Authorize section not getting called
Michael Sartain
mikesart at fastmail.com
Fri Feb 2 16:37:15 CET 2018
On Thu, Feb 1, 2018, at 10:27 PM, Michael Sartain wrote:
> On Thu, Feb 1, 2018, Nathan Ward wrote:
> > Usual expectation is that you show a radius debug with the packets being
> > processed.
> > The one you have pasted only shows the process starting up and config
> > being parsed and such. You’ve sort of included some of that debug under
> > (A) and (B) sections so you’ve definitely got it, but for some reason
> > you haven’t posted it. If you could post the whole thing, people can
> > likely help you more.
>
> Apologies, entire "radiusd -X" output from radclient executions are below.
>
> I get what's going on with everything except the part that I marked:
>
> ## Mike: where could this Login incorrect be coming from?
>
> From what I can tell, group authorize was never called, so who/what/where is
> nacking this username?

Ok, figured it out. Synology has customized their version of radius.

https://sourceforge.net/projects/dsgpl/files/Packages/DSM%205.2%20Package%20Release/

rad_authenticate() in src/main/auth.c has an added call to CheckAuth(), which
winds up doing this:

    // local only, ad only, ldap only, "ad + local" ad part
    if (0 > SYNOUserGet(szFullNameUser, ppUser)) {
        radlog(L_ERR, "Login incorrect: Incorrect user name (input name [%s], full name [%s])", szUserName, szFullNameUser);
        goto End;
    }

I'm no expert on freeradius, but I'm pretty sure this could have been handled
in a more standardized / transparent way. Oh, well.
-Mike