On Thu, 2019-11-28 at 15:47 +0000, Sync IT wrote:
I have acquired a running freeradius system from the old administrator. It was running on version 2. But the company asked to upgrade it to V3. I am not a expert in freeradius thats why i am trying it to use on a test before running it on production.
Both of those are good.
The radius was developed by a programmer who no longer works in the company. He have made a custom gui that works great in v2. but in v3 it doesnt work. I have attached the debug report so that experts can have a look. Any idea where i made a mistake while using it in v3? when i add users from gui it goes to a different table but not in radcheck.
Upgrading FreeRADIUS won't change the internal GUI you use, so if it used to put entries in the radcheck table and doesn't any more then you've got problems elsewhere.
(0) Received Access-Request Id 222 from 127.0.0.1:52279 to 127.0.0.1:1812 length 79 (0) User-Name = "user1@mn1" (0) User-Password = "123" (0) NAS-IP-Address = 127.0.1.1 (0) NAS-Port = 10 (0) Message-Authenticator = 0xf6545a34fec8a8afc046441ec110241e (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> TRUE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) update request { (0) &Module-Failure-Message += 'Rejected: Realm does not have at least one dot separator'
That should be fairly clear. The filter_username policy in v3 checks for well-formed usernames. If your usernames don't have a "." in the realm, either comment out that particular check in raddb/policy.d/filter, or remove the entire `filter_username` call from raddb/sites-enabled/default authorize{} section. -- Matthew