<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">I’m playing around with CUI generation with FreeRADIUS 2.2.0 and discovered something odd.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">In policy.conf I’ve set cui_require_operator_name = 1 and cui_hash_key = "4c2982f2f3b1dc4804994cf386db8c0a34d4ab2a". As you can see it’s a 32-character string and it looks like a hash.
<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">In radiusd –X output I get this:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ready to process requests.<o:p></o:p></p>
<p class="MsoNormal">rad_recv: Access-Request packet from host 192.168.126.155 port 1814, id=17, length=113<o:p></o:p></p>
<p class="MsoNormal"> User-Name = "steve@diamond.ac.uk"<o:p></o:p></p>
<p class="MsoNormal"> User-Password = "testing"<o:p></o:p></p>
<p class="MsoNormal"> NAS-IP-Address = 127.0.0.1<o:p></o:p></p>
<p class="MsoNormal"> NAS-Port = 0<o:p></o:p></p>
<p class="MsoNormal"> Message-Authenticator = 0x80a453196d15a8e68ba13642ba725b24<o:p></o:p></p>
<p class="MsoNormal"> Proxy-State = 0x30<o:p></o:p></p>
<p class="MsoNormal"> Operator-Name = "1camford.ac.uk"<o:p></o:p></p>
<p class="MsoNormal"> Chargeable-User-Identity = ""<o:p></o:p></p>
<p class="MsoNormal"> Proxy-State = 0x313630<o:p></o:p></p>
<p class="MsoNormal"># Executing section authorize from file /etc/raddb/sites-enabled/default<o:p></o:p></p>
<p class="MsoNormal">+- entering group authorize {...}<o:p></o:p></p>
<p class="MsoNormal">++? if (!(User-Name =~ /@/))<o:p></o:p></p>
<p class="MsoNormal">?? Evaluating (User-Name =~ /@/) -> TRUE<o:p></o:p></p>
<p class="MsoNormal">? Converting !TRUE -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (!(User-Name =~ /@/)) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@$/)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@$/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@$/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@.+?@/)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@.+?@/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@.+?@/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@[\\.-]/)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@[\\.-]/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@.+?[\\.-]$/)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@[^\\.]+$/)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@[^\\.]+$/) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@.+?\\.\\./)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@.+?\\.\\./) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@myabc\\.com$/i)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@\\.?ac\\.uk$/i)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@\\.?ac\\.uk$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@\\.?ac\\.uk$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@.+?\\.ax\\.uk$/i)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (User-Name =~ /@.+?\\.ax\\.uk$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++? if (User-Name =~ /@.+?\\.ax\\.uk$/i) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">++[preprocess] returns ok<o:p></o:p></p>
<p class="MsoNormal">++[chap] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[mschap] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[digest] returns noop<o:p></o:p></p>
<p class="MsoNormal">[suffix] Looking up realm "diamond.ac.uk" for User-Name = "steve@diamond.ac.uk"<o:p></o:p></p>
<p class="MsoNormal">[suffix] Found realm "diamond.ac.uk"<o:p></o:p></p>
<p class="MsoNormal">[suffix] Adding Stripped-User-Name = "steve"<o:p></o:p></p>
<p class="MsoNormal">[suffix] Adding Realm = "diamond.ac.uk"<o:p></o:p></p>
<p class="MsoNormal">[suffix] Authentication realm is LOCAL.<o:p></o:p></p>
<p class="MsoNormal">++[suffix] returns ok<o:p></o:p></p>
<p class="MsoNormal">[eap] No EAP-Message, not doing EAP<o:p></o:p></p>
<p class="MsoNormal">++[eap] returns noop<o:p></o:p></p>
<p class="MsoNormal">[files] users: Matched entry steve at line 76<o:p></o:p></p>
<p class="MsoNormal">++[files] returns ok<o:p></o:p></p>
<p class="MsoNormal">++[expiration] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[logintime] returns noop<o:p></o:p></p>
<p class="MsoNormal">++[pap] returns updated<o:p></o:p></p>
<p class="MsoNormal">Found Auth-Type = PAP<o:p></o:p></p>
<p class="MsoNormal"># Executing group from file /etc/raddb/sites-enabled/default<o:p></o:p></p>
<p class="MsoNormal">+- entering group PAP {...}<o:p></o:p></p>
<p class="MsoNormal">[pap] login attempt with password "testing"<o:p></o:p></p>
<p class="MsoNormal">[pap] Using clear text password "testing"<o:p></o:p></p>
<p class="MsoNormal">[pap] User authenticated successfully<o:p></o:p></p>
<p class="MsoNormal">++[pap] returns ok<o:p></o:p></p>
