Hi,
Andree Toonk wrote:
> >Don't strip the username. Doing so will break EAP, and MS-CHAP, as
> >you are discovering.
> >
> >
> But how should I fix this?
> Users are known as "test" and not as [EMAIL PROTECTED]
Then change that. If the user uses [EMAIL PROTECTED],
any change you make to the username will invalidate
the MS-CHAP2-Response. (Cryptographically speaking,
MS-CHAP2-Response is a "hash" involving the clear-text
password, the _username_ and the challenge. If you
modify any of those input components (e.g. if the user
gives a bad password, or if an attacker tries reusing old
answers to other challenges, or if _you_ try to use a
different user name, i.e. not the one the user entered
in his client), authentication fails.)
"Normal" protocols don't have the password's correctness
depend on the username, which explains why it works
with radtest.
> Why do other authentication methods work and how can I
> make peap work?
By not modifying the user name - there's no other way.
HTH,
Stefan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
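
Added example, not part of the original post and not FreeRADIUS code: the ChallengeHash step of MS-CHAPv2 as defined in RFC 2759, showing how the username the server uses feeds into the value the response is checked against. The user name "test@example.org", the fixed challenges and the rewrite policy names are constructed for illustration.

```python
import hashlib

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA1(peer || auth || username)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

# Hypothetical server-side username handling policies (names are illustrative).
REWRITES = {
    "as_sent": lambda name: name,
    "strip_realm": lambda name: name.split("@", 1)[0],
}

def server_view(client_username: str, peer_challenge: bytes, auth_challenge: bytes) -> dict:
    """For each policy, report whether the server derives the same 8-byte
    challenge the client used. The NT-Response is computed over this value
    with a key derived from the password, so a mismatch here means the
    server's expected response cannot equal the one the client sent."""
    client_side = challenge_hash(peer_challenge, auth_challenge, client_username)
    return {
        policy: challenge_hash(peer_challenge, auth_challenge, rewrite(client_username)) == client_side
        for policy, rewrite in REWRITES.items()
    }

# Constructed sample challenges (real ones are random per authentication).
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))

if __name__ == "__main__":
    for name in ("test@example.org", "test"):
        print(name, server_view(name, PEER, AUTH))
```

A user who types a bare "test" is unaffected by realm stripping because nothing changes; a user who types "test@example.org" only matches when the server keeps the name exactly as sent.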