On 10/06/11 15:32, joanroldan wrote:
> Hi everybody,
> I have taken a look at this post:
> http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html

The issue mentioned in that post was fixed in 2.1.10.
Are you running 2.1.10?

> And I totally agree with the behaviours described in the table.

Do you? That table does NOT contain:
user@domain
...format credentials.

> I have been experiencing the same. If I type the credentials at the prompt of
> the Windows supplicant like
> MYDOMAIN.COM\user
> password
> The request is accepted:
> Fri Jun 10 15:58:51 2011 : Info: ++[eap] returns ok
> Fri Jun 10 15:58:51 2011 : Auth: Login OK: [IRTA_NT\\jroldan/<via Auth-Type
> = EAP>] (from client WLC_SSCC port 1 cli 00-26-B6-59-F1-EA)
> But if I type
> u...@mydomain.com
> password
> I get the next info:

This is not useful. Please show a full debug, from running "radiusd -X |
tee log".

> As the configuration of freeradius is for eduroam purpose it would be nice
> that user enter the credentials like u...@domain.com, and in function of the
> domain the request would be proxied or not.
> Is it possible to use this format in spite of NT-domain?

Yes, you just need to configure it appropriately. I suspect your
problem is that your "ntlm_auth" line is expanding to:

    ntlm_auth --username=user@domain ...

...which won't work. %{mschap:User-Name} only handles

    DOMAIN\user
    host/name.domain.com
    plainuser

...it does NOT handle:

    user@domain

...but it maybe (probably?) should.

Since a virtual server which is handling eduroam should *ALWAYS* see
user@domain, you can write something like this in "inner-tunnel":

    authorize {
        if (User-Name =~ /^([^@]*)@(.+)$/) {
            update request {
                Stripped-User-Name := "%{1}"
                Realm := "%{toupper:%{2}}"
            }
        }
        else {
            reject
        }
        # FIXME: you should check the Realm here is one of yours
        # ...other modules
    }

...and then in modules/mschap, the "ntlm_auth" config:

    --username=%{Stripped-User-Name:-%{mschap:User-Name}}

...which will expand as follows:

    user@domain -> --username=user
    DOMAIN\user -> --username=user
    user        -> --username=user

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
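
Added example (not part of the original message, and not FreeRADIUS code): a Python model of the rewrite described in the reply above, for checking which --username value ntlm_auth would receive for each identity format. The function names, the LOCAL_REALMS allow-list, and the choice to reject a realm that is not in it are assumptions made for illustration; the host/name.domain.com form is not modelled.

```python
import re

# Same pattern as the unlang condition in the reply.
USER_AT_REALM = re.compile(r"^([^@]*)@(.+)$")

# Hypothetical allow-list standing in for the FIXME realm check (constructed value).
LOCAL_REALMS = {"MYDOMAIN.COM"}


def mschap_user_name(user_name):
    """Model of %{mschap:User-Name} for the DOMAIN\\user and plain-user rows
    of the expansion table in the reply. host/... is not modelled here."""
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def inner_tunnel_authorize(user_name):
    """Model of the authorize block: returns the request attributes,
    or None where the block would reject."""
    m = USER_AT_REALM.match(user_name)
    if m is None:
        return None                       # else { reject }
    realm = m.group(2).upper()            # Realm := "%{toupper:%{2}}"
    if realm not in LOCAL_REALMS:
        return None                       # assumption: FIXME check rejects foreign realms
    return {
        "User-Name": user_name,
        "Stripped-User-Name": m.group(1), # Stripped-User-Name := "%{1}"
        "Realm": realm,
    }


def ntlm_auth_username(request):
    """Model of --username=%{Stripped-User-Name:-%{mschap:User-Name}}:
    use Stripped-User-Name when set, else fall back to the mschap expansion."""
    stripped = request.get("Stripped-User-Name")
    return stripped if stripped else mschap_user_name(request["User-Name"])


if __name__ == "__main__":
    # Constructed sample identities in the three formats from the thread.
    for name in ("user@mydomain.com", "MYDOMAIN.COM\\user", "user"):
        req = inner_tunnel_authorize(name) or {"User-Name": name}
        print(f"{name!r:24} -> --username={ntlm_auth_username(req)}")
```

With the "else { reject }" branch in place, the inner-tunnel only ever passes user@domain identities on to ntlm_auth; the other two rows of the expansion table apply to servers that use the same ntlm_auth line without that block.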