Hi Alan,

Thanks for the info. Next question is "what??" HeHe. I started looking at
the files you suggested and I am confused.

First, you mention looking into the realm information. I did that, and it is
looking like that may not be too hard to do: if I am using the FR server to
access the LDAP server, then I just need to set a realm of ntdomain and
auth=LOCAL, correct? Then you go on to say to strip the domain at the LDAP
lookup; well, if I do it there, wouldn't that fix the problem regardless of
changing the realm? You go on to explain that I should do the LDAP lookup in
the inner-tunnel config. I have no problem with this, it makes sense; the
problem I have is how do you specify the inner tunnel in the configuration?
Remember, I am new to FreeRADIUS. I have been using Cisco ACS for a few years
now, so I know about RADIUS in general, just not how to configure FreeRADIUS,
and docs are a bit hard to come by. If you can specify the files I should look
at to configure the inner-tunnel authentication and where to specify stripping
the domain name pre-LDAP authentication, that would help a lot. I was not sure
if I should attempt stripping the domain in the realm portion or right before
the LDAP auth.

Thanks again. I will continue and try to figure out where to do this until I
hear back.
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE

>>> On Friday, January 21, 2011 at 11:56 PM, in message
>>> <[email protected]>, Alan DeKok
>>> <[email protected]> wrote:
Brett Littrell wrote:
> I am trying to strip the domain name from a userid in the most
> efficient way possible, I am using version 2.1.1.

  See the "realms" module, and the "realm" definition in raddb/proxy.conf.

> I am using MSChapV2

  Then stripping the realm isn't a good idea. The User-Name is used as
part of the MS-CHAPv2 calculations, so changing it will make the
authentication fail.

> I then found another reference to strip the domain from the LDAP
> module as shown below:
> filter = "(cn=%{mschap:User-Name:-%{User-Name}}

  This is wrong. You're not closing the opening bracket:

	filter = "(cn=%{mschap:User-Name:-%{User-Name}})"

> and it seems to pass the correct username to the LDAP server. It looks
> like there is some other place I need to strip the domain besides the
> LDAP lookup, that or the replies are using the stripped name and it is
> failing that way as well. Either way it still is not working. If I
> un-comment the stripped-user-name and use a supplicant that strips the
> domain prior to sending it, it does work, so RADIUS is working, just not
> with the standard Windows supplicant on XP.

  If you're using EAP, you *really* don't want to strip the User-Name.
It will make EAP fail.

> And yes, I am pretty new to FreeRADIUS.

  What you want is to change the *ldap* lookup so that it uses only the
name portion of the User-Name. *Don't* edit the User-Name.

  And move the LDAP lookup to the "inner-tunnel" configuration. That's
what it's for. Don't do LDAP lookups in raddb/sites-available/default.

  Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
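For readers following this thread, here is an added example (not from either message, and not a verbatim copy of FreeRADIUS's shipped files) of the layout Alan describes on a 2.1.x install: PEAP hands the inner EAP-MSCHAPv2 exchange to the inner-tunnel virtual server, the ldap module is listed only there, and only the LDAP search filter uses the domain-stripped name, via the corrected xlat from the thread. The User-Name attribute itself is never rewritten, so the MS-CHAPv2 and EAP calculations still see what the supplicant sent. The server name, bind DN, password and base DN are placeholders.

```conf
# raddb/eap.conf (excerpt). PEAP's inner EAP-MSCHAPv2 exchange is handled
# by the inner-tunnel virtual server, so that is where the user lookup goes.
eap {
	default_eap_type = peap
	peap {
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# raddb/modules/ldap (excerpt). %{mschap:User-Name} returns the user part
# of a DOMAIN\user name; the ":-%{User-Name}" fallback covers requests that
# carry no MS-CHAP attributes. Only the search filter sees the stripped
# name; the request's User-Name attribute is left exactly as received.
ldap {
	server = "ldap.example.org"                 # placeholder
	identity = "cn=radius,dc=example,dc=org"    # placeholder bind DN
	password = "change-me"                      # placeholder
	basedn = "ou=people,dc=example,dc=org"      # placeholder
	filter = "(cn=%{mschap:User-Name:-%{User-Name}})"
}

# raddb/sites-available/inner-tunnel (excerpt). Enabled by the symlink in
# raddb/sites-enabled/. The ldap lookup runs here, inside the TLS tunnel,
# where the real (inner) User-Name and MS-CHAP attributes are visible.
server inner-tunnel {
	authorize {
		mschap          # sets Auth-Type := MS-CHAP when MS-CHAP attrs are present
		update control {
			Proxy-To-Realm := LOCAL   # never proxy the inner request
		}
		eap {
			ok = return
		}
		ldap            # user lookup with the filter above
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}

# raddb/sites-available/default (excerpt). The outer PEAP request carries
# only the (possibly anonymous) EAP identity, so no ldap lookup here.
authorize {
	preprocess
	eap {
		ok = return
	}
	# ldap    <- leave this out of the outer server; it belongs in inner-tunnel
}
authenticate {
	eap
}
```

If the realm route from Brett's question is used instead, the relevant piece in 2.x is the `ntdomain` instance of the realm module (raddb/modules/realm, `format = prefix`, `delimiter = "\\"`): it populates Stripped-User-Name and Realm and leaves User-Name alone, which is the property Alan insists on. Whichever route is taken, the check is the same: run `radiusd -X`, authenticate with a `DOMAIN\user` identity from the XP supplicant, and confirm in the inner-tunnel debug output that the ldap search filter shows the bare user name while the User-Name attribute still shows the domain prefix.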

