Masquerading MSCHAPv2 User-Name?
David Herselman
dhe at syrex.co
Fri Feb 19 21:08:33 CET 2021
The following appears to work:
authorize {
    <snip>
    update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
    # Match a 12-character key ID prefix plus 32 modhex characters
    # and map it to an account name.
    if (User-Name =~ /^cccccct00001[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}}
    if (User-Name =~ /^cccccct00002[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}}
    if (&sAMAccountName) {
        # Keep the OTP for the yubikey module and select the combined Auth-Type.
        update request {Yubikey-OTP = "%{User-Name}"}
        update control {Auth-Type := "YubiCHAP"}
    }
    <snip>
    # Present the account name to the files module, then restore the OTP as User-Name.
    if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}
    files
    if (&sAMAccountName) {update request {User-Name := "%{Yubikey-OTP}"}}
    <snip>
authenticate {
    Auth-Type YubiCHAP {
        mschap
        yubikey
    }
Regards
David Herselman
________________________________
My next puzzle is how to call the yubikey module. I'd naively thought I could stick it in post-auth, to do some kind of late reject. Most probably need to spend some time trawling the web to find out how to trigger the yubikey auth after mschap...