Change username for MSCHAPv2
Alan DeKok
aland at deployingradius.com
Fri Jun 30 19:25:26 CEST 2017
On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele at verzeletti.org> wrote:
>
> Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap.
> I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP and MSCHAPv2 against Active directory.
> User accounts are identified by userPrincipalName, but ntlm_auth is not able to authenticate using this attribute, it looks into sAMAccountName.
ntlm_auth just passes data from FreeRADIUS to AD. If the user is being rejected, it's not because of ntlm_auth.
> With an external script I'm able to perform a query on Active Directory and retrieve the sAMAccountName, but if I update the attribute User-Name using
>
> authorize {
> update request {
> User-Name := `/path/to/my/script '%{User-Name}'`
> }
> }
Don't edit the User-Name. It's wrong.
You also don't need to run a script to do this. FreeRADIUS can do LDAP queries natively.
> I have an error in the log
>
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0) authenticate {
> (0) eap: Identity does not match User-Name, setting from EAP Identity
> (0) eap: Failed in handler
> (0) [eap] = invalid
> (0) } # authenticate = invalid
Yup
In the short term, you can do:
authorize {
update request {
Stripped-User-Name := `/path/to/my/script '%{User-Name}'`
}
}
And be sure that the configuration line which runs ntlm_auth uses Stripped-User-Name.
Alan DeKok.
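The two pieces Alan's short-term fix needs, written out as an added example (this is not configuration from the original thread or from the FreeRADIUS project files; the server name, bind credentials, base DN and the `/path/to/my/script` path taken from the post are assumptions, and the LDAP module stanza is one way of doing the native lookup he mentions). Because the inner EAP-MSCHAPv2 exchange runs in the inner-tunnel virtual server, the Stripped-User-Name update belongs in that server's authorize section, before authenticate runs ntlm_auth. User-Name is never modified, so the EAP module's "Identity does not match User-Name" check is not triggered.

```unlang
# --- sites-available/inner-tunnel, authorize section ---
# Option A (what the post did, moved to the correct attribute): an external
# script maps userPrincipalName -> sAMAccountName. Only the returned value
# is changed; User-Name stays as the EAP identity sent by the supplicant.
authorize {
    if (&User-Name =~ /@/) {
        update request {
            &Stripped-User-Name := `/path/to/my/script '%{User-Name}'`
        }
    }
    ...
    eap
    ...
}

# --- Option B: native LDAP lookup instead of the script (assumed values) ---
# mods-available/ldap: the module expands and LDAP-escapes the filter itself,
# so the UPN taken from User-Name is not spliced into the filter unescaped.
ldap {
    server     = 'dc1.example.com'            # assumption
    identity   = 'cn=radius,ou=svc,dc=example,dc=com'   # assumption
    password   = 'change-me'                  # assumption
    base_dn    = 'dc=example,dc=com'          # assumption
    user {
        base_dn = "${..base_dn}"
        filter  = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    # Map the AD attribute onto the request list; mschap reads it below.
    update {
        request:Stripped-User-Name := 'sAMAccountName'
    }
}

# sites-available/inner-tunnel, authorize section, when using Option B:
#   authorize {
#       ...
#       ldap    # sets Stripped-User-Name from sAMAccountName
#       eap
#       ...
#   }

# --- mods-available/mschap: ntlm_auth must read Stripped-User-Name first ---
# This is the shape of the stock v3 ntlm_auth line; note the fallback chain
# Stripped-User-Name -> User-Name -> None.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Check the result with `radiusd -X`: the inner-tunnel debug output should show Stripped-User-Name being set in authorize and the ntlm_auth command line expanding to the sAMAccountName, while User-Name still shows the original userPrincipalName. If the LDAP bind account can only read a subset of the directory, the lookup returns "notfound" and Stripped-User-Name stays unset, so the fallback to User-Name reproduces the original rejection; that is the first thing to look for if Option B does not help.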