Hi,

> I have configured everything and gotten free radius to authenticate off
> /etc/samba/smbpasswd via the etc_smbpasswd module. The problem I have
> run into is when I switch the securew2 windows xp eap-ttls client to use
> the current logged on user credentials. Then, SecureW2 sends the
> username in the format of DOMAIN/user (which in this case is HTN/josh).
> Authentication then fails because of this extra domain part in the user.
> Ok fine, I first enable the nt_domain_hack in the mschap module then I
> configured realm ntdomain and simply set a default realm in proxy.conf
> to strip off the domain part. Nope, that fails (output will be included
> below). I also tried nostrip but that also fails obviously. Also tried
> silently stripping the domain in pre-process in radiusd.conf. Auth is
> successful but finally rejected because the user doesn't match the
> original HTN/josh user sent.

You need to look at using the Stripped-User-Name rather than just the User-Name (because that contains the REALM/ stuff). Alternatively, you can specify in proxy.conf to proxy anything with REALM/ to your RADIUS server with realm stripping on - this should send the request back to your server with just User-Name plain... but it's not clean.

As Alan DeKok states, this sort of thing is very nice in 2.x FreeRADIUS, it just works(tm)

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
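
Added example, not part of the original post and not FreeRADIUS code: a small Python model of the difference discussed above between looking accounts up by a separate Stripped-User-Name and rewriting User-Name in place. The function names, the realm table and the account set are assumptions built from the names in the thread (HTN, josh).

```python
# Illustrative model only; not FreeRADIUS source. All names are hypothetical.
DELIMITERS = ("\\", "/")  # assumption: accept DOMAIN\user and DOMAIN/user

def split_realm(user_name, known_realms):
    """Return (realm, bare_user); realm is None when no known prefix realm is present."""
    for delim in DELIMITERS:
        realm, sep, user = user_name.partition(delim)
        if sep and user and realm.upper() in known_realms:
            return realm.upper(), user
    return None, user_name

def add_stripped_name(request, known_realms):
    """Copy the request, adding Realm and Stripped-User-Name; User-Name stays as sent."""
    out = dict(request)
    realm, user = split_realm(request["User-Name"], known_realms)
    if realm is not None:
        out["Realm"] = realm
        out["Stripped-User-Name"] = user
    return out

def rewrite_user_name(request, known_realms):
    """The in-place rewrite tried in the question: User-Name itself is replaced."""
    out = dict(request)
    out["User-Name"] = split_realm(request["User-Name"], known_realms)[1]
    return out

def evaluate(original, processed, accounts):
    """Account lookup prefers Stripped-User-Name; the identity check uses User-Name."""
    key = processed.get("Stripped-User-Name", processed["User-Name"])
    return {
        "lookup_key": key,
        "account_found": key in accounts,
        "identity_matches": processed["User-Name"] == original["User-Name"],
    }

# Constructed sample data based on the names in the thread.
REALMS = {"HTN"}
ACCOUNTS = {"josh"}
REQUEST = {"User-Name": "HTN/josh"}

if __name__ == "__main__":
    for label, fn in (("stripped attribute", add_stripped_name),
                      ("in-place rewrite", rewrite_user_name)):
        print(label, evaluate(REQUEST, fn(REQUEST, REALMS), ACCOUNTS))
```

Both paths find the account under `josh`, but only the Stripped-User-Name path leaves the identity the client sent unchanged; an unknown prefix such as `OTHER/josh` is not stripped at all.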

