Dave Mussulman <[EMAIL PROTECTED]> wrote:
> Windows XP supplicant, when set to authenticate off the system, sends
> the username as DOMAIN\user. In my testing, I had the preprocess
> with_ntdomain_hack = yes and that stripped it just to user. The problem
> is, later EAP checks the identity against the username and denies the
> packet because they're different.

That hack in the preprocess module shouldn't be used.

> If I disable with_ntdomain_hack in preprocess, it passes the username
> on to ntlm_auth as DOMAIN\user, which fails. I would like the mschap
> module to strip the domain right before it sends it to ntlm_auth. That
> sounds like what eap's with_ntdomain_hack should do, but that doesn't appear
> to be working.

You can set up an "ntdomain" realm, or:

    ntlm_auth = "/path/to/ntlm_auth --username=%{mschap:User-Name}"

which will do the stripping of the domain name by itself.

And no, it isn't documented anywhere. It should be.

Alan DeKok.
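
The two options from the reply above, written out as a radiusd.conf fragment. This is an added example, not part of the original message or the project's shipped configuration; it assumes a stock FreeRADIUS 1.x-style layout. /path/to/ntlm_auth is the placeholder from the message, DOMAIN is a placeholder realm name, and the --request-nt-key, --challenge and --nt-response arguments are taken from the stock mschap configuration rather than from the mail.

```conf
# radiusd.conf fragment (added illustration; layout and names are assumptions)

modules {
    preprocess {
        # Leave User-Name exactly as the supplicant sent it (DOMAIN\user),
        # so the later EAP identity versus User-Name comparison still matches.
        with_ntdomain_hack = no
    }

    # Option 1: an "ntdomain" realm instance that splits DOMAIN\user on the
    # backslash. The realm itself must also be defined in proxy.conf, e.g.
    #   realm DOMAIN { type = radius  authhost = LOCAL  accthost = LOCAL }
    # (DOMAIN is a placeholder for the NT domain name).
    realm ntdomain {
        format = prefix
        delimiter = "\\"
    }

    mschap {
        authtype = MS-CHAP
        # Option 2: strip the domain only in the value handed to ntlm_auth.
        # %{mschap:User-Name} expands to the user part of DOMAIN\user;
        # the User-Name attribute in the request is not rewritten.
        ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
}

authorize {
    preprocess
    ntdomain        # only needed for option 1
    mschap
    eap
}
```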