Need help with FreeRADIUS stripping NT domain name from usernames

Nazar Tareyev nazzartareev at mail.ru
Thu Aug 5 13:46:08 CEST 2021


Thank you. I have declared our domain in proxy.conf, then uncommented ntdomain in the default site, and now it seems that stripping the domain from the username works.
Regarding the EAP error, I will dig into it deeper. But interestingly, when you manually enter just the username, without the domain, no such error appears and authentication is successful. The EAP error only comes up when you enter DOMAIN\Username.




(9) Received Access-Request Id 140 from xx.xx.xx.xx:41261 to yy.yy.yy.yy:1812 length 286
(9)   User-Name = "DOMAIN\\username"
(9)   Chargeable-User-Identity = 0x32
(9)   Location-Capable = Civic-Location
(9)   Calling-Station-Id = "f8-28-19-5c-4e-cb"
(9)   Called-Station-Id = "00-27-e3-ff-c9-a0:FCB-STAFF2"
(9)   NAS-Port = 1
(9)   Cisco-AVPair = "audit-session-id=326e0a0a000183b1c8320961"
(9)   Acct-Session-Id = "610932c8/f8:28:19:5c:4e:cb/107533"
(9)   NAS-IP-Address = xx.xx.xx.xx
(9)   NAS-Identifier = "Cisco1832wlc"
(9)   Airespace-Wlan-Id = 8
(9)   Service-Type = Framed-User
(9)   Framed-MTU = 1300
(9)   NAS-Port-Type = Wireless-802.11
(9)   EAP-Message = 0x0205001119800000000715030300020230
(9)   State = 0x5dcb35125ece2cb03df2fa771ee55409
(9)   Message-Authenticator = 0x9090806a88afc430040d8c26502b54ed
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "DOMAIN\username", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\username"
(9) ntdomain: Found realm "DOMAIN"
(9) ntdomain: Adding Stripped-User-Name = "username"
(9) ntdomain: Adding Realm = "DOMAIN"
(9) ntdomain: Authentication realm is LOCAL
(9)     [ntdomain] = ok
(9) eap: Peer sent EAP Response (code 2) ID 5 length 17
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x5dcb35125ece2cb0
(9) eap: Finished EAP session with state 0x5dcb35125ece2cb0
(9) eap: Previous EAP request found for state 0x5dcb35125ece2cb0, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(9) eap_peap: Got complete TLS record (7 bytes)
(9) eap_peap: [eaptls verify] = length included
(9) eap_peap: <<< recv TLS 1.2  [length 0002]
(9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(9) eap_peap: ERROR: TLS_accept: Failed in error
(9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
(9) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(9) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(9) eap_peap: ERROR: System call (I/O) error (-1)
(9) eap_peap: ERROR: TLS receive handshake failed during operation
(9) eap_peap: ERROR: [eaptls process] = fail
(9) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(9) eap: Sending EAP Failure (code 4) ID 5 length 4
(9) eap: Failed in EAP select
(9)     [eap] = invalid
(9)   } # authenticate = invalid
(9) Failed to authenticate the user
(9) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [DOMAIN\username] (from client Cisco1832wlc port 1 cli f8-28-19-5c-4e-cb)
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   Post-Auth-Type REJECT {
(9) sql: EXPAND .query
(9) sql:    --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(9) sql: EXPAND %{User-Name}
(9) sql:    --> DOMAIN\\username
(9) sql: SQL-User-Name set to 'DOMAIN\\username'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(9) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'DOMAIN=5C=5Cusername', '', 'Access-Reject', '2021-08-03 18:13:02.825020')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'DOMAIN=5C=5Cusername', '', 'Access-Reject', '2021-08-03 18:13:02.825020')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.48-MariaDB, protocol version 10
(9)     [sql] = ok
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject:    --> DOMAIN\\username
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9)     [attr_filter.access_reject] = updated
(9)     [eap] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 140 from yy.yy.yy.yy:1812 to xx.xx.xx.xx:41261 length 44
(9)   EAP-Message = 0x04050004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(5) Cleaning up request packet ID 136 with timestamp +20
(6) Cleaning up request packet ID 137 with timestamp +20
(7) Cleaning up request packet ID 138 with timestamp +20
(8) Cleaning up request packet ID 139 with timestamp +20
(9) Cleaning up request packet ID 140 with timestamp +20
Ready to process requests

On Monday, 2 August 2021, 17:55:43 (+06:00), Alan DeKok wrote:

> On Aug 2, 2021, at 7:28 AM, Nazar Tareyev via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> > Are there any FreeRADIUS professionals or experienced admins here? I need help with stripping the domain name from the username. I've inherited this FreeRADIUS installation from the previous admin and am struggling to understand how it was configured in full. But as far as I can see, the stripping and policy config is pretty much default, nothing changed there.
> >
> > Users in our network use DOMAIN\Username format. When they log on with just username, authorization works as needed. When they use DOMAIN\Username, radius rejects login request.
>
> The rejection below is for a different reason. But you still have to fix the DOMAIN issue.
>
> > How do I configure FreeRADIUS to allow both username and DOMAIN\Username formats to be used? How do I strip DOMAIN\ from username?
>
> See the default configuration, which already does this:
>
> * list DOMAIN in proxy.conf, so that the server knows about it:
>
> DOMAIN {
> }
>
> * then edit sites-available/default. Look for "ntdomain". It should be listed after the "suffix" line. Uncomment "ntdomain".
>
> > ...
> > (9) eap_peap: <<< recv TLS 1.2 [length 0002]
> > (9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> > (9) eap_peap: ERROR: TLS_accept: Failed in error
> > (9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
> > (9) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
> > (9) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
>
> That's why authentication is failing. The client doesn't know about the server's CA certificate. Follow the docs to get EAP working. My site has lots of documentation: http://deployingradius.com
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
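As an added illustration that is not part of this thread and not FreeRADIUS code, the Python below models what the authorize section in the debug output above does with a User-Name: the default filter_username policy (the same regexes the log shows being evaluated), then the "suffix" realm instance, then "ntdomain". The REALMS dict stands in for proxy.conf, the extra example.com realm is an assumption added so the suffix path can be exercised, and "first realm instance to recognise a realm wins" is a simplification of how unlang walks the module list; the function names filter_username, rlm_realm and authorize are mine.

```python
"""Model of the default FreeRADIUS username handling shown in the debug log.

Added example for this thread, not FreeRADIUS code.  It re-implements the
default filter_username policy (the regexes in the authorize output above)
and an approximation of the two rlm_realm instances, "suffix" and
"ntdomain", so the effect of declaring DOMAIN in proxy.conf can be tried on
sample usernames without a RADIUS server.  Assumptions: the REALMS dict
stands in for proxy.conf; a realm without a home server is LOCAL; the first
realm instance that recognises a realm wins (a simplification of unlang).
"""
import re

# Stand-in for proxy.conf.  "DOMAIN { }" with no auth_pool is a LOCAL realm,
# which is what the log reports as "Authentication realm is LOCAL".
# example.com is an assumed extra realm so the suffix path can be shown too.
REALMS = {
    "DOMAIN": {"proxied": False},
    "example.com": {"proxied": False},
}


def filter_username(user_name):
    """Default filter_username policy; returns None or a reject reason.

    Checks run in the order the log shows; the reasons paraphrase the
    Reply-Message strings of the stock policy.
    """
    checks = [
        (re.search(r" ", user_name), "User-Name contains whitespace"),
        (re.search(r"@[^@]*@", user_name), "User-Name contains multiple @"),
        (re.search(r"\.\.", user_name), "User-Name contains .."),
        ("@" in user_name and not re.search(r"@(.+)\.(.+)$", user_name),
         "Realm does not have at least one dot separator"),
        (re.search(r"\.$", user_name), "User-Name ends with ."),
        (re.search(r"@\.", user_name), "User-Name contains @."),
    ]
    for hit, reason in checks:
        if hit:
            return reason
    return None


def rlm_realm(user_name, fmt, delim):
    """Approximation of one rlm_realm instance.

    fmt "suffix" splits on the last delimiter (user@realm), "prefix" on the
    first (REALM\\user).  Returns (rcode, attrs) where attrs holds the
    attributes the real module adds: Stripped-User-Name, Realm and, for a
    proxied realm, Proxy-To-Realm.
    """
    if fmt == "suffix":
        head, sep, tail = user_name.rpartition(delim)
        realm_name, username = (tail, head) if sep else ("NULL", user_name)
    else:
        head, sep, tail = user_name.partition(delim)
        realm_name, username = (head, tail) if sep else ("NULL", user_name)

    # No delimiter -> the module looks for a realm literally named "NULL";
    # the log shows that lookup failing ("No such realm \"NULL\"").
    realm = REALMS.get(realm_name)
    if realm is None:
        return "noop", {}
    attrs = {"Stripped-User-Name": username, "Realm": realm_name}
    if realm["proxied"]:
        attrs["Proxy-To-Realm"] = realm_name
    return "ok", attrs


def authorize(user_name):
    """filter_username, then suffix, then ntdomain, as in sites-enabled/default."""
    reason = filter_username(user_name)
    if reason:
        return {"result": "reject", "reason": reason, "module": "filter_username"}
    for module, fmt, delim in (("suffix", "suffix", "@"),
                               ("ntdomain", "prefix", "\\")):
        rcode, attrs = rlm_realm(user_name, fmt, delim)
        if rcode == "ok":
            return {"result": "ok", "module": module, **attrs}
    # No realm matched: User-Name is passed on unchanged, which is what
    # happened before DOMAIN was listed in proxy.conf.
    return {"result": "ok", "module": None, "Stripped-User-Name": None,
            "Realm": None}


if __name__ == "__main__":
    # Constructed sample names, including the one from the log.
    for name in ["DOMAIN\\username", "username", "OTHER\\username",
                 "user@example.com", "user@localhost", "first last"]:
        print(f"{name!r:>22} -> {authorize(name)}")
```

Running it shows the two states the thread describes: with DOMAIN known, "DOMAIN\username" yields Stripped-User-Name "username" and Realm "DOMAIN" from ntdomain; an unknown prefix such as "OTHER\username" leaves User-Name untouched, so the backend is asked about the literal "OTHER\username". None of this touches the PEAP failure: the "TLS Alert read:fatal:unknown CA" line is an alert the server read from the supplicant, i.e. the client rejecting the server certificate, and no realm setting changes that. Separately, the post-auth SQL lines show rlm_sql writing the username into radpostauth with the backslash hex-escaped (=5C), so searches of that table for this failed login need the escaped form.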