freeradius 3.x - proxy realm - problem to strip username
ERIC TANGUY
eric.tanguy at arkea.com
Tue Aug 25 09:09:11 CEST 2015
Hello
I use FreeRADIUS 3.0.9, the PAM module and an RSA server (strong authentication server).
I have a user with a realm (user_realm). Using the proxy function and the PAM module on my RADIUS server, I want to forward the request to my RSA server.
I have a problem because the incoming user on my RSA server is user_realm and not just user.
Below is my config:
- radiusd.conf
original config with the following added:

    proxy_requests = yes
    $INCLUDE proxy.conf

- proxy.conf
original config with the following added:

    realm rsa {
        authhost = LOCAL
        accthost = LOCAL
    }

- sites-enabled/default
original config with the following added:

    authorize {
        ...
        underscore
        arobase
        ...
    }
    authenticate {
        ...
        Auth-Type PAMRSA {
            pam-rsa
        }
        ...
    }
    preacct {
        ...
        underscore
        arobase
        ...
    }

- mods-enabled/pam
    pam pam-rsa {
        pam_auth = rsasecurid
    }

- mods-enabled/realm
    realm underscore {
        format = suffix
        delimiter = "_"
    }
    realm arobase {
        format = suffix
        delimiter = "@"
    }

My error in radius.log:
(0) Received Access-Request Id 124 from h.j.k.l:35867 to v.w.x.y :1812 length 115
(0) User-Name = " user_rsa "
(0) User-Password = "xxxxx"
(0) NAS-Port = 1
(0) NAS-Port-Id = "tty1"
(0) NAS-Port-Type = Virtual
(0) Calling-Station-Id = "a.b.c.d"
(0) NAS-IP-Address = e.f.g.h
(0) Event-Timestamp = "Aug 20 2015 17:34:04 CEST"
(0) Message-Authenticator = 0xc1a0732bc8b62562111e7479ca859ee0
(0) Proxy-State = 0x313339
(0) # Executing section authorize from file /opt/freeradius-3.0.9/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = " user_rsa ", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) sql1: EXPAND %{User-Name}
(0) sql1: --> user_rsa
(0) sql1: SQL-User-Name set to 'a0327_rsa'
rlm_sql (sql1): Reserved connection (1)
(0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql1: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' user_rsa ' ORDER BY id
(0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = ' user_rsa ' ORDER BY id
(0) sql1: User found in radcheck table
(0) sql1: Conditional check items matched, merging assignment check items
(0) sql1: Expiration := "Dec 30 2035 00:00:00 CET"
(0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql1: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = ' user_rsa ' ORDER BY id
(0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = ' user_rsa ' ORDER BY id
(0) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql1: --> SELECT groupname FROM radusergroup WHERE username = ' user_rsa ' ORDER BY priority
(0) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = ' user_rsa ' ORDER BY priority
(0) sql1: User found in the group table
(0) sql1: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id
(0) sql1: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Rebontux_RSA' ORDER BY id
(0) sql1: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Rebontux_RSA' ORDER BY id
(0) sql1: Group "Rebontux_RSA": Conditional check items matched
(0) sql1: Group "Rebontux_RSA": Merging assignment check items
(0) sql1: Auth-Type := PAMRSA
(0) sql1: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{sql1-SQL-Group}' ORDER BY id
(0) sql1: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Rebontux_RSA' ORDER BY id
(0) sql1: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Rebontux_RSA' ORDER BY id
(0) sql1: Group "Rebontux_RSA": Merging reply items
(0) sql1: Service-Type = Authenticate-Only
rlm_sql (sql1): Released connection (1)
rlm_sql (sql1): 0 of 6 connections in use. Need more spares
rlm_sql (sql1): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on radiustux1-a.l.infra via TCP/IP, server version 5.6.24-enterprise-commercial-advanced-log, protocol version 10
(0) [sql1] = ok
(0) expiration: Account will expire at 'Dec 30 2035 00:00:00 CET'
(0) [expiration] = ok
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = PAMRSA
(0) # Executing group from file /opt/freeradius-3.0.9/etc/raddb/sites-enabled/default
(0) Auth-Type PAMRSA {
(0) pam-rsa: Using pamauth string "rsasecurid" for pam.conf lookup
(0) pam-rsa: ERROR: pam_authenticate failed: Authentication failure
(0) [pam-rsa] = reject
(0) } # Auth-Type PAMRSA = reject
(0) Failed to authenticate the user
(0) Login incorrect (pam-rsa: pam_authenticate failed: Authentication failure): [ user_rsa ]
(0) Using Post-Auth-Type Reject
My error in rsa.log:
unknow user ' user_rsa '
--
Eric TANGUY
Networks and Infrastructure
IT DTI
1, rue Louis Lichou
29480 Le Relecq-Kerhuon
www.arkea.com
T. +33(0)298003671
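To make the realm-splitting behaviour behind this question concrete, here is an added Python model of how a FreeRADIUS rlm_realm instance splits User-Name at a delimiter, looks the realm part up in the proxy.conf realm table, and only then strips the name. It is not FreeRADIUS code and is not from the original post; the REALMS table, the Request class, run_authorize() and effective_user() are assumptions chosen to mirror the post's `realm rsa` block and the order of the realm instances in its authorize section.

```python
"""Model of how rlm_realm decides whether User-Name gets stripped.

Constructed teaching model, not FreeRADIUS source. The realm table,
Request, run_authorize() and effective_user() are assumptions that
mirror the post's proxy.conf and authorize section."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for proxy.conf. "LOCAL" means: authenticate on this
# server, do not proxy (the post's `realm rsa { authhost = LOCAL }`).
REALMS = {
    "rsa": {"authhost": "LOCAL", "nostrip": False},
}


@dataclass
class Request:
    user_name: str
    stripped_user_name: Optional[str] = None
    realm: Optional[str] = None
    proxy_to: Optional[str] = None
    log: list = field(default_factory=list)


def realm_module(req: Request, instance: str, fmt: str, delimiter: str,
                 realms: dict = REALMS) -> str:
    """One rlm_realm instance: fmt is "suffix" or "prefix", delimiter a
    single character. Returns a modelled module return code."""
    # A later instance must not re-split a name an earlier one already stripped.
    if req.stripped_user_name is not None:
        req.log.append(f"{instance}: request already has a realm")
        return "noop"
    name = req.user_name
    if fmt == "suffix":
        idx = name.rfind(delimiter)      # suffix: split at the LAST delimiter
    else:
        idx = name.find(delimiter)       # prefix: split at the FIRST delimiter
    if idx < 0:
        req.log.append(f"{instance}: no '{delimiter}' in User-Name, looking up realm NULL")
        return "noop"
    if fmt == "suffix":
        user, realm_name = name[:idx], name[idx + 1:]
    else:
        realm_name, user = name[:idx], name[idx + 1:]
    # Unknown realm: nothing is stripped, so the full User-Name reaches the
    # authentication module (the symptom in the post's rsa.log).
    entry = realms.get(realm_name) or realms.get("DEFAULT")
    if entry is None:
        req.log.append(f'{instance}: no such realm "{realm_name}"')
        return "noop"
    req.realm = realm_name
    if not entry["nostrip"]:
        req.stripped_user_name = user
    if entry["authhost"] != "LOCAL":
        req.proxy_to = entry["authhost"]
    req.log.append(f'{instance}: realm "{realm_name}", stripped user "{user}"')
    return "updated"


def run_authorize(user_name: str, realms: dict = REALMS) -> Request:
    """Run the realm instances in the order the post's authorize section
    implies: the stock `suffix` (@), then `underscore` (_), then `arobase` (@)."""
    req = Request(user_name=user_name)
    for instance, fmt, delim in (("suffix", "suffix", "@"),
                                 ("underscore", "suffix", "_"),
                                 ("arobase", "suffix", "@")):
        realm_module(req, instance, fmt, delim, realms)
    return req


def effective_user(req: Request) -> str:
    """Name an authentication module should use: the stripped name when a
    realm matched, otherwise the original User-Name unchanged."""
    return req.stripped_user_name if req.stripped_user_name is not None else req.user_name


if __name__ == "__main__":
    # Constructed sample names, including the whitespace-wrapped form the
    # post's radius.log prints.
    for name in ("user_rsa", " user_rsa ", "user@rsa", "user_nowhere"):
        r = run_authorize(name)
        print(f"{name!r:14} -> realm={r.realm!r:8} effective user={effective_user(r)!r}")
        for line in r.log:
            print("    ", line)
```

The cases show that `user_rsa` becomes `user` only when a realm named `rsa` exists in the table and the instance with the `_` delimiter actually runs, that a name with surrounding whitespace looks up the realm `"rsa "` and is left intact, and that an unknown realm leaves the full name in place. On a real server the equivalent check is to run `radiusd -X` and look for a `Stripped-User-Name` attribute and a line from your `underscore` instance in the authorize output; in the log quoted above only the stock `suffix` instance reports, which is the first thing to confirm.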