On Sep 26, 2017, at 2:57 AM, hans.bornemann@tu-dortmund.de wrote:
the authentication fails because of the realm isn't stripped.
The realm is stripped. Please read the debug output.
the man page says: "by default the realm is stripped ..."
Quoting the documentation isn't helpful. We know what it says.
Tue Sep 26 08:33:47 2017 : Debug: (1) User-Name = "hans@telesec"
Please follow the documentation. EVERYTHING says to use "radiusd -X".
Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Checking for suffix after "@" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Looking up realm "telesec" for User-Name = "hans@telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Found realm "telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Adding Stripped-User-Name = "hans" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Adding Realm = "telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Authentication realm is LOCAL
See the word "Stripped" there? That's a hint that the realm is being stripped. And no, the User-Name attribute is *not* modified. That's a bad idea for a whole host of reasons.
Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling sql (rlm_sql) Tue Sep 26 08:33:47 2017 : Debug: %{User-Name} Tue Sep 26 08:33:47 2017 : Debug: Parsed xlat tree: Tue Sep 26 08:33:47 2017 : Debug: attribute --> User-Name Tue Sep 26 08:33:47 2017 : Debug: (1) sql: EXPAND %{User-Name} Tue Sep 26 08:33:47 2017 : Debug: (1) sql: --> hans@telesec Tue Sep 26 08:33:47 2017 : Debug: (1) sql: SQL-User-Name set to 'hans@telesec'
See the SQL configuration. For you, raddb/mods-config/sql/main/mysql/queries.conf Look for sql_user_name, and read the documentation. Alan DeKok.