Hi all,

I'm using freeradius+LDAP for the PPPoE dialup access control for a while. Lately I noticed there is weird issue whereby an user login with username as "user=5C=5C=5C=5Cuser@domain" and surprisingly freeradius allow it to login although the actual username should be "user@domain". I've run radius in -X mode and capture the log for your reference as below. In radiusd -X, we noticed server received Access-Request with username "user=5C=5C=5C=5Cuser@domain" but when reach to radius_xlat, the uid will become "user" only and when it query my LDAP the account for "user" is available and it will accept the access request. The question is why "user=5C=5C=5C=5Cuser" = "user"? We try the username with xC (i.e. 1C, 2C, 3C and so on...) and all are able to login because radius will take as user@domain. After login, the username in radacct will become "user=5C=5C=5C=5Cuser@domain" instead of "user@domain". As the consequence, the smart user may have multiple logins (by using user=1C/2C/3C....) and the records in radacct is different and therefore we will out of control for multiple login with single account. Any idea to fix this?


rad_recv: Access-Request packet from host 127.0.0.1:32877, id=87, length=93
        User-Name = "user=5C=5C=5C=5Cuser@domain"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0

rlm_ldap: performing user authorization for user=5c=5c=5c=5cuser
radius_xlat:  '(uid=user)'


Regards

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.