
ms chap v2 and captive portal and realm stripping


npsisalright
New Contributor II
So I have an interesting problem here. I have a captive portal page that authenticates against RADIUS servers. The RADIUS servers are Microsoft NPS.

On this captive portal, users can use username and get a PPSK code. They cannot use username@domain; the authentication fails.

However, on other networks with WPA Enterprise (802.1X, username and password), they can authenticate with either an email address or their username.

I narrowed the problem down to the difference between EAP authentication (on the 802.1X enterprise) vs. MS-CHAP v2, which the captive portal uses. For some reason, MS-CHAP v2 does not authenticate when the domain portion is used.

I tried to use realm stripping to get around this, but for some reason it isn't working either.

My questions are: 1.) Does anyone do this, and did you get emails to work with NPS server? How did you do it? And 2.) is MS-CHAP v2 really the highest authentication method that can be used for captive portal? Can you not enable EAP authentication as well?

Any other way I can configure this so that people can log in with their SPN or full email address?

1 REPLY

npsisalright
New Contributor II
Another solid option would be simply adjusting the index.html page and using the existing sanitization code, augmenting with something from this article:

https://stackoverflow.com/questions/7266608/how-can-i-extract-the-user-name-from-an-email-address-us...

However, I am not a programmer and don't know how to edit the JavaScript on that page in this way, to strip the domains. E.g.:
str.substring(0,str.indexOf("@"))

Last option would be editing the page and just putting up a note that people should not use full email addresses. A note they won't read and still generate support calls (sigh).
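
A sketch of the client-side realm stripping the reply describes, as an added example that is not part of the original post or of the vendor's portal page. The function name `stripRealm` and the sample inputs are hypothetical; it also handles the case where no "@" is typed, which the one-line `substring` call turns into an empty username.

```javascript
// Added example: hypothetical helper, not the vendor's portal code.
// Reduces what a user typed to the bare account name before the portal
// submits it for MS-CHAP v2 authentication.
function stripRealm(input) {
  if (typeof input !== "string") return "";
  let name = input.trim();

  // DOMAIN\user form: keep what follows the last backslash.
  const slash = name.lastIndexOf("\\");
  if (slash !== -1) name = name.slice(slash + 1);

  // user@domain form: keep what precedes the first "@".
  // indexOf returns -1 when there is no "@", and substring(0, -1) would
  // then return "", so only cut when an "@" is actually present.
  const at = name.indexOf("@");
  if (at !== -1) name = name.slice(0, at);

  return name;
}

// Constructed sample inputs, not taken from any real directory.
const samples = [
  "jsmith",
  "jsmith@example.com",
  "EXAMPLE\\jsmith",
  "  jsmith@example.com  ",
  "@example.com",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(stripRealm(s)));
}
```

An empty result (as for "@example.com") should be rejected by the form rather than submitted. This assumes the part before the "@" matches the account name NPS expects; where a user's email prefix differs from their logon name, stripping will not make the login succeed.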