On Jun 24, 2022, at 8:56 AM, David le Roux <david.leroux@miller.co.uk> wrote:
So I used the scriptlet below to remove the host/ section and now no longer get the error message.
if (&User-Name =~ /^host\/(.*)$/) { update request { &Cert-CN := "%{1}" } }
That's good.
However I now get the following error:
(2) if (&User-Name =~ /^host\/(.*)$/) { (2) if (&User-Name =~ /^host\/(.*)$/) -> TRUE (2) if (&User-Name =~ /^host\/(.*)$/) { (2) update request { (2) EXPAND %{1} (2) --> hostname.domain.com (2) &User-Name := hostname.domain.com
That isn't what you posted above. You're editing the User-Name, and not adding a Cert-CN attribute. It helps to have a methodical approach, and to make sure that you're doing what you think you're doing.
(2) Found Auth-Type = eap (2) Found Auth-Type = eap (2) ERROR: Warning: Found 2 auth-types on request for user 'hostname.domain.com'
Don't force "Auth-Type = eap". It's wrong, and it will cause problems. Let the server figure out what to do. It will make the right decision.
(2) eap: Identity does not match User-Name. Authentication failed
Yup.
I imagine that having now modified the username it no longer matches its identity. I'm not sure how to remediate that.
Don't modify the User-Name? Instead, add a Cert-CN, and then modify the "eap" module to check for Cert-CN, and then User-Name: check_cert_cn = %{%{Cert-CN}:-%{User-Name}} Alan DeKok.