Strange behaviour (?) on Windows authentication
Hello all, I requested a few months ago some help about allowing some specific users being able to connect on specific wifi systems. A received some great help by adding a test to check if the user belongs to the specific group. This works like a charm for computers *not *belonging to the ldap domain.Today, I've another problem with that authentication for a computer belonging to the ldap domain. I made a log and there's something I don't understand. the username is there and correc (MyUserName) but suddenly, before checking if it belongs to the group 'Enseignants' here, the text '*5c5c' *is added to my username. It seems that this is the text 5c5cMyUserName that is checked instead of MyUserName. Can someone understand that ? I've no idea from where comes this '5c5c' text and why this works for computers not belonging to the domain... Really thanks for your help ;) Arnaud (1) Received Access-Request Id 193 from <a wifi system> length 219 (1) User-Name = "MyDomain\\MyUserName" (1) NAS-IP-Address = 10.20.32.34 (1) Called-Station-Id = "00-19-3B-10-8C-00:MyDomain" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "DC-53-60-A5-19-50" (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) Acct-Session-Id = "929C1E7D46CDEAD7" (1) Acct-Multi-Session-Id = "D8478D373078FF2E" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027074 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x02a800130145534d415c6c656f6e617264696d (1) Message-Authenticator = 0xa790b757b6ea900d68132242a39287d3 (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 00-19-3B-10-8C-00 (1) &Called-Station-Id := 00-19-3B-10-8C-00 (1) } # update request = noop (1) if ("%{8}") { (1) EXPAND %{8} (1) --> MyDomain (1) if ("%{8}") -> TRUE (1) if ("%{8}") { (1) update request { (1) EXPAND %{8} (1) --> MyDomain (1) &Called-Station-SSID := MyDomain (1) } # update request = noop (1) } # if ("%{8}") = noop (1) [updated] = updated (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_called_station_id = updated (1) switch &Called-Station-SSID { (1) case MyDomain{ (1) if (&LDAP-Group != "Enseignants") { (1) Searching for user in group "Enseignants" rlm_ldap (ldap): Reserved connection (1) (1) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) *--> (uid=**MyDomain**\**5c5c**MyUsername**)* (1) Performing search in "dc=MyDomain,dc=lan" with filter "(*uid=**MyDomain**\**5c5c**MyUserName*)", scope "sub" (1) Waiting for search result... (1) Search returned no results rlm_ldap (ldap): Released connection (1) (1) if (&LDAP-Group != "Enseignants") -> TRUE (1) if (&LDAP-Group != "Enseignants") { (1) [reject] = reject (1) } # if (&LDAP-Group != "Enseignants") = reject (1) } # case MyDomain= reject (1) } # switch &Called-Station-SSID = reject (1) } # authorize = reject (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1)*attr_filter.access_reject: --> **MyDomain**\\**MyUserName* (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap: Request was previously rejected, inserting EAP-Failure (1) eap: Sending EAP Failure (code 4) ID 168 length 4 (1) [eap] = updated (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 193 from 10.20.32.11:1812 to 10.20.32.34:36521 length 44 (1) EAP-Message = 0x04a80004 (1) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.3 seconds. (0) Cleaning up request packet ID 192 with timestamp +3
ok, it seems that 5c is the hexa notation for the character \ but is it normal that my string "MyDomain\\MyUserName becomes", before testing, "MyDomain\5c5cMyUserName" ? Thanks to all :) Le 17.05.2018 à 08:23, Arnaud Forster a écrit :
Hello all,
I requested a few months ago some help about allowing some specific users being able to connect on specific wifi systems. A received some great help by adding a test to check if the user belongs to the specific group. This works like a charm for computers *not *belonging to the ldap domain.Today, I've another problem with that authentication for a computer belonging to the ldap domain. I made a log and there's something I don't understand.
the username is there and correc (MyUserName) but suddenly, before checking if it belongs to the group 'Enseignants' here, the text '*5c5c' *is added to my username. It seems that this is the text 5c5cMyUserName that is checked instead of MyUserName.
Can someone understand that ? I've no idea from where comes this '5c5c' text and why this works for computers not belonging to the domain...
