Roberto Franceschetti wrote:
I'm having some issues authenticating iOS clients (with FreeRADIUS v2.1.10 installed on a Ubuntu server) with EAP-TLS when the username contains a domain name in the form of Domain\Username (the account is in Active Directory).
I think the issue is caused by the fact that the final Access-Accept reply has the backslash after the domain name escaped, so that the output looks like this:
Sending Access-Accept of id 171 to 172.27.28.84 port 32769 User-Name = "ocg\\cmctrf3"
instead of containing the original, un-escaped domain\username:
Sending Access-Accept of id 171 to 172.27.28.84 port 32769 User-Name = "ocg\cmctrf3"
No. The escaping is done when the string is *printed*. It sends just one '\' in the Access-Accept. Use wireshark to check.
Mine is just a theory, but I cannot verify it until I figure out how to have the un-escaped ocg\cmctrf3 string being sent in the output instead of the current escaped one. So my question is "how do I cause the User-Name to be send un-escaped? Do I make a change in the clients.con file...? The eap.conf file...? If so, under which section and where..? Sorry for what may look like a dumb question, but I could not find this mentioned anywhere else.
You don't "unescape" anything. The server sends the correct User-Name. It Does the Right Thing.
As a side-note, if I omit the domain name in the iOS device and just login with the username "cmctrf3" for example, the iPhones/iPads are able to login without problems. The issue only occurs when the domain name appears before escaped. All other devices (Windows and Mac desktops) seem to be able to get past that escaped sequence without problems.
So the issue is the domain name. NOT the escaping. You THINK it's the escaping, but you're not really sure.
Below is a blurb showing the debug output. I do see the un-escaped ocg\cmctrf3 being logged,
No. That's a debug message, which isn't logging, and doesn't affect anything.
Login OK: [ocg\\cmctrf3] (from client 172.27.28.84 port 29 cli f0-cb-a1-2b-61-4d) # Executing section post-auth from file /etc/freeradius/clients.conf +- entering group post-auth {...} ++[exec] returns noop } # server lwap-clients Sending Access-Accept of id 171 to 172.27.28.84 port 32769 MS-MPPE-Recv-Key = 0x15c9ba070e3579e43c54314c24e7e09f4753c779e4e013b4bbd080a2cab4bbb2 MS-MPPE-Send-Key = 0x4f27c90c8fdf27be122e70c2c4d82bebd65797dafebe2ebb4ca91bedfd244cb5 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ocg\\cmctrf3"
Well... if the server is sending Access-Accept and the user doesn't get online... nothing is going wrong with FreeRADIUS. Alan DeKok.