Hi all, Thanks Stefan for the proposition, I finally upgraded from packetfence version as Alan suggested in another post (http://lists.freeradius.org/pipermail/freeradius-users/2017-January/086387.h...) System admin added a new repo allowing only freeradius* packages I'm now running 3.0.13 successfully. Before It started I had to customise my conf files and particularly disable filter_username module in authorise sections. Do someone ever has reject because of an unreal reason ? It looks like a bug or am I wrong ? here is radius -X details : eady to process requests (1) Received Access-Request Id 48 from 129.20.3.1:32770 to 129.20.128.215:2012 length 267 (1) User-Name = "XXXXXXX@univ-rennes1.fr" (1) Calling-Station-Id = "xx:xx:xx:xx:xx:xx" (1) Called-Station-Id = "zz:zz:zz:zz:zz:zz:eduroam2" (1) NAS-Port = 13 (1) Cisco-AVPair = "audit-session-id=81140301004ea5905891e58f" (1) NAS-IP-Address = 129.20.3.1 (1) NAS-Identifier = "cs5508-00-12d-1" (1) Airespace-Wlan-Id = 9 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "410" (1) EAP-Message = 0x0202001d016364656c61756e6140756e69762d72656e6e6573312e6672 (1) Message-Authenticator = 0x1132d719171132f5a5c236cf9c4f3de1 (1) # Executing section authorize from file /etc/raddb//sites-enabled/eduroam (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> TRUE (1) if (&User-Name =~ /\.$/) { (1) update request { (1) &Module-Failure-Message += 'Rejected: Realm ends with a dot' (1) } # update request = noop (1) [reject] = reject (1) } # if (&User-Name =~ /\.$/) = reject (1) } # if (&User-Name) = reject (1) } # policy filter_username = reject (1) } # authorize = reject (1) Invalid user (Rejected: Realm ends with a dot): [XXXXXXX@univ-rennes1.fr] (from client Controleur1 port 13 cli xx:xx:xx:xx:xx:xx) ....... Received Access-Request Id 47 from 129.20.3.1:32770 to 129.20.128.215:2012 length 267 (2) User-Name = "XXXXXXX@univ-rennes1.fr" (2) Calling-Station-Id = "xx:xx:xx:xx:xx:xx" (2) Called-Station-Id = "zz:zz:zz:zz:zz:zz:eduroam2" (2) NAS-Port = 13 (2) Cisco-AVPair = "audit-session-id=81140301004ea2255891e39d" (2) NAS-IP-Address = 129.20.3.1 (2) NAS-Identifier = "cs5508-00-12d-1" (2) Airespace-Wlan-Id = 9 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "410" (2) EAP-Message = 0x0201001d016364656c61756e6140756e69762d72656e6e6573312e6672 (2) Message-Authenticator = 0x6e2d0c853052c1e6c24554832e2986c2 (2) # Executing section authorize from file /etc/raddb//sites-enabled/eduroam (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> TRUE (2) if (&User-Name =~ /\.\./ ) { (2) update request { (2) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s' (2) } # update request = noop (2) [reject] = reject (2) } # if (&User-Name =~ /\.\./ ) = reject (2) } # if (&User-Name) = reject (2) } # policy filter_username = reject (2) } # authorize = reject (2) Invalid user (Rejected: User-Name contains multiple ..s): [XXXXXXX@univ-rennes1.fr] (from client Controleur1 port 13 cli xx:xx:xx:xx:xx:xx) (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/raddb//sites-enabled/eduroam (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> XXXXXXX@univ-rennes1.fr (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated Anyway, I disable the module and it work. I'll now look at Module-Failure-Message Cedric Le 25/01/2017 à 10:56, Stefan Paetow a écrit :
I would like switch from 2.x to 3.x as soon as possible so I can't wait for 3.0.13 release on my centos ;( If you are ok with getting a CentOS version of FR that's *not* from the official repo, you can get one from the Moonshot repository[1][2]. Granted, it comes with additional build functionality (dynamic realm lookup with Moonshot technology), but at least you won't have to hang around with 2.x anymore.
[1] http://repository.project-moonshot.org/rpms/centos6/RPMS/x86_64/ [2] Instructions: https://wiki.moonshot.ja.net/display/TEM/_SystemPrep_RHEL6 (or _SystemPrep_RHEL7)
We expect to release a 3.0.13 once Alan releases it.
:-)
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Cédric Delaunay Direction des Systèmes d'Informations Equipe Réseau & Telephonie 263, Avenue du Général Leclerc Tel: 02 23 23 71 59 CS 74205 - 35042 Rennes Cedex Pour toute demande utiliser l'aide et assistance via l'ENT à l'adresse http://ent.univ-rennes1.fr