<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 2, 2014 at 9:52 AM, Heiko O <span dir="ltr"><<a href="mailto:puettagoras@gmail.com" target="_blank">puettagoras@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello all,<br>
<br>
i have two question on realms:<br>
<br>
Authenication works fine when Users only enter "username",but i want<br>
the users to login with something like "<a href="mailto:username@thedomain.net">username@thedomain.net</a>". But<br>
when doing this i get<br>
<br></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
(0) preprocess : --> testuser<br>
(0) [preprocess] = ok<br>
(0) [chap] = noop<br>
(0) mschap : Found MS-CHAP attributes. Setting 'Auth-Type = mschap'<br>
(0) [mschap] = ok<br>
(0) [digest] = noop<br>
(0) suffix : Checking for suffix after "@"<br>
(0) suffix : No '@' in User-Name = "testuser", looking up realm NULL<br>
(0) suffix : No such realm "NULL"<br>
(0) [suffix] = noop<br>
(0) eap : No EAP-Message, not doing EAP<br>
(0) [eap] = noop<br>
(0) sql : EXPAND %{User-Name}<br>
(0) sql : --> testuser<br>
(0) sql : SQL-User-Name set to 'testuser'<br>
rlm_sql (sql): Reserved connection (4)<br>
(0) sql : EXPAND SELECT id, UserName, Attribute, Value, Op FROM<br>
radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id<br>
(0) sql : --> SELECT id, UserName, Attribute, Value, Op FROM<br>
radcheck WHERE Username = 'testuser' ORDER BY id<br>
rlm_sql (sql): Executing query: 'SELECT id, UserName, Attribute,<br>
Value, Op FROM radcheck WHERE Username = 'testuser' ORDER BY id'<br>
rlm_sql_postgresql: Status: PGRES_TUPLES_OK<br>
rlm_sql_postgresql: query affected rows = 1 , fields = 5<br>
(0) sql : User found in radcheck table<br>
(0) sql : Check items matched<br>
(0) sql : EXPAND SELECT id, UserName, Attribute, Value, Op FROM<br>
radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id<br>
(0) sql : --> SELECT id, UserName, Attribute, Value, Op FROM<br>
radreply WHERE Username = 'testuser' ORDER BY id<br>
rlm_sql (sql): Executing query: 'SELECT id, UserName, Attribute,<br>
Value, Op FROM radreply WHERE Username = 'testuser' ORDER BY id'<br>
rlm_sql_postgresql: Status: PGRES_TUPLES_OK<br>
rlm_sql_postgresql: query affected rows = 2 , fields = 5<br>
(0) sql : User found in radreply table<br>
(0) sql : EXPAND SELECT GroupName FROM radusergroup WHERE<br>
UserName='%{SQL-User-Name}' ORDER BY priority<br>
(0) sql : --> SELECT GroupName FROM radusergroup WHERE<br>
UserName='testuser' ORDER BY priority<br>
rlm_sql (sql): Executing query: 'SELECT GroupName FROM radusergroup<br>
WHERE UserName='testuser' ORDER BY priority'<br>
rlm_sql_postgresql: Status: PGRES_TUPLES_OK<br>
rlm_sql_postgresql: query affected rows = 0 , fields = 1<br>
(0) sql : User not found in any groups<br>
rlm_sql (sql): Released connection (4)<br>
(0) [sql] = ok<br>
(0) [expiration] = noop<br>
(0) [logintime] = noop<br>
(0) } # authorize = ok<br>
(0) Found Auth-Type = MSCHAP<br>
(0) # Executing group from file /etc/raddb/sites-enabled/default<br>
(0) Auth-Type MS-CHAP {<br>
(0) mschap : Found Cleartext-Password, hashing to create LM-Password<br>
(0) mschap : Found Cleartext-Password, hashing to create NT-Password<br>
(0) mschap : Creating challenge hash with username: testuser<br>
(0) mschap : Client is using MS-CHAPv2<br>
(0) ERROR: mschap : MS-CHAP2-Response is incorrect<br>
(0) [mschap] = reject<br>
(0) } # Auth-Type MS-CHAP = reject<br>
(0) Failed to authenticate the user<br>
<br>
I did a lot of try-and-error with suffix ans Strip and configuring,<br>
but i can't get mschap to work.<br>
How can I teach mschap to work with "<a href="mailto:user@thedomain.net">user@thedomain.net</a>"?<br>
BTW: The radcheck-table contains simply "username" with no realms, and<br>
that cannot be changed.<br>
<br></blockquote><div>all my users must provide <a href="mailto:whatever@domain.com">whatever@domain.com</a>, and this is working fine. I don't use SQL but my backend password server is AD<br><br></div><div>I have this regex in my site-enabled/default authorized section <br>if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/i) {<br><br></div><div>So if user do not supply <a href="mailto:whatever@domain.com">whatever@domain.com</a> I just simply reject, there are number of discussion on this. <br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
The second question is about proxying. Since the is only one<br>
RADIUS-Server, proxying is not needed. I wonder if i really have to<br>
add a realm and proxy the request to localhost.<br>
Is there a way to say "Hey, just answer all queries with<br>
@<a href="http://thedomain.org" target="_blank">thedomain.org</a> and don't proxy it to yourself"?<br>
<br></blockquote><div>similarly, you can achieve this with regex as well.<br><br></div><div>if ( Realm == "<a href="http://thedomain.org">thedomain.org</a>") {<br></div><div> update control {<br></div><div> Proxy-To-Realm := LOCAL<br> }<br></div><br></div><div class="gmail_quote">else {<br>...<br></div><div class="gmail_quote">reject<br>}<br><br></div><div class="gmail_quote"><br></div><div class="gmail_quote"><br><br> <br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Thanks for your help and suggestions.<br>
Heiko<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</blockquote></div><br></div></div>