[RADIATOR] Best way to strip leading DOMAIN\ with PEAP

Tuure Vartiainen vartiait at open.com.au
Wed Jun 24 04:20:37 CDT 2015


Hi,

> On 24 Jun 2015, at 10:52, Christian Kratzer <ck at cksoft.de> wrote:
> 
> On Wed, 24 Jun 2015, Tuure Vartiainen wrote:
>> 
>>> On 24 Jun 2015, at 10:00, Christian Kratzer <ck-lists at cksoft.de> wrote:
>>> 
>>> I have a couple of windows users that send a DOMAIN\ prefix to their username.
>>> 
>>> What would be the best way to strip these things when using PEAP with AuthBy SQL.
>>> 
>>> We are currently passing %X (eap identity) as the username with PEAP and %w (orig username) in the TTLS case.
>>> 
>> 
>> By using RewriteUsername, I would say. E.g.
>> 
>> RewriteUsername s/^([^\\]*)\\(.*)/$2/
> 
> and this would not interfere with EAP handling in PEAP or TTLS ?
> 

No, the domain name can be stripped off when using EAP-MSCHAPv2/MSCHAPv2.

Quote from RFC 2759, section "4. Response Packet":

"When computing
the NT-Response field contents, only the user name is used, without
any associated Windows NT domain name.  This is true regardless of
whether a Windows NT domain name is present in the Name field"

Radiator also strips off the domain name when checking MSCHAPv2 NT-Response.


BR
-- 
Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
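As an added illustration of the point made in the thread (this is not Radiator's code, nor the poster's): the only place the user name enters the MSCHAPv2 NT-Response is the RFC 2759 ChallengeHash, which is computed over the bare name, so a verifier that left DOMAIN\ in place would derive a different 8-octet challenge and reject a correct response. The Python below reimplements the RewriteUsername rule and ChallengeHash with the standard library only; the DES-based NT-Response step is omitted, the challenges are constructed sample values, and UTF-8 encoding of the name is an assumption.

```python
import hashlib
import re

# Python equivalent of the RewriteUsername rule from the thread:
#   RewriteUsername s/^([^\\]*)\\(.*)/$2/
# Everything up to and including the first backslash is dropped;
# names without a backslash (e.g. an anonymous outer identity) pass unchanged.
DOMAIN_PREFIX = re.compile(r'^([^\\]*)\\(.*)')

def strip_domain(name: str) -> str:
    """Return the user part of a DOMAIN\\user name; other names are returned as-is."""
    return DOMAIN_PREFIX.sub(r'\2', name, count=1)

def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: SHA-1 over PeerChallenge ||
    AuthenticatorChallenge || UserName, truncated to 8 octets. UserName is the
    bare user name, without any Windows NT domain (UTF-8 encoding assumed here)."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MSCHAPv2 challenges are 16 octets each")
    data = peer_challenge + authenticator_challenge + user_name.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]

def server_challenge_for(name_field: str, peer_challenge: bytes, authenticator_challenge: bytes) -> bytes:
    """The challenge a verifying server must use for the NT-Response check:
    ChallengeHash over the Name field with the domain prefix stripped."""
    return challenge_hash(peer_challenge, authenticator_challenge, strip_domain(name_field))

if __name__ == "__main__":
    # Constructed sample challenges (not from a real exchange).
    peer = bytes(range(16))
    auth = bytes(range(16, 32))
    for name in ["alice", r"CORP\alice", "anonymous@example.org"]:
        print(f"{name!r:26} -> {strip_domain(name)!r}")
    # The peer hashed "alice"; hashing the full Name field would not match.
    print(server_challenge_for(r"CORP\alice", peer, auth) == challenge_hash(peer, auth, "alice"))
    print(challenge_hash(peer, auth, r"CORP\alice") == challenge_hash(peer, auth, "alice"))
```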


