----- Original Message -----
From: "Phil Mayers" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" <[email protected]>
Sent: Friday, June 06, 2008 8:17 PM
Subject: Re: PEAP problem when using domain suffix
Phil Mayers wrote:
[EMAIL PROTECTED] wrote:
hi,
you need to remove the domain suffix but you cannot
play with the User-Name attribute or the response will
be wrong - use the 'stripped-user-name' attribute
for the authenticate step - and ensure that if you
are querying an LDAP or AD etc. in that stage that DOMAIN
being used is the correct domain - either overwrite
the value or set it to NULL
The problem is that rlm_mschap always reads the "User-Name" attribute for
generating the chal/resp i.e. when *not* using ntlm_auth.
If "with_ntdomain_hack" is enabled, rlm_mschap strips prefix "domain\"
but not suffix formats.
Given that (in 2.0.3 at least) with_ntdomain_hack *only* controls the
username string fed into the chal/resp code, it should really be on all
the time, and be extended to handle suffix formats.
I've written a small patch for 2.0.4 which fixes this:
http://bugs.freeradius.org/show_bug.cgi?id=562
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
That's amazing; thanks for the quick update; would you be so kind as to
provide a very quick HowTo in order to get this implemented...my guess is
something like this:
- download the source of 2.0.4
- merge the patch (but I'm a bit vague on this point - unless you've merged
it already)
- compile it (also a bit vague on updating an existing implementation and
doing make install or whatever)
- test
cheers
gm
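Added example, not part of the original messages or the FreeRADIUS source: a sketch of why the exact username string fed into the MS-CHAPv2 challenge matters, using the ChallengeHash() definition from RFC 2759 (first 8 octets of SHA1 over peer challenge, authenticator challenge and user name). The two normalisers, the sample challenges and the assumption that the supplicant hashed the bare account name are constructed for illustration.

```python
import hashlib

# Constructed 16-octet challenges (sample values, not from a real exchange).
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))


def challenge_hash(peer: bytes, auth: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(peer || auth || username)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("both challenges must be 16 octets")
    return hashlib.sha1(peer + auth + username.encode("ascii")).digest()[:8]


def strip_prefix_only(name: str) -> str:
    """Hypothetical model of the behaviour described for with_ntdomain_hack:
    a 'DOMAIN\\' prefix is removed, an '@domain' suffix is left in place."""
    return name.split("\\", 1)[1] if "\\" in name else name


def strip_prefix_and_suffix(name: str) -> str:
    """Hypothetical model of the extension proposed in the thread:
    both 'DOMAIN\\user' and 'user@domain' reduce to 'user'."""
    name = strip_prefix_only(name)
    return name.rsplit("@", 1)[0] if "@" in name else name


def challenges_match(user_name_attr: str, supplicant_name: str, normalise) -> bool:
    """True when the server, hashing normalise(User-Name), derives the same
    8-octet challenge as a supplicant that hashed supplicant_name."""
    client = challenge_hash(PEER, AUTH, supplicant_name)
    server = challenge_hash(PEER, AUTH, normalise(user_name_attr))
    return client == server


def demo():
    """For each User-Name form: (value, prefix-only result, prefix+suffix result).
    Assumption: the supplicant always hashed the bare name 'alice'."""
    forms = ("alice", "EXAMPLE\\alice", "alice@example.org")
    return [(f,
             challenges_match(f, "alice", strip_prefix_only),
             challenges_match(f, "alice", strip_prefix_and_suffix))
            for f in forms]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A mismatch in this 8-octet value makes every response check fail even when the password is correct, which is why the suffix form is rejected under prefix-only stripping.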