UPN and mschap issues

Phil Mayers p.mayers at imperial.ac.uk
Fri Nov 27 11:10:11 CET 2015

On 27/11/15 09:44, Franks Andy (IT Technical Architecture Manager) wrote:

> Anything inside the EAP tunnel doesn't like you playing with the
> username though, so we can't do UPN based MSCHAPv2 lookup - UPN
> format doesn't work, as far as I can tell, with the ntlm_auth program
> and I can't update the username. I can force the mschap auth process
> to use an alternative user name, but the hash then doesn't work, and
> I can't work out how to update the mschap:user-name. All this is

Altering the in-packet username or the username on the ntlm_auth command 
line is futile; as you've indicated, the client does the crypto on the 
basis of the UPN, and that's what you need to pass to ntlm_auth so that 
it can be in turn passed to the DC and mixed into the chal/resp 
verification/calculation correctly.

I was under the impression that ntlm_auth should work with a UPN where 
LHS != samaccountname, but it's really a Samba question - I'd suggest 
asking on the Samba list.

I don't have any easy way to test locally I'm afraid.

More information about the Freeradius-Users mailing list
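To make the point in Phil's reply concrete (the client mixes the username into the challenge/response computation, so a username that differs on the server side can never verify), here is an added example that is not part of the original thread and is not FreeRADIUS, Samba or ntlm_auth code. It implements only the ChallengeHash() step of RFC 2759 section 8.2, which is the place the username enters the MS-CHAPv2 NT-Response; the NT hash (MD4 of the password) and the three DES operations that follow are omitted. The 16-byte challenges and the usernames are constructed values, and the UTF-8 encoding of the username is an assumption for this illustration.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    Challenge = SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]
    The 8-byte result is the DES plaintext used to build the 24-byte
    NT-Response, so any change to UserName changes the response the
    verifier expects.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    # RFC 2759 hashes the octets of UserName as the client sent them;
    # UTF-8 is assumed here for the constructed example.
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


# Constructed, deterministic inputs (not captured traffic).
PEER_CHALLENGE = bytes(range(16))
AUTHENTICATOR_CHALLENGE = bytes(range(16, 32))
CLIENT_USERNAME = "andy@example.com"   # the UPN the supplicant was configured with
REWRITTEN_USERNAME = "andy"            # the sAMAccountName an admin might substitute


def compare_username_handling(client_username: str, server_username: str) -> dict:
    """Show whether the verifier will derive the same 8-byte challenge as the client.

    The client computes its response from client_username. If the server
    (FreeRADIUS -> ntlm_auth -> DC) verifies using server_username instead,
    the two derived challenges differ and the response cannot match, no
    matter how the password hash is handled afterwards.
    """
    client_side = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, client_username)
    server_side = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, server_username)
    return {
        "client_challenge": client_side.hex(),
        "server_challenge": server_side.hex(),
        "verifies": client_side == server_side,
    }


if __name__ == "__main__":
    # Server rewrites the username to the sAMAccountName: verification must fail.
    print(compare_username_handling(CLIENT_USERNAME, REWRITTEN_USERNAME))
    # Server passes the UPN through unchanged: the derived challenges agree.
    print(compare_username_handling(CLIENT_USERNAME, CLIENT_USERNAME))
```

Run it and the first result reports `verifies: False`, the second `verifies: True`. That is the whole reason altering the username in the packet or on the ntlm_auth command line cannot work: the fix has to be to pass the UPN through exactly as the client used it.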