Realm Strip

Alan DeKok aland at deployingradius.com
Wed Sep 9 16:01:59 CEST 2015


On Sep 9, 2015, at 9:48 AM, Dennis Xu <dxu at uoguelph.ca> wrote:

> This is our setup: we put a FreeRadius version 2.1.10 on Ubuntu in front of the Cisco ACS 5 and we need the FreeRadius to strip the suffix starting from @ and just pass the username to ACS 5 for authentication(with AD). We use PEAP MS-CHAPv2.

  It will not work.

> It did not work.

  See?

> ACS5 still sees the whole username(i.e, dxu at uoguelph.ca) with the suffix.
> 
> I added the following to the proxy.conf file:
> realm uoguelph.ca {
>        type = radius
>        authhost = acs5-test2.uoguelph.ca:1812
>        accthost = acs5-test2.uoguelph.ca:1813
>        secret = testing123
> }

  You didn't tell it to strip the User-Name.

  Even if you had done that, you probably would discover that there are other issues preventing it from working.  Playing games with EAP identifiers is a losing proposition.

> Did I miss anything?

  Debug output, as suggested in the FAQ, "man" page, web pages, and daily on this list?

> Does FreeRadius strip the realm for both inner and outer IDs for peap authentication?

  If you tell it to.

  And doing so will break EAP.

  So... WHY do you need to do this?  Why not just use FreeRADIUS and Samba to talk to Active Directory?

  Or, configure ACS so that it does it's job correctly.  It should be able to strip the realms itself.  If it can't, throw it in the garbage and use FreeRADIUS.

  Alan DeKok.




More information about the Freeradius-Users mailing list