Re: Removing domain prefix from login

Thu, 10 Nov 2011 04:48:28 -0800 

On 10/11/11 08:15, Alejandro Gandara wrote:

Hi Alan,

Thanks for your answers and excuse me for my english fill of mistakes.

2011/11/10 Alan DeKok <[email protected]
<mailto:[email protected]>>

    Alejandro Gandara wrote:
     > I'm authenticating users in RADIUS against LDAP, if I login from
     > computer with 802.1x configured and users and password taken from
    domain
     > automatic. Im getting wrong authenticated because the login has the
     > following chain.
     >
     > DOMAIN\\Users
     >
     > How can i avoid that radius read the prefix?

    You should be able to authenticate using just the user name, using
    ntlm_auth. See the examples in raddb/modules/ntlm_auth


Im reading about it. Thanks for this information.


     > I've tried to introduce the option prefix in
    /etc/sites-enable/default ,
     > but its getting me back errors because of wrong way to introduce
    that line.

    Yes. Don't define a realm. It won't work.

    Post the debug output. That helps, too.


This is my debug output:

rad_recv: Access-Request packet from host 172.20.40.28 port 1025,
id=112, length=218
Framed-MTU = 1480
NAS-IP-Address = 172.20.40.28
NAS-Identifier = "SW-INT-1-3"
User-Name = "PRIVATE\\usertest"


Have you edited this debug?


Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 32
NAS-Port-Type = Ethernet
NAS-Port-Id = "32"
Called-Station-Id = "f0-62-81-05-33-40"
Calling-Station-Id = "f0-4d-a2-bc-77-cd"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x020a0012014f50544152455c62726f75636f


This decodes as:

\x02\n\x00\x12\x01OPTARE\\brouco


Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
*[eap] Identity does not match User-Name, setting from EAP Identity.*


This claims MSCHAP and Radius username don't match.

Did you edit the debug?

Don't do that.

Please provide a full debug, like so:

radiusd -X | tee log.txt
# run a test auth
# ctrl+c
# email log.txt
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to