Prefix/Suffix not working (FR 2.0.5, CentOS 5, System Auth)
Ivan Kalik
tnt at kalik.net
Tue Aug 12 19:13:45 CEST 2008
You need to add User-Name := Stripped-User-Name to your users file entry
in order to replace it with the stripped value.
Ivan Kalik
Kalik Informatika ISP
On 12/8/2008, "Steve Weaver" <sweaver at inetnebr.com> wrote:
>I'm having a strange problem I hope you can help me figure out. We're
>finally moving from an ancient Livingston RADIUS to FreeRADIUS.
>
>I compiled and installed version 2.0.5 on a freshly installed CentOS 5
>box, read all the documentation I could find, installed our old users
>file and adapted it until it now (mostly) works correctly.
>
>System info:
>
># radiusd -v
>radiusd: FreeRADIUS Version 2.0.5, for host i686-redhat-linux-gnu,
>built on Aug 5 2008 at 15:40:15
>
># uname -a
>Linux ****.*******.com 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT
>2008 i686 i686 i386 GNU/Linux
>
>The problem I'm having is that we have a lot of legacy users still
>logging in with "Pusername" for PPP connections. I've tried to set it
>up in both the users file and the hints file (separately) and get the
>same result. No matter what I do, it tries to authenticate (System
>auth type) the username "Pusername" instead of "username".
>
>If I add a user named "Pusername" everything works correctly. It hits
>the right default entry and authenticates fine, so it's just not
>stripping off the "P" when authenticating. I have also tried suffixes
>(".ppp") to test if it was just the prefix that wasn't working. Same
>problem.
>
>We're not using any realms, proxying, LDAP, SQL, etc at this time.
>Just a very simple single RADIUS server reading from a users file and
>authenticating against the system password file.
>
>I first tried to set it up in the users file. I commented out
>everything in the hints file. Here's what the DEFAULT entry looks like
>in the users file:
>
>DEFAULT Auth-Type := System, Prefix == "P"
> User-Service-Type = Framed-User,
> Session-Timeout = 36000,
> Idle-Timeout = 600,
> Port-Limit = 1,
> Framed-Protocol = PPP,
> Framed-Address = 255.255.255.254,
> Framed-Netmask = 255.255.255.255,
> Framed-Routing = None,
> Framed-MTU = 1500,
> Framed-Compression = Van-Jacobsen-TCP-IP
>
>I attempt to authenticate:
>
># radtest Psweaver ******** localhost 0 testing123
>Sending Access-Request of id 43 to 127.0.0.1 port 1645
> User-Name = "Psweaver"
> User-Password = "********"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
>rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=43,
>length=20
>
>Things are working otherwise; without the "P" it works fine:
>
># radtest sweaver ******** localhost 0 testing123
>Sending Access-Request of id 223 to 127.0.0.1 port 1645
> User-Name = "sweaver"
> User-Password = "********"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
>rad_recv: Access-Accept packet from host 127.0.0.1 port 1645, id=223,
>length=56
> Session-Timeout = 36000
> Idle-Timeout = 600
> Port-Limit = 1
> Service-Type = Login-User
> Login-IP-Host = ***.***.***.***
> Login-Service = Rlogin
>
>With the "P", here's the output of radiusd -X
>
>rad_recv: Access-Request packet from host 127.0.0.1 port 35915, id=175,
>length=60
> User-Name = "Psweaver"
> User-Password = "********"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
>+- entering group authorize
>++[preprocess] returns ok
> expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>-> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
>rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
> expand: %t -> Tue Aug 12 10:10:44 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
> rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL
> rlm_realm: No such realm "NULL"
>++[suffix] returns noop
> rlm_eap: No EAP-Message, not doing EAP
>++[eap] returns noop
>++[unix] returns notfound
> users: Matched entry DEFAULT at line 3526
>++[files] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>rlm_pap: WARNING! No "known good" password found for the user.
>Authentication may fail because of this.
>++[pap] returns noop
> rad_check_password: Found Auth-Type System
>auth: type "System"
>+- entering group authenticate
>++[unix] returns notfound
>auth: Failed to validate the user.
> Found Post-Auth-Type Reject
>+- entering group REJECT
> expand: %{User-Name} -> Psweaver
> attr_filter: Matched entry DEFAULT at line 11
>++[attr_filter.access_reject] returns updated
>Sending Access-Reject of id 175 to 127.0.0.1 port 35915
>Finished request 2.
>Going to the next request
>Waking up in 4.9 seconds.
>Cleaning up request 2 ID 175 with timestamp +1013
>Ready to process requests.
>
>Note that it's matching line 3526, which is indeed the DEFAULT entry I
>listed above.
>
>If I move prefix information to the hints file, I end up with this
>in the hints file:
>
>DEFAULT Prefix == "P", Strip-User-Name = Yes
> Hint = "PPP"
>
>and this in the users file:
>
>DEFAULT Auth-Type := System, Hint == "PPP"
> User-Service-Type = Framed-User,
> Session-Timeout = 36000,
> Idle-Timeout = 600,
> Port-Limit = 1,
> Framed-Protocol = PPP,
> Framed-Address = 255.255.255.254,
> Framed-Netmask = 255.255.255.255,
> Framed-Routing = None,
> Framed-MTU = 1500,
> Framed-Compression = Van-Jacobsen-TCP-IP
>
>Test fails:
>
># radtest Psweaver ******** localhost 0 testing123
>Sending Access-Request of id 161 to 127.0.0.1 port 1645
> User-Name = "Psweaver"
> User-Password = "********"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
>rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=161,
>length=20
>
>radiusd -X output:
>
>rad_recv: Access-Request packet from host 127.0.0.1 port 35924, id=161,
>length=60
> User-Name = "Psweaver"
> User-Password = "********"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
>+- entering group authorize
> hints: Matched DEFAULT at 65
>++[preprocess] returns ok
> expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>-> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
>rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
>expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
> expand: %t -> Tue Aug 12 10:44:04 2008
>++[auth_log] returns ok
>++[chap] returns noop
>++[mschap] returns noop
> rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL
> rlm_realm: No such realm "NULL"
>++[suffix] returns noop
> rlm_eap: No EAP-Message, not doing EAP
>++[eap] returns noop
>++[unix] returns notfound
> users: Matched entry DEFAULT at line 3526
>++[files] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>rlm_pap: WARNING! No "known good" password found for the user.
>Authentication may fail because of this.
>++[pap] returns noop
> rad_check_password: Found Auth-Type System
>auth: type "System"
>+- entering group authenticate
>++[unix] returns notfound
>auth: Failed to validate the user.
> Found Post-Auth-Type Reject
>+- entering group REJECT
> expand: %{User-Name} -> Psweaver
> attr_filter: Matched entry DEFAULT at line 11
>++[attr_filter.access_reject] returns updated
>Sending Access-Reject of id 161 to 127.0.0.1 port 35924
>Finished request 0.
>Going to the next request
>Waking up in 4.9 seconds.
>Cleaning up request 0 ID 161 with timestamp +4
>Ready to process requests.
>
>It hits line 65 in the hints file (my "P" entry), and line 3526 in the
>users file (my "PPP" entry.) When using the hints file, it even logs
>this to the detail file showing that it's been stripped:
>
>Tue Aug 12 10:44:04 2008
> Packet-Type = Access-Request
> User-Name = "Psweaver"
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Stripped-User-Name = "sweaver"
> Hint = "PPP"
>
>Either way, everything works if I add a Psweaver entry to the password
>file, and not if I don't.
>
>I'm out of ideas. Anyone have any I can borrow? :)
>
>TIA,
>SW
>--
>Steven Weaver sweaver at inebraska.com
>IT Director (402) 434-8680 x101
>Internet Nebraska http://www.inebraska.com/
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
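As an added illustration (not part of Ivan's or Steve's messages, and not FreeRADIUS code), here is a small Python model of what the debug output and the detail file above show: a hints entry with Prefix/Suffix and Strip-User-Name records the stripped name in Stripped-User-Name and leaves User-Name untouched, which is why the System (unix) lookup still sees "Psweaver". Copying the stripped value back into User-Name, the step Ivan describes, is what changes the name the authenticate stage looks up. The check-item parser, the attribute names and the sample request are simplified assumptions made for the example.

```python
"""Simplified model of FreeRADIUS 2.x hints-file prefix/suffix stripping.

Constructed illustration only; the real module has many more options.
"""
import re
from typing import Dict, List, Tuple

# Constructed hints entries mirroring the thread: a "P" prefix and a
# ".ppp" suffix, both stripped and both tagging the request with Hint = PPP.
HINTS: List[Tuple[str, Dict[str, str]]] = [
    ('DEFAULT Prefix == "P", Strip-User-Name = Yes', {"Hint": "PPP"}),
    ('DEFAULT Suffix == ".ppp", Strip-User-Name = Yes', {"Hint": "PPP"}),
]

# Matches one check item: Attribute <op> value, value optionally quoted.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|=|:=)\s*("[^"]*"|\S+)')


def parse_entry(line: str) -> Tuple[str, Dict[str, Tuple[str, str]]]:
    """Split 'NAME item, item, ...' into the entry name and its check items."""
    name, _, rest = line.partition(" ")
    items: Dict[str, Tuple[str, str]] = {}
    for attr, op, val in ITEM_RE.findall(rest):
        items[attr] = (op, val.strip('"'))
    return name, items


def apply_hints(request: Dict[str, str], hints=HINTS) -> Dict[str, str]:
    """Apply the first matching hints entry to a copy of the request.

    Like the real module, this never rewrites User-Name: the stripped value
    is stored in Stripped-User-Name, and the entry's reply items are added.
    """
    req = dict(request)
    name = req["User-Name"]
    for line, reply in hints:
        _, items = parse_entry(line)
        stripped = None
        if "Prefix" in items and name.startswith(items["Prefix"][1]):
            stripped = name[len(items["Prefix"][1]):]
        elif "Suffix" in items and name.endswith(items["Suffix"][1]):
            stripped = name[:-len(items["Suffix"][1])]
        if stripped is None:
            continue
        if items.get("Strip-User-Name", ("=", "Yes"))[1].lower() == "yes":
            req["Stripped-User-Name"] = stripped
        req.update(reply)
        return req
    return req


def name_seen_by_system_auth(request: Dict[str, str], copy_stripped: bool) -> str:
    """Return the User-Name the unix/System module would look up.

    copy_stripped=True models the users-file fix from the reply above
    (User-Name := Stripped-User-Name); False models the original setup.
    """
    req = dict(request)
    if copy_stripped and "Stripped-User-Name" in req:
        req["User-Name"] = req["Stripped-User-Name"]
    return req["User-Name"]


if __name__ == "__main__":
    # Constructed request matching the one in the thread (password elided).
    req = apply_hints({"User-Name": "Psweaver", "User-Password": "********"})
    print(req)  # Stripped-User-Name = sweaver, Hint = PPP, User-Name unchanged
    print(name_seen_by_system_auth(req, copy_stripped=False))  # Psweaver
    print(name_seen_by_system_auth(req, copy_stripped=True))   # sweaver
```

One caveat the model makes visible: a hints entry keyed on Prefix == "P" matches every User-Name that starts with "P", so an account legitimately named "Paul" would be stripped to "aul" and authenticated as that user. Before deploying a prefix rule, check the password file for real usernames that begin with the prefix, and confirm the effect with radtest in both directions as the original poster did.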