On Jan 12, 2020, at 5:48 AM, Stuart Ramdeen <stuart@crossover.solutions> wrote:
I would be grateful for some pointers with an issue I am experiencing at a customer's site. I need to strip the domain part of the username that users are authenticating with.
Note: do NOT change the User-Name. It WILL break everything.
For example, a user will type in bob@example.com during authentication to the wireless network, but the username at the backend in the directory system is just 'bob'. I know that this is a common request of freeradius and I have tried to configure it in the conf files, but clearly I am not doing something correctly. I can't seem to get the 'Stripped-User-Name' to be used where I expect it.
The default configuration works. All you do is add "example.com" in proxy.conf as a LOCAL realm, and everything will just work.
sh-3.2# radiusd -X radiusd: FreeRADIUS Version 2.2.9, for host i386-apple-darwin13.0, built on
That's been EOL for many, many, years. I suggest moving to v3. Or at least 2.2.10.
Ready to process requests. rad_recv: Access-Request packet from host 192.168.236.44 port 1815, id=240, length=225 User-Name = "radiustest@example.co.uk"
Note: this is the full name.
EAP-Message = 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
And EAP. The above line *also* contains the full user name.
Aruba-Essid-Name = "school" Aruba-Location-Id = "ICT-TEST" Aruba-AP-Group = "test" Message-Authenticator = 0xcb3673c30e1a008614b794492d7bdc13 Proxy-State = 0x3230 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "example.co.uk" for User-Name = " radiustest@example.co.uk" [suffix] Found realm "example.co.uk" [suffix] Adding Stripped-User-Name = "radiustest" [suffix] Adding Realm = "example.co.uk" [suffix] Proxying request from user radiustest to realm example.co.uk [suffix] Preparing to proxy authentication request to realm "example.co.uk" ++[suffix] = updated
That's all fine, except for the proxying bit.
[eap] Request is supposed to be proxied to Realm example.co.uk. Not doing EAP. ++[eap] = noop ++[files] = noop [opendirectory] The host 192.168.236.44 does not have an access group. [opendirectory] User radiustest exists in OD [opendirectory] User radiustest is a member of the RADUIS SACL [opendirectory] Setting Auth-Type = opendirectory ++[opendirectory] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 175 to 127.0.0.1 port 1812 User-Name = "radiustest"
There's the issue. The User-Name shouldn't be mangled during proxying.
... Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 175 to 127.0.0.1 port 1812 ... Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=175, length=211 User-Name = "radiustest"
Uh... what? Why are is the server proxying the packet to itself? This isn't necessary. There's just no need to make the configuration this complex. Change the proxy.conf config to have: realm example.co.uk { } The server will treat "example.co.uk" as a local realm, and do authentication itself. It will work. Alan DeKok.