On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
> The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one
> problem with Windows XP clients, I get a " [mschap] ERROR: User-Name
> (CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
> EAP-MSCHAPv2". Users log on locally, the host name is not a domain name.
> Windows 7 clients work fine because they send only the username. I do
> some rewrites so I can get the username for the LDAP authentication and
> the computer's name for computer account authentication (I'm not familiar
> with unlang yet). We use FR 2.1.10.
> Any idea how to fix this?

You CANNOT rewrite the User-Name attribute, or you will have this problem.
If you want to manipulate the username, you must do so in a separate
attribute, like so:

    if (User-Name =~ /^(.+)\\(.+)/) {
        update request {
            Stripped-User-Name := "%{2}"
        }
    }

An easier alternative is to not mangle the username at all, and instead
update any string expansions to use:

    %{mschap:User-Name}

...including your LDAP filters. This will "just work".
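
Added example, not part of the original message and not FreeRADIUS code: a stand-alone Python simulation of the advice above, run over the two client forms from the thread. It leaves User-Name as received, derives the stripped name into a separate attribute with the reply's regex, and builds an LDAP filter from the stripped name with a fallback to User-Name. The function names, the dict-based request, the uid attribute and the RFC 4515 escaping step are assumptions of this example.

```python
import re

# The reply's pattern. Both groups are greedy, so the split happens at the
# last backslash and both sides must be non-empty.
DOMAIN_USER = re.compile(r"^(.+)\\(.+)")

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def derive_stripped(request):
    """Emulate the unlang block: add Stripped-User-Name, never touch User-Name."""
    out = dict(request)  # copy, so the request stays exactly as it was received
    match = DOMAIN_USER.match(request["User-Name"])
    if match:
        out["Stripped-User-Name"] = match.group(2)
    return out


def lookup_name(request):
    """Stripped name if the regex matched, otherwise the untouched User-Name."""
    return request.get("Stripped-User-Name", request["User-Name"])


def ldap_filter(request, attr="uid"):
    """Build the search filter from the lookup name, escaping the value."""
    value = "".join(_ESCAPES.get(ch, ch) for ch in lookup_name(request))
    return f"({attr}={value})"


if __name__ == "__main__":
    # Constructed sample requests: XP form from the thread, Windows 7 form,
    # and a malformed name with a trailing backslash that the regex rejects.
    for name in ("CAD08862\\ldapuser", "ldapuser", "CAD08862\\"):
        req = derive_stripped({"User-Name": name})
        print(f"{req['User-Name']!r:24} -> {ldap_filter(req)}")
```

The Windows 7 form never matches the regex, so anything that reads only Stripped-User-Name sees it unset for those clients; the fallback to User-Name covers that case.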