MSCHAP Machine/User Authentication with Windows

Matthew Newton mcn4 at leicester.ac.uk
Mon May 11 11:48:38 CEST 2015


On Mon, May 11, 2015 at 05:18:06PM +1000, Tynan Young wrote:
> I have a near default freeradius3 setup using NTLM to authenticate our
> PEAP MSCHAP wireless clients. Non-windows machines work fine (mac,
> phones etc), but I'm having difficulty getting Windows 7/8
> authenticated using machine authentication or user authentication.

...

> Received Access-Request Id 221 from 172.17.6.253:32985 to
> 192.168.254.181:1812 length 218
> User-Name = 'TESTDOMAIN\\testuser'
> NAS-IP-Address = 172.17.6.253
...
> (10)   authorize {
> (10)   filter_username filter_username {
> (10)     if (User-Name != "%{tolower:%{User-Name}}")
> (10) EXPAND %{tolower:%{User-Name}}
> (10)    --> testdomain\\testuser
> (10)     if (User-Name != "%{tolower:%{User-Name}}")  -> TRUE
> (10)    if (User-Name != "%{tolower:%{User-Name}}")  {
> (10)     [reject] = reject
> (10)    } # if (User-Name != "%{tolower:%{User-Name}}")  = reject
> (10)   } # filter_username filter_username = reject
> (10)  } #  authorize = reject
> (10) Invalid user: [TESTDOMAIN\\testuser] (from client
> ap1-38-wlsclt-00 port 0 cli 5C514FFA8C73)

This.

Look at raddb/policy.d/filter, and ensure the unlang in
"filter_username" that is to reject mixed-case usernames is
commented out.

Or upgrade to v3.0.8, where this issue is fixed.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
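
One way to check the advice in this reply, as an added example that is not part of the original message and is not FreeRADIUS project code: the Python below reports whether the mixed-case test seen in the debug output is still active (uncommented) inside `filter_username`. The function names and the sample policy text are constructed for illustration; point it at the contents of your own raddb/policy.d/filter.

```python
import re

# The condition shown in the debug output above; the optional "&" is unlang's
# attribute-reference prefix.
MIXED_CASE_RE = re.compile(
    r'if\s*\(\s*&?User-Name\s*!=\s*"%\{tolower:%\{User-Name\}\}"\s*\)')
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')

def strip_comment(line):
    """Drop a '#' comment, ignoring any '#' inside a double-quoted string."""
    in_quote = escaped = False
    for i, ch in enumerate(line):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line

def active_mixed_case_checks(policy_text, policy="filter_username"):
    """Line numbers of uncommented mixed-case tests inside the named policy."""
    hits, depth, inside = [], 0, False
    start = re.compile(r"\s*" + re.escape(policy) + r"\s*\{")
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        code = strip_comment(raw)
        if not inside and start.match(code):
            inside, depth = True, 0
        if not inside:
            continue
        if MIXED_CASE_RE.search(code):
            hits.append(lineno)
        bare = QUOTED_RE.sub('""', code)  # braces inside strings do not nest
        depth += bare.count("{") - bare.count("}")
        inside = depth > 0
    return hits

# Constructed sample, not the shipped raddb/policy.d/filter.
SAMPLE = r'''
filter_username {
    if (&User-Name) {
        if (&User-Name != "%{tolower:%{User-Name}}") {
            reject
        }
    }
}
'''

if __name__ == "__main__":
    print(active_mixed_case_checks(SAMPLE))
```

An empty list means the test is commented out or absent, which is the state the reply asks for on versions before v3.0.8.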

