Freeradius authenticate against Active directory

Matthew Newton mcn4 at leicester.ac.uk
Fri Sep 13 11:17:27 CEST 2013


On Fri, Sep 13, 2013 at 12:23:47AM +0100, trevor obba wrote:
> expand: --username=%{mschap:User-Name:-None} -> --username=test at abc.ac.uk
...
> Exec-Program output: Logon failure (0xc00004f) 

> How can I fix the problem of authenticating users that type
> in their local realm @abc.ac.uk with their username as well as proxying eduroam
> users?
> Basically, how do I authenticate local users or strip the local
> realm before passing to Active Directory for authentication?

Use unlang to strip the realm off, something like this before the call to eap:

  if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) {
      update request {
          Stripped-User-Name := "%{1}"
      }
      if ("%{3}") {
          update request {
              Realm := "%{3}"
          }
      }
      else {
          # this will reject requests that have no realm
          reject
      }
  }

Then in your mschap module config use Stripped-User-Name instead of User-Name, e.g.

  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=abc.ac.uk --username=%{Stripped-User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
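The realm-stripping policy in Matthew's reply, modelled as a small Python script so the three outcomes of the unlang block (realm stripped, no realm so reject, regex not matched so nothing changes) can be checked against sample User-Names. This is an added example, not code from the list post or from FreeRADIUS; the User-Names, the `LOCAL_REALM` constant, and the helper names are constructed for illustration, and the POSIX `[:alnum:]` class has been rewritten as `A-Za-z0-9` because Python's `re` module does not support POSIX bracket expressions.

```python
import re

# Python form of the unlang regex from the post:
#   ^([^@]*)(@([-[:alnum:].]+))?$
# group 1 = bare user, group 3 = realm (None when no '@' is present).
# [:alnum:] is written as A-Za-z0-9 here (Python re has no POSIX classes).
REALM_RE = re.compile(r"^([^@]*)(@([-A-Za-z0-9.]+))?$")

# Constructed: the local realm from the post's example; anything else is
# treated as a realm to be proxied (e.g. other eduroam participants).
LOCAL_REALM = "abc.ac.uk"


def split_user_name(user_name):
    """Apply the post's realm-stripping policy to one User-Name.

    Returns (action, attrs): action is 'updated', 'reject' or 'noop', and
    attrs holds the request attributes the unlang block would leave behind.
    """
    m = REALM_RE.match(user_name)
    if m is None:
        # Regex did not match (two '@' signs, a space, a character outside
        # the realm class): the whole if-block is skipped and the request
        # carries on with User-Name untouched and no Stripped-User-Name.
        return "noop", {"User-Name": user_name}

    # 'update request { Stripped-User-Name := "%{1}" }' runs first, so the
    # stripped name is set even on the reject path.
    attrs = {"User-Name": user_name, "Stripped-User-Name": m.group(1)}

    realm = m.group(3)
    if not realm:
        # 'if ("%{3}")' is false on an empty expansion: no realm -> reject.
        return "reject", attrs

    attrs["Realm"] = realm
    return "updated", attrs


def route(user_name):
    """Decide what the server would do next with this User-Name.

    'local'      -> realm is ours, authenticate via mschap/ntlm_auth
    'proxy'      -> foreign realm, hand the request to the proxy path
    'reject'     -> no realm supplied
    'unstripped' -> regex did not match; User-Name goes through as-is
    """
    action, attrs = split_user_name(user_name)
    if action == "reject":
        return "reject"
    if action == "noop":
        return "unstripped"
    return "local" if attrs["Realm"].lower() == LOCAL_REALM else "proxy"


def ntlm_auth_argv(attrs, challenge="00", nt_response="00"):
    """Build the ntlm_auth command line from the post, as an argv list.

    Shows what --username receives once the mschap module is pointed at
    Stripped-User-Name: the bare account name, not user@realm. The
    challenge / nt-response values default to the post's '-00' fallbacks.
    (Constructed helper; the real module expands this as one string.)
    """
    username = attrs.get("Stripped-User-Name", "")
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        "--domain=%s" % LOCAL_REALM,
        "--username=%s" % username,
        "--challenge=%s" % challenge,
        "--nt-response=%s" % nt_response,
    ]


if __name__ == "__main__":
    # Constructed sample User-Names covering each branch of the policy.
    for name in ("test@abc.ac.uk", "alice@otheruni.ac.uk", "test", "a@b@c"):
        action, attrs = split_user_name(name)
        print("%-22s action=%-8s route=%-10s %s" % (name, action, route(name), attrs))
    print(" ".join(ntlm_auth_argv(split_user_name("test@abc.ac.uk")[1])))
```

Running the script shows that `test@abc.ac.uk` ends up with `Stripped-User-Name = test` and `Realm = abc.ac.uk` and is routed locally, a foreign realm is routed to the proxy path, a bare `test` hits the `reject`, and a name the regex cannot parse passes through unchanged, which is the case to watch if the policy is expected to be the only gate before `ntlm_auth`.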
