How can I change proxy based on username?
Phil Mayers
p.mayers at imperial.ac.uk
Tue Mar 26 16:35:52 CET 2013
On 26/03/2013 15:12, John Horne wrote:
>
>> What is the upstream proxy?
>>
> Microsoft domain controller (DC).

As in, Microsoft NPS running on a DC?
>
>> Can you explain why you want to do this? Obviously it's possible to
>> manipulate the packet in many ways, but your goal may be best
>> accomplished via a different route.
>> -
> The DC will recognise a user's userid (e.g. 'jbloggs') provided it has no
> realm. It will also recognise (what I think is the UPN?) which is of the
> form 'j.bloggs@plymouth.ac.uk'.

Well, this depends on how you have your AD set up.

Basically, this whole area is a nest of vipers. It's a complete pain
because Windows is inconsistent about when you have to use a
samAccountName, when you may use a userPrincipalName, and it's
complicated even further by the fact that mschap mixes the username (but
not any domain prefix/suffix) into the challenge/response crypto, so the
server has to know which "username" you used.

Just to check I understand you - you currently have an NPS instance that
will successfully authenticate:

jbloggs
j.bloggs@domain

...but fails on:

jbloggs@domain

Correct?

> However, we have to cater for a mixed format of
> 'jbloggs@plymouth.ac.uk', which is currently used by some users and
> working. To do this we need to strip off the realm so that the DC will
> recognise just the userid part ('jbloggs').

But as you say, this ought to cause EAP failures, so it's useless?
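
Added example, not part of the original message or of FreeRADIUS: a sketch of the MS-CHAPv2 ChallengeHash step from RFC 2759, showing why a proxy that rewrites User-Name can break authentication when the server then hashes a different string than the client did. The function names are hypothetical, the challenges are the RFC 2759 section 9.2 test values, and which username form a given supplicant actually hashes is an assumption passed in by the caller.

```python
import hashlib

# RFC 2759 section 9.2 test vector (16-octet challenges, UserName "User").
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_EXPECTED_HASH = "d02e4386bce91226"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be exactly 16 octets")
    data = peer_challenge + auth_challenge + username.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def rewrite_breaks_auth(client_name: str, server_name: str,
                        peer: bytes = RFC_PEER_CHALLENGE,
                        auth: bytes = RFC_AUTH_CHALLENGE) -> bool:
    """True when the name the server hashes yields a different 8-octet
    challenge than the name the client hashed. The NT-Response is derived
    from that challenge, so a mismatch means the response cannot verify
    even with the correct password."""
    return challenge_hash(peer, auth, client_name) != challenge_hash(peer, auth, server_name)


def compare_forms(names, peer=RFC_PEER_CHALLENGE, auth=RFC_AUTH_CHALLENGE):
    """Map each candidate username form to its challenge hash (hex)."""
    return {name: challenge_hash(peer, auth, name).hex() for name in names}


if __name__ == "__main__":
    # Sanity check against the RFC before trusting the comparison.
    assert challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE, "User").hex() == RFC_EXPECTED_HASH

    # Username forms taken from the thread; domain is the thread's example.
    forms = ["jbloggs", "jbloggs@plymouth.ac.uk", "j.bloggs@plymouth.ac.uk"]
    for name, digest in compare_forms(forms).items():
        print(f"{name:28s} {digest}")

    # Constructed scenario: client hashed the realm form, proxy stripped it.
    print("stripping realm breaks auth:",
          rewrite_breaks_auth("jbloggs@plymouth.ac.uk", "jbloggs"))
```

The DES step that turns the 8-octet challenge into the NT-Response is omitted; a differing challenge hash is already sufficient for the response check to fail.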