Strange behaviour (?) on Windows authentication

Arnaud Forster arnaud.forster at mwprog.ch
Thu May 17 08:23:21 CEST 2018


Hello all,

A few months ago I asked for some help with allowing only specific 
users to connect to specific wifi systems. I received some 
great help: adding a test to check whether the user belongs to a specific 
group. This works like a charm for computers *not* belonging to the LDAP 
domain. Today I have another problem with that authentication for a 
computer belonging to the LDAP domain. I made a log and there is 
something I don't understand.

The username is there and correct (MyUserName), but suddenly, before 
checking whether it belongs to the group 'Enseignants', the text '5c5c' 
is added to my username. It seems that it is the text 5c5cMyUserName 
that is checked instead of MyUserName.

Can someone understand that? I have no idea where this '5c5c' text 
comes from, and why this works for computers not belonging to the domain...

Many thanks for your help ;)

Arnaud


(1) Received Access-Request Id 193 from <a wifi system> length 219
(1)   User-Name = "MyDomain\\MyUserName"
(1)   NAS-IP-Address = 10.20.32.34
(1)   Called-Station-Id = "00-19-3B-10-8C-00:MyDomain"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Calling-Station-Id = "DC-53-60-A5-19-50"
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   Acct-Session-Id = "929C1E7D46CDEAD7"
(1)   Acct-Multi-Session-Id = "D8478D373078FF2E"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027074
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message = 0x02a800130145534d415c6c656f6e617264696d
(1)   Message-Authenticator = 0xa790b757b6ea900d68132242a39287d3
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy rewrite_called_station_id {
(1)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(1)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(1)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(1)         update request {
(1)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1)              --> 00-19-3B-10-8C-00
(1)           &Called-Station-Id := 00-19-3B-10-8C-00
(1)         } # update request = noop
(1)         if ("%{8}") {
(1)         EXPAND %{8}
(1)            --> MyDomain
(1)         if ("%{8}")  -> TRUE
(1)         if ("%{8}")  {
(1)           update request {
(1)             EXPAND %{8}
(1)                --> MyDomain
(1)             &Called-Station-SSID := MyDomain
(1)           } # update request = noop
(1)         } # if ("%{8}")  = noop
(1)         [updated] = updated
(1)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(1)       ... skipping else: Preceding "if" was taken
(1)     } # policy rewrite_called_station_id = updated
(1)     switch &Called-Station-SSID {
(1)       case MyDomain{
(1)         if (&LDAP-Group != "Enseignants") {
(1)         Searching for user in group "Enseignants"
rlm_ldap (ldap): Reserved connection (1)
(1)         EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1)            --> (uid=MyDomain\5c5cMyUsername)
(1)         Performing search in "dc=MyDomain,dc=lan" with filter "(uid=MyDomain\5c5cMyUserName)", scope "sub"
(1)         Waiting for search result...
(1)         Search returned no results
rlm_ldap (ldap): Released connection (1)
(1)         if (&LDAP-Group != "Enseignants")  -> TRUE
(1)         if (&LDAP-Group != "Enseignants")  {
(1)           [reject] = reject
(1)         } # if (&LDAP-Group != "Enseignants")  = reject
(1)       } # case MyDomain= reject
(1)     } # switch &Called-Station-SSID = reject
(1)   } # authorize = reject
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> MyDomain\\MyUserName
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1) eap: Request was previously rejected, inserting EAP-Failure
(1) eap: Sending EAP Failure (code 4) ID 168 length 4
(1)     [eap] = updated
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 193 from 10.20.32.11:1812 to 10.20.32.34:36521 length 44
(1)   EAP-Message = 0x04a80004
(1)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.3 seconds.
(0) Cleaning up request packet ID 192 with timestamp +3
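An added example, not part of the original post or of FreeRADIUS itself, showing what the filter in the log above is made of. Two facts are used: RFC 4515 requires a backslash (0x5c) inside an LDAP filter value to be written as `\5c`, and a domain-joined Windows supplicant sends its identity as `DOMAIN\user` while a non-joined one sends the bare user name. One assumption is labelled as such in the code: that the `\5c5c` in the log is the result of the same RFC 4515 escaping being applied twice to the single backslash in `MyDomain\MyUserName`; this reading is consistent with the log but has not been checked against the rlm_ldap source. The names `MyDomain` and `MyUserName` are the placeholders from the post; all function names are this example's own.

```python
"""Reproduce the '(uid=MyDomain\\5c5cMyUserName)' filter from the log and show
the two things that avoid it: escaping a filter value exactly once, and
stripping the NT-domain prefix before the value reaches the filter at all."""
import re

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_FILTER_SPECIALS = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Decode '\\XX' hex escapes the way an LDAP server reads a filter value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def split_nt_domain(user_name: str, delimiter: str = "\\"):
    """Prefix-style realm split: 'DOMAIN\\user' -> ('DOMAIN', 'user').

    A bare user name (what a non-domain-joined supplicant typically sends)
    comes back unchanged with realm None.
    """
    realm, sep, user = user_name.partition(delimiter)
    if not sep:
        return None, user_name
    return realm, user


def build_uid_filter(user_name: str, strip_domain: bool, escape_passes: int = 1) -> str:
    """Build '(uid=...)' from a RADIUS User-Name.

    strip_domain=True models the value a stripped user name would give.
    escape_passes=2 models the assumed double escaping behind the log's '\\5c5c';
    a correct pipeline escapes exactly once.
    """
    _, bare = split_nt_domain(user_name)
    value = bare if strip_domain else user_name
    for _ in range(escape_passes):
        value = escape_filter_value(value)
    return f"(uid={value})"


if __name__ == "__main__":
    # Constructed inputs matching the post's placeholders.
    joined = "MyDomain\\MyUserName"   # domain-joined machine: one real backslash
    standalone = "MyUserName"         # non-joined machine: no prefix at all

    print("escaped once :", build_uid_filter(joined, strip_domain=False))
    print("escaped twice:", build_uid_filter(joined, strip_domain=False, escape_passes=2))
    # What the directory actually compares uid against after decoding the filter:
    print("server sees  :", unescape_filter_value("MyDomain\\5c5cMyUserName"))
    print("stripped     :", build_uid_filter(joined, strip_domain=True))
    print("non-joined   :", build_uid_filter(standalone, strip_domain=False, escape_passes=2))
```

Run as a script it prints the once-escaped form `(uid=MyDomain\5cMyUserName)`, the twice-escaped form `(uid=MyDomain\5c5cMyUserName)` that appears in the log, and shows that the server decodes the latter to the literal string `MyDomain\5cMyUserName`, which no uid will ever match. The bare name from a non-joined machine contains nothing to escape, so it survives any number of passes, which matches the author's observation that those machines work. In FreeRADIUS the equivalent of `split_nt_domain` is the `ntdomain` instance of the realm module (`format = prefix`, `delimiter = "\\"` in mods-available/realm): listing it in `authorize` before the group check populates Stripped-User-Name, which the posted filter `%{%{Stripped-User-Name}:-%{User-Name}}` already prefers over User-Name.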


