Add $ to end of machine account uid

Cody Jarrett cody.jarrett at itfreedom.com
Fri Jul 6 22:15:03 CEST 2007 

Ok, did that, and the connection gets farther now. I don't quite 
understand how to get the other modules to use the stripped-user-name now.

rlm_attr_rewrite: Added attribute Stripped-User-Name with value 
'host/itf-toshiba-asd'
  modcall[authorize]: module "copy.user-name" returns ok for request 6
radius_xlat:  '^host/(.*)'
radius_xlat:  'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 
'host/itf-toshiba-asd' to 'itf-toshiba-asd$'
  modcall[authorize]: module "add-dollar-sign" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '\' in User-Name = "host/itf-toshiba-asd", looking up 
realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "DOMAIN" returns noop for request 6
  rlm_eap: EAP packet type response id 7 length 102
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=domain,dc=com'
radius_xlat:  '(uid=itf-toshiba-asd$)'
_____________
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = 
a0203913657d182f94d6ad94beee83e800686f73742f6974662d746f73686962612d617364
  PEAP: Setting User-Name to host/itf-toshiba-asd

        attr_rewrite copy.user-name {
                attribute = Stripped-User-Name
                new_attribute = yes
                searchfor = ""
                searchin = packet
                replacewith = "%{User-Name}"
}
        attr_rewrite add-dollar-sign {
                attribute = Stripped-User-Name
                searchfor = "^host/(.*)"
                searchin = packet
                new_attribute = no
                replacewith = "%{1}$"
        }


authorize {
        copy.user-name
        add-dollar-sign
        chap
        preprocess
        mschap
        DOMAIN
        eap
        files
        ldap
}


A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>   
>> I've about got it, but now I am getting an eap error about the username 
>> isn't correct.
>>
>> I added this about preprocess:
>> attr_rewrite add-dollar-sign {
>>                attribute = User-Name
>>                searchfor = "^host/(.*)"
>>                searchin = packet
>>                new_attribute = no
>>                replacewith = "%{1}$"
>>        }
>>     
>
> you cannot play with User-Name - that is returned in the EAP
> conversation and if it has changed then the auth wont work.
> copy the value to eg Stripped-User-Name and then use that variable
> to do the auth with (as per that example page)
>
> alan
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070706/3504ee17/attachment.html>

More information about the Freeradius-Users mailing list