
List:       freeradius-users
Subject:    Re: Error: User-Name is not the same as MS-CHAP name
From:       Francois Gaudreault <fgaudreault () inverse ! ca>
Date:       2011-05-30 14:48:55
Message-ID: 4DE3AE57.1030404 () inverse ! ca

Hi,

On 11-05-30 9:55 AM, Phil Mayers wrote:
> On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
>>>
>>> There's no guarantee that STAFF\john and STUDENT\john are the same
>>> person; you can't just ignore the fact that the client has changed 
>>> their username.
>>>
>> True.  But I don't think it is possible to send a different Username 
>> in EAP-Identity and MSChap Username in the same EAP session since the 
>> second is derived from the first.  I have seen such setups where you 
>> have two domains; RADIUS would use the Realm to differentiate the two.
>
> For a legit client, yes. A malicious client can send anything it wants.
I completely agree with you on this.

>
>>
>> Is there a way we could work around this hard-coded check since in 
>> our case, we only have "one john"?
>
> Sure; the check is just one line; grep the source code for it and 
> comment it out.
>
> What I really want to understand is, whether the check is too strict 
> and FreeRADIUS should be fixed, or whether Windows XP is just buggy. I 
> will try to check this tomorrow.
>
> e.g. maybe the check should be:
>
> if eap.username == mschap.username:
>  ok
> elif not mschap.domain:
>  if eap.stripped-user-name == mschap.username:
>    ok
>  reject
> else:
>  reject
>
> I will try to investigate this tomorrow when I get back to the office.
Aight.  Keep us posted.


-- 
Francois Gaudreault, ing. jr
fgaudreault@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
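
The check sketched in the quoted pseudocode, written out as runnable Python. This is an added example, not code from the thread or from FreeRADIUS; the function names, the `DOMAIN\user` / `user@realm` splitting rule, the exact (case-sensitive) comparison and the sample names are assumptions.

```python
from typing import NamedTuple, Optional


class Identity(NamedTuple):
    domain: Optional[str]  # None when the name carries no domain/realm
    user: str


def split_identity(name: str) -> Identity:
    """Split 'DOMAIN\\user' or 'user@realm' into (domain, user).

    Assumed splitting rule for this example; a bare name has domain None.
    """
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return Identity(domain or None, user)
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        return Identity(realm or None, user)
    return Identity(None, name)


def names_consistent(eap_identity: str, mschap_name: str) -> bool:
    """Return True if the MS-CHAP name is acceptable for this EAP identity."""
    # Case 1: the two names are identical, domain included.
    if eap_identity == mschap_name:
        return True
    # Case 2: the MS-CHAP name has no domain, so compare it with the
    # EAP identity after its domain/realm has been stripped.
    if split_identity(mschap_name).domain is None:
        return split_identity(eap_identity).user == mschap_name
    # Case 3: the MS-CHAP name carries a domain and differs from the EAP
    # identity (e.g. STAFF\john vs STUDENT\john): reject.
    return False


if __name__ == "__main__":
    # Constructed sample pairs: (EAP identity, MS-CHAP name).
    samples = [
        ("STAFF\\john", "STAFF\\john"),
        ("STAFF\\john", "john"),
        ("STAFF\\john", "STUDENT\\john"),
        ("john", "STAFF\\john"),
    ]
    for eap, mschap in samples:
        verdict = "ok" if names_consistent(eap, mschap) else "reject"
        print(f"{eap!r:18} {mschap!r:18} {verdict}")
```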