Hi,

> On 24 Jun 2015, at 10:52, Christian Kratzer <[email protected]> wrote:
>
> On Wed, 24 Jun 2015, Tuure Vartiainen wrote:
>>
>>> On 24 Jun 2015, at 10:00, Christian Kratzer <[email protected]> wrote:
>>>
>>> I have a couple of Windows users that send a DOMAIN\ prefix to their
>>> username.
>>>
>>> What would be the best way to strip these things when using PEAP with
>>> AuthBy SQL.
>>>
>>> We are currently passing %X (eap identity) as the username with PEAP and %w
>>> (orig username) in the TTLS case.
>>>
>>
>> by using RewriteUsername I would say. E.g.
>>
>> RewriteUsername s/^([^\\]*)\\(.*)/$2/
>
> and this would not interfere with EAP handling in PEAP or TTLS ?
>
No, the domain name can be stripped off when using EAP-MSCHAPv2/MSCHAPv2.

Quote from RFC2759, section "4. Response Packet":

"When computing the NT-Response field contents, only the user name is used,
without any associated Windows NT domain name. This is true regardless of
whether a Windows NT domain name is present in the Name field"

Radiator also strips off the domain name when checking MSCHAPv2 NT-Response.

BR
-- 
Tuure Vartiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
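
The point made in the reply above, shown as an added example (not part of the original message and not Radiator's code): the user name is an input to the MS-CHAPv2 ChallengeHash from RFC 2759 section 8.2, so a verifier has to hash the bare name even when the Name field carries a domain prefix. The challenges and the name `User` are the RFC 2759 section 9.2 test-vector values; the domain `EXAMPLE` and the function names are assumptions made for the example.

```python
import hashlib
import re

# Python equivalent of the RewriteUsername rule quoted in the thread:
#   s/^([^\\]*)\\(.*)/$2/
DOMAIN_PREFIX = re.compile(r"^([^\\]*)\\(.*)")

# Challenges from the RFC 2759 section 9.2 test vector (user name "User").
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")


def strip_domain(name: str) -> str:
    """Drop a leading 'DOMAIN\\' prefix; names without a backslash are unchanged."""
    return DOMAIN_PREFIX.sub(r"\2", name, count=1)


def challenge_hash(peer: bytes, auth: bytes, user_name: str) -> bytes:
    """ChallengeHash() per RFC 2759 section 8.2.

    First 8 octets of SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).
    This value is the challenge that the NT-Response is computed over.
    """
    digest = hashlib.sha1(peer + auth + user_name.encode("ascii")).digest()
    return digest[:8]


def compare(sent_name: str):
    """Return (client, server_raw, server_stripped) ChallengeHash values.

    The client follows the RFC text quoted above and hashes only the bare
    user name, whatever it put in the Name field.
    """
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, strip_domain(sent_name))
    server_raw = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, sent_name)
    server_stripped = challenge_hash(
        PEER_CHALLENGE, AUTH_CHALLENGE, strip_domain(sent_name)
    )
    return client, server_raw, server_stripped


if __name__ == "__main__":
    # Constructed Name field value, as a Windows supplicant might send it.
    client, raw, stripped = compare("EXAMPLE\\User")
    print("client hash        :", client.hex())
    print("server, raw name   :", raw.hex(), "match" if raw == client else "MISMATCH")
    print("server, stripped   :", stripped.hex(), "match" if stripped == client else "MISMATCH")
```

A verifier that hashed the prefixed name would derive a different challenge and reject a correct password, which is why stripping the prefix does not disturb the inner MSCHAPv2 exchange.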
