Strange behaviour (?) on Windows authentication

Arnaud Forster arnaud.forster at mwprog.ch
Thu May 17 08:30:41 CEST 2018


OK, it seems that 5c is the hex notation for the character \

but is it normal that my string "MyDomain\\MyUserName" becomes, before 
testing, "MyDomain\5c5cMyUserName"?

Thanks to all :)


On 17.05.2018 at 08:23, Arnaud Forster wrote:
> Hello all,
>
> I requested a few months ago some help about allowing some specific 
> users to connect on specific wifi systems. I received some 
> great help by adding a test to check if the user belongs to the 
> specific group. This works like a charm for computers *not* belonging 
> to the ldap domain. Today, I have another problem with that 
> authentication for a computer belonging to the ldap domain. I made a 
> log and there's something I don't understand.
>
> the username is there and correct (MyUserName), but suddenly, before 
> checking if it belongs to the group 'Enseignants' here, the text 
> '5c5c' is added to my username. It seems that this is the text 
> 5c5cMyUserName that is checked instead of MyUserName.
>
> Can someone understand that? I have no idea where this '5c5c' text 
> comes from and why this works for computers not belonging to the 
> domain...
>
> Really thanks for your help ;)
>
> Arnaud
>
>
> (1) Received Access-Request Id 193 from <a wifi system> length 219
> (1)   User-Name = "MyDomain\\MyUserName"
> (1)   NAS-IP-Address = 10.20.32.34
> (1)   Called-Station-Id = "00-19-3B-10-8C-00:MyDomain"
> (1)   NAS-Port-Type = Wireless-802.11
> (1)   Service-Type = Framed-User
> (1)   Calling-Station-Id = "DC-53-60-A5-19-50"
> (1)   Connect-Info = "CONNECT 0Mbps 802.11b"
> (1)   Acct-Session-Id = "929C1E7D46CDEAD7"
> (1)   Acct-Multi-Session-Id = "D8478D373078FF2E"
> (1)   WLAN-Pairwise-Cipher = 1027076
> (1)   WLAN-Group-Cipher = 1027074
> (1)   WLAN-AKM-Suite = 1027073
> (1)   Framed-MTU = 1400
> (1)   EAP-Message = 0x02a800130145534d415c6c656f6e617264696d
> (1)   Message-Authenticator = 0xa790b757b6ea900d68132242a39287d3
> (1) # Executing section authorize from file 
> /etc/raddb/sites-enabled/default
> (1)   authorize {
> (1)     policy rewrite_called_station_id {
> (1)       if (&Called-Station-Id && (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) 
> {
> (1)       if (&Called-Station-Id && (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) 
> -> TRUE
> (1)       if (&Called-Station-Id && (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) 
> {
> (1)         update request {
> (1)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
> (1)              --> 00-19-3B-10-8C-00
> (1)           &Called-Station-Id := 00-19-3B-10-8C-00
> (1)         } # update request = noop
> (1)         if ("%{8}") {
> (1)         EXPAND %{8}
> (1)            --> MyDomain
> (1)         if ("%{8}")  -> TRUE
> (1)         if ("%{8}")  {
> (1)           update request {
> (1)             EXPAND %{8}
> (1)                --> MyDomain
> (1)             &Called-Station-SSID := MyDomain
> (1)           } # update request = noop
> (1)         } # if ("%{8}")  = noop
> (1)         [updated] = updated
> (1)       } # if (&Called-Station-Id && (&Called-Station-Id =~ 
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) 
> = updated
> (1)       ... skipping else: Preceding "if" was taken
> (1)     } # policy rewrite_called_station_id = updated
> (1)     switch &Called-Station-SSID {
> (1)       case MyDomain{
> (1)         if (&LDAP-Group != "Enseignants") {
> (1)         Searching for user in group "Enseignants"
> rlm_ldap (ldap): Reserved connection (1)
> (1)         EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (1)            --> (uid=MyDomain\5c5cMyUserName)
> (1)         Performing search in "dc=MyDomain,dc=lan" with filter 
> "(uid=MyDomain\5c5cMyUserName)", scope "sub"
> (1)         Waiting for search result...
> (1)         Search returned no results
> rlm_ldap (ldap): Released connection (1)
> (1)         if (&LDAP-Group != "Enseignants")  -> TRUE
> (1)         if (&LDAP-Group != "Enseignants")  {
> (1)           [reject] = reject
> (1)         } # if (&LDAP-Group != "Enseignants")  = reject
> (1)       } # case MyDomain= reject
> (1)     } # switch &Called-Station-SSID = reject
> (1)   } # authorize = reject
> (1) Using Post-Auth-Type Reject
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1)   Post-Auth-Type REJECT {
> (1) attr_filter.access_reject: EXPAND %{User-Name}
> (1) attr_filter.access_reject:    --> MyDomain\\MyUserName
> (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (1)     [attr_filter.access_reject] = updated
> (1) eap: Request was previously rejected, inserting EAP-Failure
> (1) eap: Sending EAP Failure (code 4) ID 168 length 4
> (1)     [eap] = updated
> (1)     policy remove_reply_message_if_eap {
> (1)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (1)       else {
> (1)         [noop] = noop
> (1)       } # else = noop
> (1)     } # policy remove_reply_message_if_eap = noop
> (1)   } # Post-Auth-Type REJECT = updated
> (1) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (1) Sending delayed response
> (1) Sent Access-Reject Id 193 from 10.20.32.11:1812 to 
> 10.20.32.34:36521 length 44
> (1)   EAP-Message = 0x04a80004
> (1)   Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 1.3 seconds.
> (0) Cleaning up request packet ID 192 with timestamp +3
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
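As an added worked example (not code from the thread and not FreeRADIUS's own rlm_ldap code), here is the escaping the poster is looking at. RFC 4515 requires `*`, `(`, `)`, `\` and NUL inside a filter assertion value to be written as a backslash followed by two hex digits, so one backslash becomes `\5c`, and a value that is escaped a second time turns that `\5c` into `\5c5c`, which is the shape in the debug output above (the debug printer shows a single backslash in an attribute as `\\`). The example also shows why the escaping is not optional (an unescaped identity could rewrite the filter) and what the thread's xlat `(uid=%{%{Stripped-User-Name}:-%{User-Name}})` produces once a realm module has set Stripped-User-Name. The `strip_ntdomain` helper is this example's own approximation of the ntdomain realm format, not the FreeRADIUS implementation; the inputs are constructed from the thread's anonymised attribute values; and nothing here establishes why the poster's server produced a doubly escaped value.

```python
from typing import Optional, Tuple

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by the two-hex-digit byte value.
RFC4515_SPECIAL = frozenset("*()\\\x00")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter.

    A backslash becomes \\5c, so escaping an already escaped value turns
    \\5c into \\5c5c, the shape seen in the thread's debug output.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in RFC4515_SPECIAL else ch
        for ch in value
    )


def strip_ntdomain(user_name: str) -> Tuple[Optional[str], str]:
    """Split a DOMAIN\\user identity into (domain, user).

    Assumption: this approximates what a realm module using the ntdomain
    format does when it sets Stripped-User-Name; it is not FreeRADIUS code.
    """
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return None, user_name
    return domain, user


def build_uid_filter(user_name: str,
                     stripped_user_name: Optional[str] = None) -> str:
    """Build (uid=...) the way the thread's xlat does:
    %{%{Stripped-User-Name}:-%{User-Name}} prefers the stripped name and
    falls back to the full User-Name. The value is escaped exactly once.
    """
    value = stripped_user_name if stripped_user_name else user_name
    return "(uid=%s)" % escape_filter_value(value)


if __name__ == "__main__":
    # Constructed input modelled on the thread's User-Name attribute:
    # one real backslash (the debug log prints it doubled).
    user_name = "MyDomain\\MyUserName"

    # One correct escape: (uid=MyDomain\5cMyUserName)
    print(build_uid_filter(user_name))

    # Escaped twice, matching the log: (uid=MyDomain\5c5cMyUserName)
    print("(uid=%s)" % escape_filter_value(escape_filter_value(user_name)))

    # With Stripped-User-Name set by a realm module: (uid=MyUserName)
    domain, user = strip_ntdomain(user_name)
    print(build_uid_filter(user_name, user))

    # Why escaping is mandatory: a crafted identity can no longer close the
    # assertion and add its own: (uid=\2a\29\28uid=\2a)
    print(build_uid_filter("*)(uid=*"))
```

Two practical consequences follow from the xlat in the log: the filter only ever searches for `uid=MyUserName` if something earlier in `authorize` has set Stripped-User-Name, and a search for a uid containing the escaped domain prefix cannot match unless the directory actually stores uid values with that prefix. Comparing the `EXPAND` line in the debug output against the single-escape form above is a quick way to tell whether the value reaching LDAP has been escaped once or twice.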


