Hi,
I'm currently trying to configure my Win7 clients to do wired 802.1X
authentication using the credentials a user provides at the login screen. Wired
802.1X auth itself works fine but as soon as I have it use the logon
credentials (using the "Automatically use my Windows logon name and password
(and domain if any).") Windows sends User-Names like 'computername\\username'.
That's normal so far I think.
To get the rlm_ldap related stuff working I simply changed my filter and
groupmembership_filter settings in modules/ldap to be
"[...]uid=%{mschap:User-Name:-%{User-Name}}[...]" instead of
"[...]uid=%{%{Stripped-User-Name}:-%{User-Name}}[...]" and that works well.
But when it comes to MSCHAP authentication I've got a problem:
I get errors like
"[mschap] ERROR: User-Name (testpc\tom1) is not the same as MS-CHAP Name (tom1)
from EAP-MSCHAPv2"
(...which sounds consequent) I've tried to solve that problem by changing
"with_ntdomain_hack = yes" (I know you recommend against that) without any luck:
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [tom1] (from client swtswitch01 port 0 via TLS tunnel)
Somewhere I've read that in such a case one should use the realms concept but I
can't seem to get it working. There's an entry like
realm ntdomain {
    format = prefix
    delimiter = "\\"
}
in the modules/realm but what else do I need?
Thanks!
Best regards
Tom