On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
>> There's no guarantee that STAFF\john and STUDENT\john are the same
>> person; you can't just ignore the fact that the client has changed
>> their username.
> True. But I don't think it is possible to send a different Username in
> EAP-Identity and MSChap Username in the same EAP session since the
> second is derived from the first. I have seen such a setup where you have
> two domains; RADIUS would use the Realm to differentiate the two.
For a legit client, yes. A malicious client can send anything it wants.
> Is there a way we could work around this hard-coded check since in our
> case, we only have "one john"?
Sure; the check is just one line; grep the source code for it and
comment it out.
What I really want to understand is, whether the check is too strict and
FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will
try to check this tomorrow.
e.g. maybe the check should be:
    if eap.username == mschap.username:
        ok
    elif not mschap.domain:
        if eap.stripped-user-name == mschap.username:
            ok
        else:
            reject
    else:
        reject
I will try to investigate this tomorrow when I get back to the office.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
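To make the proposed relaxed check concrete, here is a small Python model of it. This is an added illustration, not FreeRADIUS source; the helper names strip_user_name() and check_usernames() are hypothetical, and the stripping of "DOMAIN\user" / "user@realm" is a simplification of what the realm and ntdomain modules do when they set Stripped-User-Name. The point of the check is defensive: the EAP-Identity and the name inside the MS-CHAP response are two separate client-supplied values, and the server must not silently accept a client that asserts one identity in the outer EAP exchange and a different one in the inner authentication.

```python
"""Model of the relaxed EAP-Identity vs MS-CHAP username check proposed
in the thread (added example, not FreeRADIUS code)."""

from typing import List, Tuple


def strip_user_name(username: str) -> Tuple[str, str]:
    """Split 'DOMAIN\\user' or 'user@realm' into (realm, bare_name).

    Assumption/simplification: FreeRADIUS derives Stripped-User-Name via
    its realm modules; here only the two common textual forms are handled.
    """
    if "\\" in username:
        domain, _, bare = username.partition("\\")
        return domain, bare
    if "@" in username:
        bare, _, realm = username.rpartition("@")
        return realm, bare
    return "", username


def check_usernames(eap_username: str, mschap_username: str,
                    mschap_domain: str = "") -> bool:
    """Return True if the MS-CHAP name is consistent with the EAP identity.

    Mirrors the pseudocode in the mail:
      exact match              -> ok
      no MS-CHAP domain given  -> ok only if the *stripped* EAP name matches
                                  (covers a client that sends STAFF\\john
                                  as EAP-Identity but bare 'john' in MS-CHAP)
      MS-CHAP domain given and
      names differ             -> reject
    """
    if eap_username == mschap_username:
        return True
    if not mschap_domain:
        _, stripped = strip_user_name(eap_username)
        return stripped == mschap_username
    return False


# Constructed sample cases: (EAP-Identity, MS-CHAP name, MS-CHAP domain, expected)
CASES = [
    ("john", "john", "", True),                   # identical names
    ("STAFF\\john", "john", "", True),            # client drops the domain prefix
    ("john@staff.example", "john", "", True),     # realm-suffix form
    ("STAFF\\john", "STUDENT\\john", "", False),  # changed domain, same bare name
    ("STAFF\\john", "jane", "", False),           # different user entirely
    ("STAFF\\john", "john", "STUDENT", False),    # domain-qualified mismatch
]


def run_cases() -> List[bool]:
    """Evaluate every sample case; each entry is True when the model agrees
    with the expected verdict."""
    return [check_usernames(e, m, d) == exp for e, m, d, exp in CASES]


if __name__ == "__main__":
    for (e, m, d, exp), ok in zip(CASES, run_cases()):
        print(f"{e!r:22} vs {m!r:16} domain={d!r:10} -> "
              f"{'ok' if exp else 'reject'} ({'PASS' if ok else 'FAIL'})")
```

Note that the relaxed branch only fires when the MS-CHAP response carries no domain at all; a client that sends STUDENT\john in MS-CHAP while having announced STAFF\john in EAP-Identity is still rejected, which is the mismatch the original strict check was protecting against.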