UPN and mschap issues
Phil Mayers
p.mayers at imperial.ac.uk
Fri Nov 27 11:10:11 CET 2015
On 27/11/15 09:44, Franks Andy (IT Technical Architecture Manager) wrote:
> Anything inside the EAP tunnel doesn't like you playing with the
> username though, so we can't do UPN based MSCHAPv2 lookup - UPN
> format doesn't work, as far as I can tell, with the ntlm_auth program
> and I can't update the username. I can force the mschap auth process
> to use an alternative user name, but the hash then doesn't work, and
> I can't work out how to update the mschap:user-name. All this is
Altering the in-packet username or the username on the ntlm_auth command
line is futile; as you've indicated, the client does the crypto on the
basis of the UPN, and that's what you need to pass to ntlm_auth so that
it can be in turn passed to the DC and mixed into the chal/resp
verification/calculation correctly.
I was under the impression that ntlm_auth should work with a UPN where
LHS != samaccountname, but it's really a Samba question - I'd suggest
asking on the Samba list.
I don't have any easy way to test locally I'm afraid.
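As an added illustration (not code from this thread, FreeRADIUS or Samba) of why the user name cannot be swapped once the client has computed its response: RFC 2759's ChallengeHash feeds the user name octets into the 8-byte challenge that the NT-Response is built over, so a verifier that substitutes a different name derives a different challenge and the response can never match. The challenge values and names below are constructed sample input.

```python
import hashlib

# RFC 2759 section 8.2, ChallengeHash: SHA-1 over PeerChallenge (16 octets),
# AuthenticatorChallenge (16 octets) and the user name, truncated to 8 octets.
# The NT-Response is then DES-encrypted over this value using the NT password
# hash as key (not shown here), so the 8 bytes must agree on both ends.
def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    # The octets must be exactly what the client hashed; encoding is the
    # caller's responsibility and UTF-8 is assumed here.
    data = peer_challenge + authenticator_challenge + username.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def verifier_sees_same_challenge(peer_challenge: bytes, authenticator_challenge: bytes,
                                 client_username: str, verifier_username: str) -> bool:
    """True only if the name the verifier passes on (e.g. to ntlm_auth and the DC)
    reproduces the 8-byte challenge the client actually used."""
    client_side = challenge_hash(peer_challenge, authenticator_challenge, client_username)
    verifier_side = challenge_hash(peer_challenge, authenticator_challenge, verifier_username)
    return client_side == verifier_side


# Constructed sample challenges (a real client picks random values).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))
CLIENT_UPN = "alice@example.com"       # what the supplicant hashed
SAM_ACCOUNT_NAME = "alice"             # a rewritten name the verifier might try


def demo() -> dict:
    """Return the outcome for the matching and the rewritten user name."""
    return {
        "same_upn": verifier_sees_same_challenge(PEER_CHALLENGE, AUTH_CHALLENGE, CLIENT_UPN, CLIENT_UPN),
        "rewritten": verifier_sees_same_challenge(PEER_CHALLENGE, AUTH_CHALLENGE, CLIENT_UPN, SAM_ACCOUNT_NAME),
    }


if __name__ == "__main__":
    print(demo())
```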