On 15/10/2021 17:39, Darcy Boese wrote:
So I have installed a completely fresh freeradius 3.0 server, and after a lot of tinkering and quite a bit of hair-pulling, I managed to get it into a state where it will authenticate usernames and passwords against the /etc/radius/shadow file.
Sounds good.
To get that far, I'd modified the "mods-enabled/passwd" to read:
passwd shadow { filename = /etc/radius/shadow format = "*User-Name:Crypt-Password:" hash_size = 100 ignore_nislike = no allow_multiple_keys = no }
and in the "sites-available/default" file where it listed "unix" (approx line 400 in the "authorize" section) I listed "shadow" instead. Easy peasy, so to speak. OK. So that will look up the full User-Name attribute in the shadow file, and extract Crypt-Password.
But there's still one major hitch that I cannot seem to get straight. Getting authentication to work when the username has an attached "realm" is failing, and I'm utterly boggled for now as to where or what I need to change, because it's totally different from the old but still-plugging-along server.
So this works:
radtest <username> <password> localhost 5000 testing123
but this fails:
radtest <username@domain> <password> localhost 5000 testing123
As far as I can gather, there's no "nostrip" option enabled anywhere, yet the realm isn't being stripped before being matched via the passwd module.
As you realise, you need to strip the realm off before looking up the account in the shadow file. There's several ways to do it. If they are known realms, and you want to reject all else, then you can add them to the proxy.conf, e.g. realm example1.com { } realm example2.com { } and then make sure you call 'suffix' before you call 'shadow'. That will give you two new attributes, 'Stripped-User-Name', and 'Realm'. Alternatively, call 'split_username_nai', again before 'shadow'. That is a standard policy (from policy.d/canonicalization) which will use a regex to split User-Name into 'Stripped-User-Name' and 'Stripped-User-Domain'. Both of these will mean you need to update your passwd config to use 'Stripped-User-Name' instead of 'User-Name'. If you actually care about what the realm is, rather than just discard it, then you'd need to do something else such as put that in the shadow file - but I get the impression that you just want it removed. -- Matthew