Hi,

On 11-05-30 9:55 AM, Phil Mayers wrote:
On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:

There's no guarantee that STAFF\john and STUDENT\john are the same person; you can't just ignore the fact that the client has changed their username.

True. But I don't think it is possible to send a different Username in EAP-Identity and MSChap Username in the same EAP session since the second is derived from the first. I have seen such a setup where you have two domains; RADIUS would use the Realm to differentiate the two.

For a legit client, yes. A malicious client can send anything it wants.
I completely agree with you on this.



Is there a way we could work around this hard-coded check since in our case, we only have "one john"?

Sure; the check is just one line; grep the source code for it and comment it out.

What I really want to understand is, whether the check is too strict and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will try to check this tomorrow.

e.g. maybe the check should be:

if eap.username == mschap.username:
 ok
elif not mschap.domain:
 if eap.stripped-user-name == mschap.username:
   ok
 reject
else:
 reject

I will try to investigate this tomorrow when I get back to the office.
Aight.  Keep us posted.


--
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
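One way to model the relaxed check Phil sketched above, as an added example that is not code from this thread or from FreeRADIUS; the function names and the DOMAIN\user / user@realm splitting rule are assumptions, and the constructed test pairs below mirror the STAFF\john vs STUDENT\john case discussed in the thread:

```python
# Added example (not from the thread or the FreeRADIUS source): a model of the
# proposed EAP-Identity vs MS-CHAP username comparison.
# split_domain / check_username are assumed names, not FreeRADIUS functions.

def split_domain(name: str):
    """Split 'DOMAIN\\user' or 'user@realm' into (domain, user).
    Returns ('', name) when no domain or realm is present."""
    if "\\" in name:
        domain, _, user = name.partition("\\")
        return domain, user
    if "@" in name:
        user, _, realm = name.rpartition("@")
        return realm, user
    return "", name


def check_username(eap_identity: str, mschap_username: str) -> bool:
    """Return True when the MS-CHAP username is consistent with the EAP-Identity.

    Rule, as proposed in the thread:
      1. exact match                         -> ok
      2. MS-CHAP name carries no domain      -> compare it against the
         EAP-Identity with its domain/realm stripped (Stripped-User-Name)
      3. anything else, e.g. a changed domain -> reject
    """
    if eap_identity == mschap_username:
        return True
    ms_domain, ms_user = split_domain(mschap_username)
    if not ms_domain:
        _, eap_user = split_domain(eap_identity)
        return eap_user == ms_user
    # Domain present in MS-CHAP but differs from EAP-Identity: reject.
    return False


if __name__ == "__main__":
    # Constructed sample pairs (EAP-Identity, MS-CHAP username).
    for eap, ms in [("STAFF\\john", "STAFF\\john"), ("STAFF\\john", "john"),
                    ("john@staff.example", "john"), ("STAFF\\john", "STUDENT\\john")]:
        print(f"{eap!r:22} {ms!r:16} -> {'ok' if check_username(eap, ms) else 'reject'}")
```

Case 2 is the one that admits the Windows XP behaviour from the thread (bare username in MS-CHAP) without accepting a client that switches domains between EAP-Identity and MS-CHAP.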

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
