help-gnu-radius

[Help-gnu-radius] stripping domain name through hints file - need assistance


From: lelik67
Subject: [Help-gnu-radius] stripping domain name through hints file - need assistance
Date: Mon, 7 Jun 2010 07:50:20 -0700 (PDT)

I am using RADIUS + LDAP to authenticate wireless Windows users against a
Windows NT-like domain (Samba).

If Windows clients use a third-party supplicant like SecureW2 with EAP-TTLS/PAP,
they can successfully authenticate. However, they have to configure
SecureW2 to not send the domain name, only user name + password.

But if they try to use the built-in Microsoft EAP-PEAP/MSCHAPv2, it fails. Note
that it uses Windows credentials, which means it sends user + password + domain.

I need to construct a proper hint in the hints file to strip the domain name.
Any help will be appreciated.

Example of successful EAP TTLS PAP:

[ldap] performing user authorization for john
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=john)
        expand: dc=smith,dc=local -> dc=smith,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=smith,dc=local, with filter (uid=john)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x444334xxx
rlm_ldap: sambaLmPassword -> LM-Password == 0x383631xxx
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user john authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "john" with password "xxxx"
[ldap] user DN: uid=john,ou=Users,dc=smith,dc=local
rlm_ldap: (re)connect to ldap://127.0.0.1:389/, authentication 1
rlm_ldap: bind as uid=john,ou=Users,dc=smith,dc=local/xxx to
ldap://127.0.0.1:389/
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user john authenticated succesfully

Example of rejected EAP PEAP mSCHAP v2:

[ldap] performing user authorization for SMITH\john
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand: (uid=%{Stripped-User-Name:-%{User-Name}}) ->
(uid=SMITH\5cjohn)
        expand: dc=smith,dc=local -> dc=smith,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=smith,dc=local, with filter
(uid=SMITH\5cjohn)
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap]   NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for SMITH\john with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.


-- 
View this message in context: 
http://old.nabble.com/stripping-domain-name-through-hints-file---need-assistance-tp28806276p28806276.html
Sent from the Gnu - Radius - General mailing list archive at Nabble.com.
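The stripping the post asks about, as an added example written for this page; it is not code from the original post, from GNU Radius, or from FreeRADIUS (the rlm_ldap/rlm_mschap lines above are FreeRADIUS debug output). The block models three things the logs depend on: how a "prefix" realm with a backslash delimiter turns `SMITH\john` into Stripped-User-Name `john` (the same split a `user@realm` suffix realm does with `@`), how the `%{Stripped-User-Name:-%{User-Name}}` fallback feeds the `(uid=...)` filter with RFC 4515 escaping (which is why the rejected request searched for `uid=SMITH\5cjohn`: the backslash was escaped correctly, but no such uid exists, so the NT-Password check item was never loaded), and why the MS-CHAPv2 challenge hash must also be computed over the bare user name. All function names and the sample challenges are constructed for illustration.

```python
"""Added example (not from the original post, GNU Radius or FreeRADIUS).

Models how a RADIUS server derives Stripped-User-Name from "DOMAIN\\user",
how that choice changes the LDAP search filter, and how it changes the
MS-CHAPv2 challenge hash. Inputs below are constructed, not captured.
"""
import hashlib
from typing import NamedTuple, Optional


class NameSplit(NamedTuple):
    stripped: str         # value Stripped-User-Name would receive
    realm: Optional[str]  # NT domain or @realm; None when nothing was stripped


def split_ntdomain(user_name: str) -> NameSplit:
    """Prefix realm with a '\\' delimiter: 'SMITH\\john' -> ('john', 'SMITH')."""
    domain, sep, user = user_name.partition("\\")
    if sep and domain and user:
        return NameSplit(user, domain)
    return NameSplit(user_name, None)


def split_suffix(user_name: str) -> NameSplit:
    """Suffix realm with an '@' delimiter: 'john@smith.local' -> ('john', 'smith.local')."""
    user, sep, realm = user_name.rpartition("@")
    if sep and user and realm:
        return NameSplit(user, realm)
    return NameSplit(user_name, None)


def split_user_name(user_name: str) -> NameSplit:
    """Try the NT-domain form first, then the e-mail style suffix."""
    nt = split_ntdomain(user_name)
    return nt if nt.realm is not None else split_suffix(user_name)


# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape an assertion value. '\\' -> '\\5c' is exactly what produced
    (uid=SMITH\\5cjohn) in the rejected log: correct escaping, wrong name."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def uid_filter(user_name: str, stripped: Optional[str] = None) -> str:
    """Model the expansion (uid=%{Stripped-User-Name:-%{User-Name}}):
    use Stripped-User-Name when present, otherwise fall back to User-Name."""
    return "(uid=%s)" % ldap_escape(stripped if stripped else user_name)


def filter_after_stripping(user_name: str) -> str:
    """Filter the ldap module would build once a realm has stripped the name."""
    split = split_user_name(user_name)
    return uid_filter(user_name, split.stripped if split.realm else None)


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes,
                            user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge ||
    UserName)[:8]. Windows computes this over the bare user name, so a server
    that hashes 'SMITH\\john' derives a different 8-byte challenge and the
    MS-CHAP2-Response can never verify, even if the NT hash were found."""
    h = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("utf-8"))
    return h.digest()[:8]


if __name__ == "__main__":
    peer, auth = b"\x11" * 16, b"\x22" * 16  # constructed 16-byte challenges
    for name in ("john", "SMITH\\john", "john@smith.local"):
        split = split_user_name(name)
        print(f"{name:18} stripped={split.stripped!r:8} realm={split.realm!r:16} "
              f"raw filter={uid_filter(name):22} after realm={filter_after_stripping(name)}")
    differs = (mschapv2_challenge_hash(peer, auth, "SMITH\\john")
               != mschapv2_challenge_hash(peer, auth, "john"))
    print("challenge hash differs when the domain is kept:", differs)
```

In FreeRADIUS, whose output the post shows, the variable-domain case is normally handled not by a hints entry (hints match fixed `Prefix`/`Suffix` strings) but by the realm module's `ntdomain` instance (`format = prefix`, `delimiter = "\\"`) listed in `authorize` before `ldap`, together with `with_ntdomain_hack = yes` in the mschap module, which the "should we have enabled with_ntdomain_hack?" line is pointing at. The first fix makes the LDAP search run as `(uid=john)` so the sambaNtPassword check item is loaded; the second makes the challenge hash match what the Windows client computed.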