Thank you Phil. I didn't have time to test it yet.

I had to install a previous release so I modified the cb.c function. I know what I've done is awful but it was an extreme solution. I'll test yours next week and reinstall the server as soon as possible.

Thanks again

2006/6/7, Phil Mayers <[EMAIL PROTECTED]>:
wekz wrote:
> And if they are, what effect does with_ntdomain_hack=yes have? Does it
> affect all of them??
>
> Well, Hi you all I hope haven't been too direct ;)
>
> I'm getting more trouble as I do more complex configurations.
>
> I ask this because first I had to authenticate users by machine
> authentication. The users in this case send a User-Name like
> host/username and the only way I found to work this out was to use an
> ntdomain realm with "/" as the delimiter and enable with_ntdomain_hack.
> The other options strip the User-Name but then packets don't match
> EAP-Identity ( at least one of them ), that is why I used ntdomain, for

Yes, this is a pain. The correct thing to do is below.

> being able to use with_ntdomain_hack.

FreeRadius 1.1.0 has code to do this for you - it will take names of the
form "host/blah" and turn them into "blah$" *IF* you are using the
"%{mschap:User-Name}" expansion. The "%{User-Name}" is left alone,
meaning EAP carries on working.

>
> Now I've got PDA users that send domain\username and if I don't use
> ntdomain & with_ntdomain_hack it fails. So, that's why I ask if multiple
> ntdomains are allowed and how.

Again, this is annoying.

The best way I've found is to have this:

proxy.conf (contains only "real" domains)

realm THEDOMAINNAME {
   type = radius
   authhost = LOCAL
   accthost = LOCAL
   # see [1] for strip
   strip
}

realm DEFAULT {
   type = radius
   authhost = LOCAL
   accthost = LOCAL
   # see [1] for strip
   strip
}

realm NULL {
   type = radius
   authhost = LOCAL
   accthost = LOCAL
   # see [1] for strip
   strip
}

radiusd.conf (portions omitted):

modules {
   mschap {
     authtype = MS-CHAP
     with_ntdomain_hack = yes
     # this all goes on one line
     # see [2] for mschap:User-Name
     ntlm_auth = "/path/ntlm_auth --request-nt-key \
       --username=%{mschap:User-Name} \
       --challenge=%{mschap:Challenge:-00} \
       --nt-response=%{mschap:NT-Response:-00}"
   }

   realm ntdomain {
     format = prefix
     delimiter = "\\"
     ignore_default = no
     ignore_null = no
   }
}

authorize {
   preprocess
   ntdomain
   eap
   mschap
}

The various bits ensure:

  1. "strip" in the realms means there is always a realm-free
"%{Stripped-User-Name}" variable, useful for e.g. LDAP/file/SQL searches.

  2. The "with_ntdomain_hack" creates an mschap:User-Name variable which
will always have the domain stripped correctly - "dom\user" goes to
"user", and "host/machine" goes to "machine$"

>
> Any method or idea will be welcome.
>
> Thanks
>
>
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
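The two username views Phil's configuration produces, modelled in Python as an added example for this thread (it is not FreeRADIUS code and was not posted by either participant). It assumes the single "real" realm THEDOMAINNAME from the proxy.conf above, that realm names are compared case-insensitively, and that with_ntdomain_hack transforms names exactly as described in the message ("dom\user" to "user", "host/machine" to "machine$"); the `process`, `match_prefix_realm`, `mschap_user_name` and `eap_identity_matches` names are this example's own. The point it makes runnable is that the original User-Name is never rewritten, so EAP-Identity matching keeps working while LDAP/SQL lookups get a realm-free Stripped-User-Name and ntlm_auth gets the Windows-style account name.

```python
"""
Model of the username views described in the thread (added example, not
FreeRADIUS code). Two independent derived names are built from one
unmodified User-Name:

  * Stripped-User-Name: realm ntdomain { format = prefix, delimiter = "\\" }
    plus "strip" in the matched realm block (THEDOMAINNAME, DEFAULT or NULL)
  * %{mschap:User-Name}: the with_ntdomain_hack view fed to ntlm_auth
"""
from dataclasses import dataclass

DELIMITER = "\\"  # one backslash: delimiter = "\\" in the realm ntdomain block
KNOWN_REALMS = frozenset({"THEDOMAINNAME"})  # the "real" domains in proxy.conf


@dataclass(frozen=True)
class RadiusNames:
    user_name: str            # User-Name exactly as received; never rewritten
    realm: str                # realm block that matched: domain, "DEFAULT" or "NULL"
    stripped_user_name: str   # %{Stripped-User-Name}, set because the realm has "strip"
    mschap_user_name: str     # %{mschap:User-Name} with with_ntdomain_hack = yes


def match_prefix_realm(user_name: str, known_realms=KNOWN_REALMS):
    """format = prefix: the realm is the text before the first delimiter.

    No delimiter      -> NULL realm (ignore_null = no), nothing to strip
    unknown domain    -> DEFAULT realm (ignore_default = no), domain stripped
    known domain      -> that realm, domain stripped
    Case-insensitive comparison is an assumption of this model.
    """
    domain, sep, rest = user_name.partition(DELIMITER)
    if not sep:
        return "NULL", user_name
    upper = {r.upper() for r in known_realms}
    if domain.upper() in upper:
        return domain.upper(), rest
    return "DEFAULT", rest


def mschap_user_name(user_name: str) -> str:
    """The with_ntdomain_hack view as described in the thread.

    "dom\\user"     -> "user"
    "host/machine"  -> "machine$"   (NT machine-account name)
    anything else   -> unchanged
    """
    if DELIMITER in user_name:
        return user_name.split(DELIMITER, 1)[1]
    if user_name.startswith("host/"):
        return user_name[len("host/"):] + "$"
    return user_name


def process(user_name: str, known_realms=KNOWN_REALMS) -> RadiusNames:
    """Build both derived views while leaving User-Name untouched."""
    realm, stripped = match_prefix_realm(user_name, known_realms)
    return RadiusNames(user_name, realm, stripped, mschap_user_name(user_name))


def eap_identity_matches(names: RadiusNames, eap_identity: str) -> bool:
    """EAP compares against the untouched User-Name, so stripping in the
    derived views cannot break the EAP-Identity check."""
    return names.user_name == eap_identity


if __name__ == "__main__":
    # Constructed sample identities covering the three cases in the thread.
    for name in ("THEDOMAINNAME\\alice", "OTHER\\bob", "host/pc01", "carol"):
        n = process(name)
        print(f"{n.user_name!r:24} realm={n.realm:14} "
              f"stripped={n.stripped_user_name!r:16} mschap={n.mschap_user_name!r}")
```

Run stand-alone it prints one row per constructed identity; for `host/pc01` note that the realm module falls through to NULL (no backslash present) and leaves Stripped-User-Name as `host/pc01`, while the mschap view still yields `pc01$`, which is exactly why the thread recommends the `%{mschap:User-Name}` expansion in the ntlm_auth line rather than a "/" realm.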