabled/packetfence-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Found NT-Password
> [mschap] ERROR: User-Name (host/dti-dahport) is not the same as MS-CHAP
> Name (dti-dahport$) from EAP-MSCHAPv2
Ah, of course.
I think you're going to need to rewrite the User-Name attribute instead;
that check is there to prevent clients from sending a User-Name that differs
from the MS-CHAP value, and thereby circumventing authorization checks.
I will try to come up with a patch that does all this properly later
today, but this should work:
authorize {
    ...
    if (User-Name =~ /^host\/([^.]+)/) {
        update request {
            User-Name := "%{1}$"
        }
    }
    ...
}
Note to the archives: This is NOT GENERAL ADVICE. This advice is
specific to the issue Francois is facing (performing machine auth with
access to the NT-Password, as opposed to via Active Directory).
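The following is an added example, not part of Phil's post and not FreeRADIUS code. It emulates in Python what the unlang snippet above does to User-Name (host/NAME[.suffix] becomes NAME$) and the consistency check rlm_mschap applies for EAP-MSCHAPv2 (User-Name must equal the MS-CHAP name), so the effect of the rewrite can be traced on constructed requests. The regex stops at the first dot, so the constructed User-Name with a DNS suffix is handled as well; that case, the sample requests and all function names are assumptions for illustration.

```python
import re

# Python equivalent of the unlang regex /^host\/([^.]+)/ from the post:
# capture the machine name after "host/" up to (not including) the first dot.
HOST_RE = re.compile(r"^host/([^.]+)")


def rewrite_user_name(user_name: str) -> str:
    """Emulate the authorize-section rewrite: User-Name := "%{1}$".

    A User-Name that does not start with "host/" is left untouched, just as
    the unlang "if" leaves ordinary user requests alone.
    """
    m = HOST_RE.match(user_name)
    if m:
        return m.group(1) + "$"
    return user_name


def mschap_name_check(user_name: str, mschap_name: str):
    """Emulate the rlm_mschap check quoted in the thread (assumed names).

    Returns (accepted, message). The check rejects any request whose outer
    User-Name differs from the name actually proven by the MS-CHAPv2 exchange.
    """
    if user_name != mschap_name:
        return False, (f"ERROR: User-Name ({user_name}) is not the same as "
                       f"MS-CHAP Name ({mschap_name}) from EAP-MSCHAPv2")
    return True, "User-Name matches MS-CHAP Name"


def process_request(user_name: str, mschap_name: str, apply_rewrite: bool):
    """Run one constructed request through (optional) rewrite, then the check.

    Returns (effective_user_name, accepted).
    """
    effective = rewrite_user_name(user_name) if apply_rewrite else user_name
    accepted, _ = mschap_name_check(effective, mschap_name)
    return effective, accepted


if __name__ == "__main__":
    # Constructed sample requests (outer User-Name, inner MS-CHAP name).
    samples = [
        ("host/dti-dahport", "dti-dahport$"),            # the case in the thread
        ("host/dti-dahport.corp.example", "dti-dahport$"),  # constructed: DNS suffix
        ("alice", "alice"),                              # ordinary user, untouched
        ("host/other-host", "dti-dahport$"),             # mismatch must still fail
    ]
    for rewrite in (False, True):
        print(f"--- rewrite {'enabled' if rewrite else 'disabled'} ---")
        for user_name, mschap_name in samples:
            effective, accepted = process_request(user_name, mschap_name, rewrite)
            print(f"{user_name:32} -> {effective:16} "
                  f"{'Access-Accept' if accepted else 'Access-Reject'}")
```

Without the rewrite the first request fails exactly as in Francois' debug output; with it the outer name becomes dti-dahport$ and matches. The last sample shows why the check matters: a client cannot claim one identity in User-Name while proving another inside EAP-MSCHAPv2, which is what authorization rules keyed on User-Name rely on.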