UPN and mschap issues

Franks Andy (IT Technical Architecture Manager) Andy.Franks at sath.nhs.uk
Fri Nov 27 11:25:57 CET 2015

Thanks Phil,
  Suspected as much, I've checked the previous Samba mailing lists but can't see much, I'll give it a go anyway, posted here as it may have been a common issue, or someone may have jumped up and said "highly experimental feature X/ *libwbclient?* fixes that"..
Thanks again

> Anything inside the EAP tunnel doesn't like you playing with the 
> username though, so we can't do UPN based MSCHAPv2 lookup - UPN format 
> doesn't work, as far as I can tell, with the ntlm_auth program and I 
> can't update the username. I can force the mschap auth process to use 
> an alternative user name, but the hash then doesn't work, and I can't 
> work out how to update the mschap:user-name. All this is

Altering the in-packet username or the username on the ntlm_auth command line is futile; as you've indicated, the client does the crypto on the basis of the UPN, and that's what you need to pass to ntlm_auth so that it can be in turn passed to the DC and mixed into the chal/resp verification/calculation correctly.

I was under the impression that ntlm_auth should work with a UPN where LHS != samaccountname, but it's really a Samba question - I'd suggest asking on the Samba list.

I don't have any easy way to test locally I'm afraid.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list