Realm Strip
Dennis Xu
dxu at uoguelph.ca
Wed Sep 9 15:48:49 CEST 2015
This is our setup: we put a FreeRadius version 2.1.10 on Ubuntu in front of the Cisco ACS 5 and we need the FreeRadius to strip the suffix starting from @ and just pass the username to ACS 5 for authentication (with AD). We use PEAP MS-CHAPv2. It did not work. ACS5 still sees the whole username (i.e., dxu at uoguelph.ca) with the suffix.
I added the following to the proxy.conf file:

    realm uoguelph.ca {
        type = radius
        authhost = acs5-test2.uoguelph.ca:1812
        accthost = acs5-test2.uoguelph.ca:1813
        secret = testing123
    }

I added the following to the radiusd.conf file:

    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }

    authorize {
        preprocess
        mschap
        suffix
        eap
        files
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
    }

Did I miss anything?
Does FreeRadius strip the realm for both inner and outer IDs for peap authentication?
Thank you for your help!
---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph
519-824-4120 Ext 56217
dxu at uoguelph.ca
www.uoguelph.ca/ccs
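
For the setup described in the post above, one way to see which identity field still carries the realm is to inspect the attributes of a proxied Access-Request: the RADIUS User-Name attribute and the EAP-Response/Identity carried in EAP-Message are separate fields, and the inner PEAP identity travels inside the TLS tunnel, so it does not appear in the packet at all. This is an added example, not part of the original post and not FreeRADIUS code; the sample packet, the identity alice@example.org and all function names are constructed for illustration.

```python
import struct

USER_NAME, EAP_MESSAGE = 1, 79     # RADIUS attribute types (RFC 2865, RFC 3579)
EAP_RESPONSE, EAP_IDENTITY = 2, 1  # EAP code and type (RFC 3748)

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data):
    """Walk the attribute section of a RADIUS packet (bytes after the 20-byte header)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def eap_identity(eap):
    """Return the identity from an EAP-Response/Identity packet, or None."""
    if len(eap) < 5:
        return None
    code, _id, length, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or etype != EAP_IDENTITY or not 5 <= length <= len(eap):
        return None
    return eap[5:length].decode("utf-8", "replace")

def realm_of(name, delimiter="@"):
    """Suffix-style realm: text after the last delimiter, or None if absent."""
    _user, sep, realm = name.rpartition(delimiter)
    return realm if sep else None

def realm_report(attr_bytes):
    """Show which identity fields of one Access-Request still carry a realm."""
    user_name, eap = None, b""
    for atype, value in parse_attributes(attr_bytes):
        if atype == USER_NAME:
            user_name = value.decode("utf-8", "replace")
        elif atype == EAP_MESSAGE:
            eap += value  # a long EAP packet is split over several attributes
    ident = eap_identity(eap)
    return {"user_name_realm": realm_of(user_name) if user_name else None,
            "eap_identity_realm": realm_of(ident) if ident else None}

# Constructed sample: User-Name without a realm, EAP identity with one.
IDENT = b"alice@example.org"
SAMPLE = attr(USER_NAME, b"alice") + attr(
    EAP_MESSAGE, struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(IDENT), EAP_IDENTITY) + IDENT)

if __name__ == "__main__":
    print(realm_report(SAMPLE))
```
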