<p class="MsoNormal"># Executing section post-auth from file /etc/raddb/sites-enabled/default<o:p></o:p></p>
<p class="MsoNormal">+- entering group post-auth {...}<o:p></o:p></p>
<p class="MsoNormal">++- entering policy cui_postauth {...}<o:p></o:p></p>
<p class="MsoNormal">+++? if (FreeRadius-Proxied-To == 127.0.0.1)<o:p></o:p></p>
<p class="MsoNormal"> (Attribute FreeRadius-Proxied-To was not found)<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (FreeRadius-Proxied-To == 127.0.0.1) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">+++? if (FreeRadius-Proxied-To == 127.0.0.1) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">+++- entering else else {...}<o:p></o:p></p>
<p class="MsoNormal">++++? if (!("%{control:Proxy-To-Realm}") && Chargeable-User-Identity && !(reply:Chargeable-User-Identity) && (Operator-Name || !("${policy.cui_require_operator_name}")) )<o:p></o:p></p>
<p class="MsoNormal"> expand: %{control:Proxy-To-Realm} -> <o:p></o:p></p>
<p class="MsoNormal">?? Evaluating ("%{control:Proxy-To-Realm}") -> FALSE<o:p></o:p></p>
<p class="MsoNormal">? Converting !FALSE -> TRUE<o:p></o:p></p>
<p class="MsoNormal">? Evaluating (Chargeable-User-Identity ) -> TRUE<o:p></o:p></p>
<p class="MsoNormal">?? Evaluating (reply:Chargeable-User-Identity) -> FALSE<o:p></o:p></p>
<p class="MsoNormal">? Converting !FALSE -> TRUE<o:p></o:p></p>
<p class="MsoNormal">?? Evaluating (Operator-Name ) -> TRUE<o:p></o:p></p>
<p class="MsoNormal">??? Skipping ("${policy.cui_require_operator_name}")<o:p></o:p></p>
<p class="MsoNormal">++++? if (!("%{control:Proxy-To-Realm}") && Chargeable-User-Identity &&!(reply:Chargeable-User-Identity) && (Operator-Name || !("${policy.cui_require_operator_name}")) ) -> TRUE<o:p></o:p></p>
<p class="MsoNormal">++++- entering if (!("%{control:Proxy-To-Realm}") && Chargeable-User-Identity &&!(reply:Chargeable-User-Identity) && (Operator-Name || !("${policy.cui_require_operator_name}")) ) {...}<o:p></o:p></p>
<p class="MsoNormal"> expand: %{md5:4c2982f2f3b1dc4804994cf386db8c0a34d4ab2a%{User-Name}%{%{Operator-Name}:-}} ->
<o:p></o:p></p>
<p class="MsoNormal">+++++[reply] returns noop<o:p></o:p></p>
<p class="MsoNormal">++++- if (!("%{control:Proxy-To-Realm}") && Chargeable-User-Identity && !(reply:Chargeable-User-Identity) && (Operator-Name || !("${policy.cui_require_operator_name}")) ) returns noop<o:p></o:p></p>
<p class="MsoNormal">+++- else else returns noop<o:p></o:p></p>
<p class="MsoNormal">++- policy cui_postauth returns noop<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As you can see, the expand: bit shows an empty value. Then I changed my cui_hash_key to “01234567890abcdef01234567890abcdef” and it did the same. However, when I set cui_hash_key to a hex string that was not 32 characters in length (“abcdef”
as an example), or a non-hex string of any length, it works ok. So I’m guessing here that if the cui_hash_key happens to be a string that is a potentially valid MD5 hash, the md5 operator in the CUI generation statement does nothing or barfs.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Working fragment:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">++++- entering if (!("%{control:Proxy-To-Realm}") && Chargeable-User-Identity &&!(reply:Chargeable-User-Identity) && (Operator-Name || !("${policy.cui_require_operator_name}")) ) {...}<o:p></o:p></p>
<p class="MsoNormal">expand: %{Operator-Name} -> 1camford.ac.uk<o:p></o:p></p>
<p class="MsoNormal">expand: abcdef%{User-Name}%{%{Operator-Name}:-} -> abcdefsteve@diamond.ac.uk1camford.ac.uk<o:p></o:p></p>
<p class="MsoNormal">expand: %{md5:abcdef%{User-Name}%{%{Operator-Name}:-}} -> 330a6f12e7152cb8888ef6aaa30b1aed<o:p></o:p></p>
<p class="MsoNormal">+++++[reply] returns noop<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If this is known already, then that’s fine (because it means you’ll probably fix it in the future). Just thought I’d flag this up. In the meanwhile I’ve changed my cui_hash_key to something non-hex to avoid this issue.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Stefan Paetow<o:p></o:p></p>
<p class="MsoNormal">Software Engineer<o:p></o:p></p>
<p class="MsoNormal">+44 1235 778812<o:p></o:p></p>
<p class="MsoNormal">Diamond Light Source Ltd.<o:p></o:p></p>
<p class="MsoNormal">Diamond House, Harwell Science and Innovation Campus<o:p></o:p></p>
<p class="MsoNormal">Didcot, Oxfordshire, OX11 0DE<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br><P align=justify> </P>
<P align=justify>-- </P>
<P align=justify>This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.<BR>Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. <BR>Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.<BR>Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom<BR> </P>
<br></body>
</html>