On Tue, Feb 03, 2004 at 03:21:21PM -0600, Michael Griego wrote:
> On Tue, 2004-02-03 at 14:50, Michael Gernoth wrote:
> > I think the peap-module needs to use the username without the domain
> > for authentication.
>
> Not true... The PEAP module (Especially if you're using EAP-MSCHAPv2 as
> the inner EAP method) MUST use the full Identity/UserName as sent by the
> supplicant. If it doesn't, then the MSCHAP handshake will fail as the
> usernames won't match (see many discussions on this list about problems
> with MS-CHAP and stripped-user-name versus original user-name)

Tried it again with a current cvs-checkout. When using a realm (with the
correct stripped-user-name) it does not work.

Log:
http://www.zerfleddert.de/freeradius/log_with_realm.txt
Config:
http://www.zerfleddert.de/freeradius/radiusd.conf.realm
http://www.zerfleddert.de/freeradius/proxy.conf

> > Trying to use hints gets me the same error I posted previously with my
> > try with_ntdomain_hack (rlm_eap: Identity does not match User-Name,
> > setting from EAP Identity.).
>
> Don't use with_ntdomain_hack.

But when I disable the User-Name plausibility checks in eap.c and enable
with_ntdomain_hack, it authenticates successfully (and only if the password
is correct):

http://www.zerfleddert.de/freeradius/log_with_ntdomain.txt
http://www.zerfleddert.de/freeradius/radiusd.conf.ntdomain

(The password for user michael is in these cases "asdf")

I use the Windows-XP (SP1) 802.1x supplicant to authenticate. The NAS is
an Orinoco AP-1000 with Karlnet-firmware 4.44 loaded to support all
EAP-Types.

The domain "MARVIN" is not really a domain, but the hostname of the laptop,
which Windows prepends as a domain.

Is Windows (or I) doing something silly here?

Regards,
  Michael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
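Added example, not part of the original post and not FreeRADIUS code: RFC 2759 mixes the UserName into the 8-byte ChallengeHash that feeds the MS-CHAPv2 NT-Response, so a server that hashes a different form of the name than the supplicant did computes a different expected response even when the password is right. The sketch below shows that and reports which name form reproduces an observed hash; the challenge bytes are constructed, and name_forms() and which_form_matches() are hypothetical helper names.

```python
import hashlib
import hmac

# Constructed sample challenges (16 bytes each), not taken from the linked logs.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 bytes of SHA1(peer || auth || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def name_forms(identity: str) -> dict:
    """Name forms a server could feed into the hash for one EAP Identity."""
    forms = {"full": identity}
    if "\\" in identity:            # DOMAIN\user, as sent by the supplicant
        forms["stripped"] = identity.split("\\", 1)[1]
    elif "@" in identity:           # user@realm
        forms["stripped"] = identity.rsplit("@", 1)[0]
    return forms

def which_form_matches(peer_challenge, auth_challenge, observed, identity):
    """Labels of the name forms whose ChallengeHash equals the observed one."""
    return [
        label
        for label, name in name_forms(identity).items()
        if hmac.compare_digest(
            challenge_hash(peer_challenge, auth_challenge, name), observed
        )
    ]

if __name__ == "__main__":
    identity = "MARVIN\\michael"    # constructed from the names in the post
    for label, name in name_forms(identity).items():
        print(label, name, challenge_hash(PEER, AUTH, name).hex())
    # A peer that hashed only the user part matches the stripped form alone.
    observed = challenge_hash(PEER, AUTH, "michael")
    print(which_form_matches(PEER, AUTH, observed, identity))
```

Because the two hashes differ, the server and the supplicant must agree on one form of the name for the MS-CHAPv2 exchange to succeed.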