Really thanks for your help ;)
Arnaud
(1) Received Access-Request Id 193 from <a wifi system> length 219 (1) User-Name = "MyDomain\\MyUserName" (1) NAS-IP-Address = 10.20.32.34 (1) Called-Station-Id = "00-19-3B-10-8C-00:MyDomain" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "DC-53-60-A5-19-50" (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) Acct-Session-Id = "929C1E7D46CDEAD7" (1) Acct-Multi-Session-Id = "D8478D373078FF2E" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027074 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x02a800130145534d415c6c656f6e617264696d (1) Message-Authenticator = 0xa790b757b6ea900d68132242a39287d3 (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy rewrite_called_station_id { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE (1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) { (1) update request { (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (1) --> 00-19-3B-10-8C-00 (1) &Called-Station-Id := 00-19-3B-10-8C-00 (1) } # update request = noop (1) if ("%{8}") { (1) EXPAND %{8} (1) --> MyDomain (1) if ("%{8}") -> TRUE (1) if ("%{8}") { (1) update request { (1) EXPAND %{8} (1) --> MyDomain (1) &Called-Station-SSID := MyDomain (1) } # update request = noop (1) } # if ("%{8}") = noop (1) [updated] = updated (1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_called_station_id = updated (1) switch &Called-Station-SSID { (1) case MyDomain{ (1) if (&LDAP-Group != "Enseignants") { (1) Searching for user in group "Enseignants" rlm_ldap (ldap): Reserved connection (1) (1) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (1) *--> (uid=**MyDomain**\**5c5c**MyUsername**)* (1) Performing search in "dc=MyDomain,dc=lan" with filter "(*uid=**MyDomain**\**5c5c**MyUserName*)", scope "sub" (1) Waiting for search result... (1) Search returned no results rlm_ldap (ldap): Released connection (1) (1) if (&LDAP-Group != "Enseignants") -> TRUE (1) if (&LDAP-Group != "Enseignants") { (1) [reject] = reject (1) } # if (&LDAP-Group != "Enseignants") = reject (1) } # case MyDomain= reject (1) } # switch &Called-Station-SSID = reject (1) } # authorize = reject (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1)*attr_filter.access_reject: --> **MyDomain**\\**MyUserName* (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap: Request was previously rejected, inserting EAP-Failure (1) eap: Sending EAP Failure (code 4) ID 168 length 4 (1) [eap] = updated (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 193 from 10.20.32.11:1812 to 10.20.32.34:36521 length 44 (1) EAP-Message = 0x04a80004 (1) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.3 seconds. (0) Cleaning up request packet ID 192 with timestamp +3
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 17, 2018, at 2:23 AM, Arnaud Forster <arnaud.forster@mwprog.ch> wrote:
I requested a few months ago some help about allowing some specific users being able to connect on specific wifi systems. A received some great help by adding a test to check if the user belongs to the specific group. This works like a charm for computers *not *belonging to the ldap domain.Today, I've another problem with that authentication for a computer belonging to the ldap domain. I made a log and there's something I don't understand.
the username is there and correc (MyUserName) but suddenly, before checking if it belongs to the group 'Enseignants' here, the text '*5c5c' *is added to my username. It seems that this is the text 5c5cMyUserName that is checked instead of MyUserName.
The hex code 5C is the ASCII code for the backslash character. FreeRADIUS encodes backslashes when it queries databases. Otherwise, users could do SQL (or LDAP) injection attacks.
Can someone understand that ? I've no idea from where comes this '5c5c' text and why this works for computers not belonging to the domain...
Really thanks for your help ;)
Arnaud
(1) Received Access-Request Id 193 from <a wifi system> length 219 (1) User-Name = "MyDomain\\MyUserName"
If that's getting converted to 5c5c, you might try upgrading to 3.0.17. You're running an older version of the database. Newer versions will still do the escaping, but only once. The short answer for a solution is that you need to set up "MyDomain" as a LOCAL realm in raddb/proxy.conf. The server will then use "MyUserName" to look up the user in LDAP. Alan DeKok.
Hello Alan, thanks for the informations :) In the meatime I found an old post from 2011 where there was this information ; /Edit the "proxy.conf" file and add:/ /realm OPTARE {// //}/ / //Then edit raddb/sites-enabled/default and add:// //// //authorize {// // preprocess// // ntdomain// // .... rest of config// //}/ So I tried that and it worked ! :) Thanks again for the help Arnaud Le 17.05.2018 à 20:04, Alan DeKok a écrit :
On May 17, 2018, at 2:23 AM, Arnaud Forster <arnaud.forster@mwprog.ch> wrote:
I requested a few months ago some help about allowing some specific users being able to connect on specific wifi systems. A received some great help by adding a test to check if the user belongs to the specific group. This works like a charm for computers *not *belonging to the ldap domain.Today, I've another problem with that authentication for a computer belonging to the ldap domain. I made a log and there's something I don't understand.
the username is there and correc (MyUserName) but suddenly, before checking if it belongs to the group 'Enseignants' here, the text '*5c5c' *is added to my username. It seems that this is the text 5c5cMyUserName that is checked instead of MyUserName. The hex code 5C is the ASCII code for the backslash character.
FreeRADIUS encodes backslashes when it queries databases. Otherwise, users could do SQL (or LDAP) injection attacks.
Can someone understand that ? I've no idea from where comes this '5c5c' text and why this works for computers not belonging to the domain...
Really thanks for your help ;)
Arnaud
(1) Received Access-Request Id 193 from <a wifi system> length 219 (1) User-Name = "MyDomain\\MyUserName" If that's getting converted to 5c5c, you might try upgrading to 3.0.17. You're running an older version of the database.
Newer versions will still do the escaping, but only once.
The short answer for a solution is that you need to set up "MyDomain" as a LOCAL realm in raddb/proxy.conf. The server will then use "MyUserName" to look up the user in LDAP.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Arnaud Forster