On 26/03/2013 15:12, John Horne wrote:
What is the upstream proxy?
Microsoft domain controller (DC).
As in, Microsoft NPS running on a DC?
Can you explain why you want to do this? Obviously it's possible to
manipulate the packet in many ways, but your goal may be best
accomplished via a different route.
-
The DC will recognise a user's userid (e.g. 'jbloggs') provided it has no
realm. It will also recognise (what I think is the UPN?) which is of the
form '[email protected]'.
Well, this depends on how you have your AD set up.
Basically, this whole area is a nest of vipers. It's a complete pain
because Windows is inconsistent about when you have to use a
samAccountName, when you may use a userPrincipalName, and it's
complicated even further by the fact that mschap mixes the username (but
not any domain prefix/suffix) into the challenge/response crypto, so the
server has to know which "username" you used.
Just to check I understand you - you currently have an NPS instance that
will successfully authenticate:
jbloggs
j.bloggs@domain
...but fails on:
jbloggs@domain
Correct?
However, we have to cater for a mixed format of
'[email protected]', which is currently used by some users and
working. To do this we need to strip off the realm so that the DC will
recognise just the userid part ('jbloggs').
But as you say, this ought to cause EAP failures, so it's useless?
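An added illustration (not part of the thread, and not FreeRADIUS or NPS code) of why stripping the realm before proxying breaks MSCHAPv2: RFC 2759 derives the 8-byte challenge from SHA-1 over PeerChallenge, AuthenticatorChallenge and the UserName string, so if the supplicant hashed 'jbloggs@domain' and the server recomputes with 'jbloggs', the two sides never agree. The challenge values and usernames below are constructed; the later NT-hash/DES step of the NT-Response is omitted because the mismatch already happens at the challenge-hash stage.

```python
import hashlib

# Constructed sample values. In a real exchange these travel in the
# MS-CHAP2-Challenge and MS-CHAP2-Response RADIUS attributes.
AUTHENTICATOR_CHALLENGE = bytes(range(16))
PEER_CHALLENGE = bytes(range(16, 32))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName), truncated to
    8 bytes. The UserName octets are part of the digest, so both ends must
    use byte-for-byte the same string.
    """
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("utf-8")).digest()
    return digest[:8]


def strip_realm(user_name: str) -> str:
    """Realm stripping as a proxy might do it: 'jbloggs@domain' -> 'jbloggs'."""
    return user_name.split("@", 1)[0]


def responses_match(client_name: str, server_name: str) -> bool:
    """Model the verification step.

    client_name is the string the supplicant fed into ChallengeHash();
    server_name is the string the authenticating server uses when it
    recomputes the expected response. The later NT-hash/DES step cannot
    rescue a mismatch here, because it is keyed on this 8-byte value.
    """
    client_side = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, client_name)
    server_side = challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, server_name)
    return client_side == server_side


if __name__ == "__main__":
    sent = "jbloggs@domain"
    # Proxy forwards the name unchanged: the DC hashes the same string.
    print("unchanged:", responses_match(sent, sent))
    # Proxy strips the realm: the DC hashes 'jbloggs', and the response
    # computed by the client against 'jbloggs@domain' cannot verify.
    print("stripped: ", responses_match(sent, strip_realm(sent)))
```

The practical consequence for a FreeRADIUS proxy is that rewriting User-Name on the way to the NPS is only safe for methods that do not bind the username into the cryptography (PAP, for example); for MSCHAPv2 the name the DC sees has to be the exact one the supplicant used.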