UPN and mschap issues

Isaac Boukris iboukris at gmail.com
Sat Nov 28 19:54:12 CET 2015

On Fri, Nov 27, 2015 at 12:10 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 27/11/15 09:44, Franks Andy (IT Technical Architecture Manager) wrote:
>> Anything inside the EAP tunnel doesn't like you playing with the
>> username though, so we can't do UPN based MSCHAPv2 lookup - UPN
>> format doesn't work, as far as I can tell, with the ntlm_auth program
>> and I can't update the username. I can force the mschap auth process
>> to use an alternative user name, but the hash then doesn't work, and
>> I can't work out how to update the mschap:user-name. All this is
> Altering the in-packet username or the username on the ntlm_auth command
> line is futile; as you've indicated, the client does the crypto on the basis
> of the UPN, and that's what you need to pass to ntlm_auth so that it can be
> in turn passed to the DC and mixed into the chal/resp
> verification/calculation correctly.
> I was under the impression that ntlm_auth should work with a UPN where LHS
> != samaccountname, but it's really a Samba question - I'd suggest asking on
> the Samba list.

I also suspect the bug is in samba.
I think windows assumes UPN when it sees the '@' sign and will
retrieve the correct user.
I can tell that UPN (where LHS!=samaccountname) works fine with HTTP
against IIS using NTLM authentication.
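An added example (not code from this thread or from FreeRADIUS) showing why the username cannot be swapped out on the server side: in MS-CHAPv2 (RFC 2759) the 8-byte challenge the client signs is SHA-1 over the peer challenge, the authenticator challenge and the username as sent, so a verifier that feeds ntlm_auth a different name than the client used (e.g. the sAMAccountName instead of the UPN) computes a different challenge and the response cannot match. Only the challenge-hash step is shown, as the NT-Response itself needs MD4 and DES, which the standard library lacks; the user names and challenge bytes are constructed for illustration.

```python
import hashlib


def challenge_input_name(username: str) -> str:
    """Name as RFC 2759 feeds it into ChallengeHash: a prepended
    'DOMAIN\\' is dropped, but a UPN 'user@realm' is used whole."""
    return username.split("\\", 1)[1] if "\\" in username else username


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: first 8 bytes of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be exactly 16 bytes")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(challenge_input_name(username).encode("utf-8"))
    return h.digest()[:8]


def verifier_challenge_matches(peer_challenge: bytes, auth_challenge: bytes,
                               client_username: str, verifier_username: str) -> bool:
    """True only if the name the verifier passes on (to ntlm_auth / the DC)
    reproduces the challenge the client actually signed."""
    return challenge_hash(peer_challenge, auth_challenge, client_username) == \
        challenge_hash(peer_challenge, auth_challenge, verifier_username)


# Constructed sample values (not from a real exchange).
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
UPN = "alice@corp.example"    # what the supplicant sent inside the EAP tunnel
SAM = "alice"                 # the sAMAccountName the server might be tempted to use


def demo() -> dict:
    return {
        "same_name_verifies": verifier_challenge_matches(PEER, AUTH, UPN, UPN),
        "upn_vs_sam_verifies": verifier_challenge_matches(PEER, AUTH, UPN, SAM),
        "domain_prefix_ignored": verifier_challenge_matches(PEER, AUTH, "CORP\\alice", SAM),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The domain-prefix case shows the asymmetry that bites here: `CORP\alice` and `alice` hash to the same challenge, but `alice@corp.example` and `alice` do not, so the UPN must reach ntlm_auth unchanged.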