Working around broken EAP client

Phil Mayers p.mayers at imperial.ac.uk
Tue Jun 11 11:57:20 CEST 2013


Gordon Ross <gr306 at ucs.cam.ac.uk> wrote:

>I'm using Freeradius 2.1.10 as supplied with Ubuntu 12.04
>
>I'm wanting to use Freeradius to authenticate 802.1x clients. However,
>one client I need to authenticate I believe is "broken", in that it's
>stripping the suffix on the inner identity.
>
>From running freeradius -X I see:
>
>[mschap] ERROR: User-Name (68983 at phone.cam.ac.uk) is not the same as
>MS-CHAP Name (68983) from EAP-MSCHAPv2
>
>Putting the same credentials into an iPhone allows the iPhone to sign
>onto the network without problems. So I feel it's the client that's
>broken, and not my freeradius setup.
>
>I've seen some warnings that fixing the identity mis-match is a Bad
>Idea, but I need to get this client to work.
>
>I found a page[1] that has a similar problem, but for Windows domain
>prefixes being stripped. It suggests that adding:
>
>if ( User-Name =~ /^machine.*/ ) {
>     update request {
>         MS-CHAP-User-Name = "%{request:User-Name}"
>     }
>}
>
>to the inner configuration will fix it.
>
>Is it possible to do something similar to add the suffix if it's
>missing?
>
>Thanks,
>
>GTG
>-- 
>Gordon Ross
>
>[1]
>http://www.packetfence.org/support/faqs/article/authentication-error-user-name-is-not-the-same-as-ms-chap-name-from-eap-mschapv2.html?no_cache=1&cHash=557619254a0e733446140dcefbced985

Can we see a full debug? It might help people suggest options. The advice you seem to have dug up seems plain wrong - no idea why they think setting that will help as it will mangle the challenge/response.
-- 
Sent from my phone with, please excuse brevity and typos
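
Added example, not part of the original thread and not FreeRADIUS code: per RFC 2759 section 8.2 the user name is hashed into the MS-CHAPv2 challenge, so a server that substitutes a different name string derives a different challenge than the client did. The challenge bytes are constructed, and the "@" form of the outer name is an assumption (the archive shows " at ").

```python
import hashlib

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: first 8 octets of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def names_matching(client_hash, peer_challenge, auth_challenge, candidates):
    """Return the candidate names that reproduce the hash the client computed."""
    return [name for name in candidates
            if challenge_hash(peer_challenge, auth_challenge, name) == client_hash]

# Constructed sample challenges (not taken from any real exchange).
PEER = bytes.fromhex("00112233445566778899aabbccddeeff")
AUTH = bytes.fromhex("ffeeddccbbaa99887766554433221100")

# Names from the debug line in the thread: the client put the stripped name
# in its MS-CHAP response, while the outer User-Name carried the suffix.
INNER_NAME = "68983"
OUTER_NAME = "68983@phone.cam.ac.uk"  # assumption: " at " in the archive is "@"

def demo():
    # The client hashes the name it actually sent in the MS-CHAP response.
    client_hash = challenge_hash(PEER, AUTH, INNER_NAME)
    # The 8-octet hash is what gets DES-encrypted under the NT hash to form
    # NT-Response, so only a name that reproduces it can verify the response.
    return names_matching(client_hash, PEER, AUTH, [INNER_NAME, OUTER_NAME])

if __name__ == "__main__":
    print("stripped name :", challenge_hash(PEER, AUTH, INNER_NAME).hex())
    print("suffixed name :", challenge_hash(PEER, AUTH, OUTER_NAME).hex())
    print("names that verify:", demo())
```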