I wouldn't be so sure /etc/etc wasn't updated. Have you gone back to your backup and compared all the files?? If you're not running eap I find the symlink in sites-enabled for inner-tunnel always comes back each time I patch. So I wouldn't be at all surprised if files got over written by updating core packages. If you have custom dictionaries they always seem to get messed up by patching too. On 30/12/2015 6:52 AM, "Migo Pod" <migopod@gmail.com> wrote:
In proxy.conf all of the defined realms have nostrip included, and the only thing I can find that explicitly rewrites anything is a directive in the NULL realm that sets Stripped-User-Name to mschap:User-Name when the User-Name matches a /host\/[^\.].(.+)/ regex, and that's been in there since at least 2013. I've tried removing that clause from the realm and it didn't appear to affect anything. Other than that, I can't find anything that sets User-Name to anything at all.
Of course things changed on the 16th when updates ran, but none of the files in /etc/raddb were modified since yum doesn't overwrite modified files, and the rpm chagnelogs aren't being particularly helpful.
Thanks, -mat
On Tue, Dec 29, 2015 at 10:59 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 29, 2015, at 11:39 AM, Migo Pod <migopod@gmail.com> wrote:
The change would have been whatever changed with yum-update, which ran
on
the 16th, and did include the freeradius, freeradius-utils and freeradius-mysql packages, but according to the RedHat change logs those packages were updated in September to fix the miscalculated MPPE keys with TLS 1.2 and nothing beyond that.
Clearly there was something beyond that.
Full debug: Waking up in 2.6 seconds. rad_recv: Access-Request packet from host 172.18.255.6 port 20002, id=254, length=162 NAS-Port-Id = "AP1306/2" Calling-Station-Id = "6C-88-14-54-69-28" Called-Station-Id = "00-26-3E-8D-79-C1:UWMWiFi" Service-Type = Framed-User EAP-Message = 0x020100120141445c706f6469612d75736572 User-Name = "AD\\podia-user"
Which shows that the User-Name is correct.
NAS-Port = 64901 NAS-Port-Type = Wireless-802.11 NAS-IP-Address = 172.18.255.6 NAS-Identifier = "Juniper" Message-Authenticator = 0xe3d83b401df09685c4df6a885095fa4f # Executing section authorize from file
/etc/raddb/sites-enabled/default
+group authorize { ++[preprocess] = ok ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "podia-user", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] = ok
Something there is re-writing the User-Name to remove the "AD" portion.
Check the configuration of the "suffice" module. Does it have "strip = yes" ?
[eap] EAP packet type response id 1 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry DEFAULT at line 50
Does that entry strip the user name?
[eap] Identity (AD\podia-user) does not match User-Name (podia-user).
The User-Name has been re-written from "AD\podia-user" to "podia-user". It doesn't happen by magic. Something has updated it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html