Wildcard in realm name? possible??

Difan Zhao difan.zhao at guest-tek.com
Thu Sep 9 07:06:19 CEST 2010


Dear developers/experts,

I haven't bugged you guys for too long, so I decided to come back with a
strange question so you know that I'm still your loyal user.

I need to proxy requests with the following username pattern to a remote
server.

host/<PC name>.gtcorp.com

This is what the username looks like when the Windows PC is doing PEAP
with use of the PC's name instead of the actual user's username. Don't
know why, but it seems to be strange!

So I guess my first question is: is it possible to have a wildcard
(e.g. "*") in the realm name?

I did read all the docs I could possibly find and I tested the configs
as well, but I couldn't get it to work... Here is the debug while I'm
doing testing with the radtest program. As you see, it always matches
the "DEFAULT" realm but not the *.gtcorp.com that I defined... I'm using
2.1.6 on RHEL4. So! Help help!

[root@NE_OVI ~]# radtest 'host/difan.gtcorp.com' xxxx localhost 0 test123
Sending Access-Request of id 163 to 127.0.0.1 port 1812
        User-Name = "host/difan.gtcorp.com"
        User-Password = "xxxx"
        NAS-IP-Address = 66.150.161.140
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=163, length=20

------------------------------------------------------------------------------------

rad_recv: Access-Request packet from host 127.0.0.1 port 15676, id=163, length=73
        User-Name = "host/difan.gtcorp.com"
        User-Password = "xxxx"
        NAS-IP-Address = 66.150.161.140
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[GTCORP] Looking up realm "difan.gtcorp.com" for User-Name = "host/difan.gtcorp.com"
[GTCORP] Found realm "DEFAULT"
[GTCORP] Adding Realm = "DEFAULT"
[GTCORP] Proxying request from user host to realm DEFAULT
[GTCORP] Preparing to proxy authentication request to realm "DEFAULT"
++[GTCORP] returns updated
[suffix] Request already proxied.  Ignoring.
++[suffix] returns ok
...
 

The following are my relevant configs:

==================================================================
/etc/raddb/proxy.conf (I did try many other realm names such as
*.gtcorp.com as well)
==================================================================

proxy server {
        default_fallback = no
}

###############################

home_server GTK_Radius_Auth {
        type = auth
        ipaddr = 1.1.1.1
        port = 1812
        secret = xxxx
}

home_server GTK_Radius_Acct {
        type = acct
        ipaddr = 1.1.1.1
        port = 1813
        secret = xxxx
}

####################################################

home_server_pool GTK_Radius_Auth_Pool {
        type = fail-over
        home_server = GTK_Radius_Auth
}

home_server_pool GTK_Radius_Acct_Pool {
        type = fail-over
        home_server = GTK_Radius_Acct
}

####################################################

realm ~"*.gtcorp.com" {
        nostrip
        auth_pool = GTK_Radius_Auth_Pool
        acct_pool = GTK_Radius_Acct_Pool
}

#
#  This realm is for requests which don't have an explicit realm
#  prefix or suffix.  User names like "bob" will match this one.
#
realm NULL {
        nostrip
        auth_pool = GTK_Radius_Auth_Pool
        acct_pool = GTK_Radius_Acct_Pool
}

#
#  This realm is for ALL OTHER requests.
#
realm DEFAULT {
        nostrip
        auth_pool = GTK_Radius_Auth_Pool
        acct_pool = GTK_Radius_Acct_Pool
}

===========================================================
/etc/raddb/modules/realm
===========================================================

realm GTCORP {
        format = suffix
        delimiter = "/"
}

==========================================================
/etc/raddb/sites-available/default
==========================================================

...
authorize {
        preprocess
        chap
        mschap
        GTCORP
        suffix
        ...
}

 

Thanks!!

Difan Zhao, M.Eng
Network Engineer
Guest-Tek Interactive Entertainment Inc.

Email: difan.zhao at guest-tek.com
Office: +1 (403) 509 1010 ext 3048
Cell: +1 (403) 689 7514

www.guest-tek.com

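The post shows the two halves of the problem: rlm_realm (instance GTCORP, format = suffix, delimiter "/") splits "host/difan.gtcorp.com" into user "host" and realm "difan.gtcorp.com", and the proxy realm table then has to match that realm part. A shell-style glob such as *.gtcorp.com is not a regular expression, so a "~" (regex) realm written that way cannot match, and the request falls through to the catch-all DEFAULT realm, which is exactly what the debug output shows. The Python below is an added example, not FreeRADIUS code or the poster's configuration: it is a simplified model of that split-then-lookup order (exact literal name, then "~" regex realms in order, then NULL when no delimiter was present, else DEFAULT), and it shows why an anchored regex matters. The realm table, user names and pool names in it are constructed; the exact quoting FreeRADIUS 2.x accepts for a "~" realm name should be checked against the comments in the shipped proxy.conf.

```python
"""Simplified model of FreeRADIUS 2.x realm routing (added example, not
FreeRADIUS code). All realm names, pools and user names are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Realm:
    name: str             # literal name, "NULL", "DEFAULT", or "~<regex>"
    auth_pool: str        # home_server_pool the request would be proxied to
    nostrip: bool = True  # keep the full User-Name when proxying


def split_username(user_name: str, delimiter: str, fmt: str) -> Tuple[str, Optional[str]]:
    """format = suffix splits at the LAST delimiter, format = prefix at the
    FIRST. Returns (user, realm_part); realm_part is None when the delimiter
    is absent, which is the case the NULL realm exists for."""
    if fmt == "suffix":
        user, sep, realm_part = user_name.rpartition(delimiter)
        return (user, realm_part) if sep else (user_name, None)
    if fmt == "prefix":
        realm_part, sep, user = user_name.partition(delimiter)
        return (user, realm_part) if sep else (user_name, None)
    raise ValueError(f"unknown format {fmt!r}")


def compile_realms(realms: List[Realm]):
    """Compile '~' realms up front, as a server would at config load. A name
    that is a glob rather than a regex ('~*.gtcorp.com') raises re.error."""
    table = []
    for r in realms:
        pat = re.compile(r.name[1:], re.IGNORECASE) if r.name.startswith("~") else None
        table.append((r, pat))
    return table


def realm_name_is_valid(name: str) -> bool:
    """True if a '~' realm name is a compilable regex (literal names always are)."""
    try:
        compile_realms([Realm(name, "unused")])
        return True
    except re.error:
        return False


def lookup_realm(realm_part: Optional[str], table) -> Optional[Realm]:
    """Search order modelled on the server: exact literal name (case-insensitive),
    then regex realms in configuration order (unanchored substring search, like
    regexec), then NULL for a name without a delimiter, else DEFAULT."""
    by_name = {r.name.upper(): r for r, pat in table if pat is None}
    if realm_part is None:
        return by_name.get("NULL") or by_name.get("DEFAULT")
    exact = by_name.get(realm_part.upper())
    if exact is not None:
        return exact
    for r, pat in table:
        if pat is not None and pat.search(realm_part):
            return r
    return by_name.get("DEFAULT")


def route(user_name: str, realms: List[Realm], delimiter: str = "@",
          fmt: str = "suffix") -> Optional[Tuple[str, str, str]]:
    """Return (matched realm name, auth pool, User-Name as forwarded), or
    None when no realm applies and the request would be handled locally."""
    user, realm_part = split_username(user_name, delimiter, fmt)
    realm = lookup_realm(realm_part, compile_realms(realms))
    if realm is None:
        return None
    forwarded = user_name if realm.nostrip else user
    return realm.name, realm.auth_pool, forwarded


# Constructed table mirroring the poster's proxy.conf, with the wildcard realm
# written as an anchored regular expression instead of a shell glob.
POSTER_REALMS = [
    Realm(r"~^[^.]+\.gtcorp\.com$", "GTK_Radius_Auth_Pool"),
    Realm("NULL", "GTK_Radius_Auth_Pool"),
    Realm("DEFAULT", "GTK_Radius_Auth_Pool"),
]

if __name__ == "__main__":
    print(realm_name_is_valid("~*.gtcorp.com"))                     # False: glob, not regex
    print(route("host/difan.gtcorp.com", POSTER_REALMS, delimiter="/"))  # regex realm
    print(route("bob", POSTER_REALMS, delimiter="/"))                # NULL realm
    print(route("host/pc.example.org", POSTER_REALMS, delimiter="/"))  # DEFAULT catch-all
    # Anchoring caveat: an unanchored pattern also routes realms that merely
    # contain the string, and with nostrip the whole credential goes with it.
    loose = compile_realms([Realm(r"~gtcorp\.com", "GTK_Radius_Auth_Pool")])
    tight = compile_realms([Realm(r"~gtcorp\.com$", "GTK_Radius_Auth_Pool")])
    print(lookup_realm("gtcorp.com.example.net", loose) is not None)  # True
    print(lookup_realm("gtcorp.com.example.net", tight) is None)      # True
```

Two things in the model are worth carrying back to a real configuration: the DEFAULT realm with nostrip forwards every user name that matched nothing else, including names from unrelated domains, to the home server, so it should only exist if that is intended; and a "~" realm should be anchored (at least with "$") so that it matches the domain and not any realm that happens to contain it.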

 
