Re: Add $ to end of machine account uid

[Cody Jarrett <cody.jarrett@itfreedom.com>]

Ok, did that, and the connection gets farther now. I don't quite understand how to get the other modules to use the stripped-user-name now.

rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'host/itf-toshiba-asd'
  modcall[authorize]: module "copy.user-name" returns ok for request 6
radius_xlat:  '^host/(.*)'
radius_xlat:  'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'host/itf-toshiba-asd' to 'itf-toshiba-asd$'
  modcall[authorize]: module "add-dollar-sign" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '\' in User-Name = "host/itf-toshiba-asd", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "DOMAIN" returns noop for request 6
  rlm_eap: EAP packet type response id 7 length 102
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=domain,dc=com'
radius_xlat:  '(uid=itf-toshiba-asd$)'
_____________
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Got tunneled EAP-Message
        EAP-Message = a0203913657d182f94d6ad94beee83e800686f73742f6974662d746f73686962612d617364
  PEAP: Setting User-Name to host/itf-toshiba-asd

        attr_rewrite copy.user-name {
                attribute = Stripped-User-Name
                new_attribute = yes
                searchfor = ""
                searchin = packet
                replacewith = "%{User-Name}"
}
        attr_rewrite add-dollar-sign {
                attribute = Stripped-User-Name
                searchfor = "^host/(.*)"
                searchin = packet
                new_attribute = no
                replacewith = "%{1}$"
        }


authorize {
        copy.user-name
        add-dollar-sign
        chap
        preprocess
        mschap
        DOMAIN
        eap
        files
        ldap
}


A.L.M.Buxey@lboro.ac.uk wrote:

Hi,

  

I've about got it, but now I am getting an eap error about the username 
isn't correct.

I added this about preprocess:
attr_rewrite add-dollar-sign {
               attribute = User-Name
               searchfor = "^host/(.*)"
               searchin = packet
               new_attribute = no
               replacewith = "%{1}$"
       }
    

you cannot play with User-Name - that is returned in the EAP
conversation and if it has changed then the auth wont work.
copy the value to eg Stripped-User-Name and then use that variable
to do the auth with (as per that example page)

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html