FR 3.0.4: MS-CHAP2-Response is incorrect
Alan DeKok
aland at deployingradius.com
Tue Dec 2 14:54:40 CET 2014
On Dec 2, 2014, at 4:52 AM, Heiko O <puettagoras at gmail.com> wrote:
> Authentication works fine when users only enter "username", but I want
> the users to login with something like "username at thedomain.net". But
> when doing this I get
>
> (0) preprocess : --> testuser
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
> (0) [mschap] = ok
> (0) [digest] = noop
> (0) suffix : Checking for suffix after "@"
> (0) suffix : No '@' in User-Name = "testuser", looking up realm NULL
> (0) suffix : No such realm "NULL"
> (0) [suffix] = noop
> (0) eap : No EAP-Message, not doing EAP
> (0) [eap] = noop
> (0) sql : EXPAND %{User-Name}
> (0) sql : --> testuser
So… are you logging in as “username at thedomain.net”, or as “testuser”?
> I did a lot of trial and error with suffix and Strip and configuring,
> but I can't get mschap to work.
The default configuration works. Try it.
> How can I teach mschap to work with "user at thedomain.net"?
> BTW: The radcheck-table contains simply "username" with no realms, and
> that cannot be changed.
That’s fine. The SQL lookups are done using the Stripped-User-Name. The MS-CHAP calculations are done using the normal User-Name.
> The second question is about proxying. Since there is only one
> RADIUS-Server, proxying is not needed. I wonder if I really have to
> add a realm and proxy the request to localhost.
No.
> Is there a way to say "Hey, just answer all queries with
> @thedomain.org and don't proxy it to yourself"?
Read raddb/proxy.conf. This is documented.
Alan DeKok.
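
Added example, not part of the original message and not FreeRADIUS code: it shows why the MS-CHAPv2 calculation has to use the full User-Name while SQL can use the stripped one. In RFC 2759 the 8-octet challenge that the NT-Response encrypts is derived from the user name the client sent, so a stripped name yields a different value. The `strip_realm` helper and the sample user name are assumptions made for illustration.

```python
import hashlib

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(peer || auth || user name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge must be 16 octets each")
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def strip_realm(user_name: str) -> str:
    """Simplified stand-in for realm stripping (assumption): drop the last '@' and what follows."""
    local, sep, _realm = user_name.rpartition("@")
    return local if sep else user_name

def matching_names(client_hash: bytes, peer: bytes, auth: bytes, candidates: dict) -> list:
    """Return the labels of the candidate names that reproduce the client's hash."""
    return [label for label, name in candidates.items()
            if challenge_hash(peer, auth, name) == client_hash]

# Challenges taken from the RFC 2759 section 9.2 test vectors.
PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")

# Constructed sample: the name the user types, realm included.
TYPED = "testuser@thedomain.net"

def demo() -> list:
    # The client derives the challenge from the name exactly as it was typed.
    client_hash = challenge_hash(PEER, AUTH, TYPED)
    candidates = {"User-Name": TYPED, "Stripped-User-Name": strip_realm(TYPED)}
    return matching_names(client_hash, PEER, AUTH, candidates)

if __name__ == "__main__":
    print("names that reproduce the client's challenge hash:", demo())
```

Only the unstripped name reproduces the client's challenge, so a server that verified the response against the stripped name would compute a different NT-Response and reject a correct password.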