On Tue, 2013-03-26 at 15:35 +0000, Phil Mayers wrote:
> On 26/03/2013 15:12, John Horne wrote:
> >> What is the upstream proxy?
> >>
> > Microsoft domain controller (DC).
>
> As in, Microsoft NPS running on a DC?
>

As far as I know, yes. I don't deal with the Microsoft side of this.

>
> Just to check I understand you - you currently have an NPS instance that
> will successfully authenticate:
>
> jbloggs
> j.bloggs@domain
>
> ...but fails on:
>
> jbloggs@domain
>
> Correct?
>

No. At present it will authenticate 'jbloggs' and 'jbloggs@domain'. We
want to have it authenticate 'jbloggs' and 'j.bloggs@domain', but
because 'jbloggs@domain' currently works, we need to cater for it but
have to do this by stripping the realm (so it becomes just 'jbloggs').
Don't ask me 'why', I gather that the DC can recognise a userid (such as
'jbloggs') and the UPN ('j.bloggs@domain'), but it cannot recognise
three formats. So we need to change 'jbloggs@domain' to just 'jbloggs'.
Trying to change 'jbloggs@domain' to 'j.bloggs@domain' may be possible,
but we would have to start doing LDAP lookups to dig out the info.
Secondly, of course, we would be changing the 'User-Name' sent
to the DC, so I assume EAP would break again.

> > However, we have to cater for a mixed format of
> > 'jbloggs@domain', which is currently used by some users and
> > working. To do this we need to strip off the realm so that the DC will
> > recognise just the userid part ('jbloggs').
>
> But as you say, this ought to cause EAP failures, so it's useless?
>

If I can't get 'jbloggs@domain' stripped of the domain, then yes it
could all be useless.

John.

--
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001