[RADIATOR] Best way to strip leading DOMAIN\ with PEAP

Tuure Vartiainen vartiait at open.com.au
Wed Jun 24 04:20:37 CDT 2015


> On 24 Jun 2015, at 10:52, Christian Kratzer <ck at cksoft.de> wrote:
> On Wed, 24 Jun 2015, Tuure Vartiainen wrote:
>>> On 24 Jun 2015, at 10:00, Christian Kratzer <ck-lists at cksoft.de> wrote:
>>> I have a couple of windows users that send a DOMAIN\ prefix to their username.
>>> What would be the best way to strip these things when using PEAP with AuthBy SQL.
>>> We are currently passing %X (eap identity) as the username with PEAP and %w (orig username) in the TTLS case.
>> by using RewriteUsername I would say. E.g.
>> RewriteUsername s/^([^\\]*)\\(.*)/$2/
> and this would not interfere with EAP handling in PEAP or TTLS ?

no, domain name can be stripped off when using EAP-MSCHAPv2/MSCHAPv2

Quote from RFC2759, section "4. Response Packet”:

"When computing
the NT-Response field contents, only the user name is used, without
any associated Windows NT domain name.  This is true regardless of
whether a Windows NT domain name is present in the Name field"

Radiator also strips off the domain name when checking MSCHAPv2 NT-Response.

Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list