ok, it seems that 5c is the hexa notation for the character \ but is it normal that my string "MyDomain\\MyUserName becomes", before testing, "MyDomain\5c5cMyUserName" ? Thanks to all :) Le 17.05.2018 à 08:23, Arnaud Forster a écrit :
Hello all,
I requested a few months ago some help about allowing some specific users being able to connect on specific wifi systems. A received some great help by adding a test to check if the user belongs to the specific group. This works like a charm for computers *not *belonging to the ldap domain.Today, I've another problem with that authentication for a computer belonging to the ldap domain. I made a log and there's something I don't understand.
the username is there and correc (MyUserName) but suddenly, before checking if it belongs to the group 'Enseignants' here, the text '*5c5c' *is added to my username. It seems that this is the text 5c5cMyUserName that is checked instead of MyUserName.
Can someone understand that ? I've no idea from where comes this '5c5c' text and why this works for computers not belonging to the domain...
Really thanks for your help ;)
Arnaud
(1) Received Access-Request Id 193 from <a wifi system> length 219 (1) User-Name = "MyDomain\\MyUserName" (1) NAS-IP-Address = 10.20.32.34 (1) Called-Station-Id = "00-19-3B-10-8C-00:MyDomain" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "DC-53-60-A5-19-50" (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) Acct-Session-Id = "929C1E7D46CDEAD7" (1) Acct-Multi-Session-Id = "D8478D373078FF2E" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027074 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x02a800130145534d415c6c656f6e617264696d (1) Message-Authenticator = 0xa790b757b6ea900d68132242a39287d3 (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 00-19-3B-10-8C-00 (1) &Called-Station-Id := 00-19-3B-10-8C-00 (1) } # update request = noop (1) if ("%{8}") { (1) EXPAND %{8} (1) --> MyDomain (1) if ("%{8}") -> TRUE (1) if ("%{8}") { (1) update request { (1) EXPAND %{8} (1) --> MyDomain (1) &Called-Station-SSID := MyDomain (1) } # update request = noop (1) } # if ("%{8}") = noop (1) [updated] = updated (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_called_station_id = updated (1) switch &Called-Station-SSID { (1) case MyDomain{ (1) if (&LDAP-Group != "Enseignants") { (1) Searching for user in group "Enseignants" rlm_ldap (ldap): Reserved connection (1) (1) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) *--> (uid=**MyDomain**\**5c5c**MyUsername**)* (1) Performing search in "dc=MyDomain,dc=lan" with filter "(*uid=**MyDomain**\**5c5c**MyUserName*)", scope "sub" (1) Waiting for search result... (1) Search returned no results rlm_ldap (ldap): Released connection (1) (1) if (&LDAP-Group != "Enseignants") -> TRUE (1) if (&LDAP-Group != "Enseignants") { (1) [reject] = reject (1) } # if (&LDAP-Group != "Enseignants") = reject (1) } # case MyDomain= reject (1) } # switch &Called-Station-SSID = reject (1) } # authorize = reject (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1)*attr_filter.access_reject: --> **MyDomain**\\**MyUserName* (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap: Request was previously rejected, inserting EAP-Failure (1) eap: Sending EAP Failure (code 4) ID 168 length 4 (1) [eap] = updated (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 193 from 10.20.32.11:1812 to 10.20.32.34:36521 length 44 (1) EAP-Message = 0x04a80004 (1) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.3 seconds. (0) Cleaning up request packet ID 192 with timestamp +3
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html