Change username for MSCHAPv2
Gabriele Verzeletti
gabriele at verzeletti.org
Fri Jun 30 21:45:39 CEST 2017
Hello and thank you for the suggestion.
I've already tried to set the value in Stripped-User-Name. In the log I can see
the script running successfully, and the value is set in Stripped-User-Name, but
when it's passed to ntlm_auth the string is empty.
On 30 Jun 2017 7:25 PM, "Alan DeKok" <aland at deployingradius.com> wrote:
> On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele at verzeletti.org>
> wrote:
> >
> > Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap.
> > I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP
> > and MSCHAPv2 against Active directory.
> > User accounts are identified by userPrincipalName, but ntlm_auth is not
> > able to authenticate using this attribute, it looks into samAccountName.
>
> ntlm_auth just passes data from FreeRADIUS to AD. If the user is being
> rejected, it's not because of ntlm_auth.
>
> > With an external script I'm able to perform a query on active directory
> > and retrieve the samAccountName, but if I update the attribute User-Name
> > using
> >
> > authorize {
> >     update request {
> >         User-Name := `/path/to/my/script '%{User-Name}'`
> >     }
> > }
>
> Don't edit the User-Name. It's wrong.
>
> You also don't need to run a script to do this. FreeRADIUS can do LDAP
> queries natively.
>
> > I have an error in the log
> >
> > (0) # Executing group from file /etc/raddb/sites-enabled/default
> > (0) authenticate {
> > (0) eap: Identity does not match User-Name, setting from EAP Identity
> > (0) eap: Failed in handler
> > (0) [eap] = invalid
> > (0) } # authenticate = invalid
>
> Yup
>
> In the short term, you can do:
>
> authorize {
>     update request {
>         Stripped-User-Name := `/path/to/my/script '%{User-Name}'`
>     }
> }
>
> And be sure that the configuration line which runs ntlm_auth uses
> Stripped-User-Name.
>
> Alan DeKok.