Trying to strip the Windows Domain name from a login
Hi All, I am trying to strip the domain name from a userid in the most efficient way possible, I am using version 2.1.1. I have tried using the hints file with regular expressions. ex. DEFAULT User-Name =~ "([A-Za-z1-9]+)" User-Name := "%{2}" In regexbuddy it is showing that it shows two matches, I specify the second match and in the debug output it fails and does not show any username. I then found another reference to strip the domain from the LDAP module as shown below: filter = "(cn=%{mschap:User-Name:-%{User-Name}} # filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" I am using MSChapV2 and it seems to pass the correct username to the LDAP server it looks like there is some other place I need to strip the domain besides the ldap lookup, that or the replies are using the stripped name and it is failing that way as well. Either way it still is not working. If I un-comment the stripped-user-name and use a supplicant that strips the domain prior to sending it, it does work so Radius is working, just now with standard windows supplicant on XP. Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 172.17.17.66port 1645, id=198, length=157 User-Name = "LPDOT1XTEST\\dotxuser" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-1C-B1-5A-8E-05" Calling-Station-Id = "64-31-50-6E-DA-7A" EAP-Message = 0x0202001a014c50444f543158544553545c626c69747472656c6c Message-Authenticator = 0x7041a9eaea23f1896725936e06e3f1dc NAS-Port-Type = Ethernet NAS-Port = 50005 NAS-IP-Address = 10.20.90.37 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "LPDOT1XTEST\dotxuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for LPDOT1XTEST\dotxuser [ldap] expand: (cn=%{mschap:User-Name:-%{User-Name}} -> (cn=dotxuser [ldap] expand: ou=users,o=musd -> ou=users,o=musd rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 172.17.17.1:636, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder2.b64 rlm_ldap: bind as cn=ldproxy,ou=somecx,o=cx/password! to 172.17.17.1:636 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=users,o=musd, with filter (cn=dotxuser rlm_ldap: ldap_search() failed: Bad search filter: (cn=dotxuser [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> LPDOT1XTEST\dotxuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 198 to 172.17.17.66port 1645 Waking up in 4.9 seconds. Cleaning up request 0 ID 198 with timestamp +20 Ready to process requests. An yes I am pretty new to freeradius. Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
Brett Littrell wrote:
I am trying to strip the domain name from a userid in the most efficient way possible, I am using version 2.1.1.
See the "realms" module, and the "realm" definition in raddb/proxy.conf.
I am using MSChapV2
Then stripping the realm isn't a good idea. The User-Name is used as part of the MS-CHAPv2 calculations, so changing it will make the authentication fail.
I then found another reference to strip the domain from the LDAP module as shown below: filter = "(cn=%{mschap:User-Name:-%{User-Name}}
This is wrong. You're not closing the opening bracket: filter = "(cn=%{mschap:User-Name:-%{User-Name}})"
and it seems to pass the correct username to the LDAP server it looks like there is some other place I need to strip the domain besides the ldap lookup, that or the replies are using the stripped name and it is failing that way as well. Either way it still is not working. If I un-comment the stripped-user-name and use a supplicant that strips the domain prior to sending it, it does work so Radius is working, just now with standard windows supplicant on XP.
If you're using EAP, you *really* don't want to strip the User-Name. It will make EAP fail.
An yes I am pretty new to freeradius.
What you want is to change the *ldap* lookup so that it uses only the name portion of the User-Name. *Don't* edit the User-Name. And move the LDAP lookup to the "inner-tunnel" configuration. That's what it's for. Don't do LDAP lookups in raddb/sites-available/default Alan DeKok.
Hi Alan, Thanks for info. Next question is "what??" HeHe. I started looking at the files you suggested and I am confused. First you mention looking into the realm information, did that, it is looking like that may not be to hard to do, if I am using the FR server to access the LDAP server then I just need to set a realm of ntdomain and auth=LOCAL, correct? Then you go on to say strip the domain at the LDAP lookup, well if I do it there wouldn't that fix the problem regardless of changing the realm? You go on to explain that I should do the LDAP lookup in the inner-tunnel config, I have no problem with this, it makes sense, the problem I have is how do you specify the inner tunnel in the configuration? Remember, I am new to FreeRadius, been using Cisco ACS for a few years now so I know about Radius in general, just not how to configure FreeRadius and docs are a bit hard to come by. If you can specify the files I should look at to configure the inner tunnel authentication and where to specify stripping the domain name pre-ldap authentication that would help a lot. I was not sure if I should attempt stripping the domain in the realm portion or right before the ldap auth. Thanks again, I will continue and try to figure out where to do this until I hear back. Brett Littrell Network Manager MUSD CISSP, CCSP, CCVP, MCNE
On Friday, January 21, 2011 at 11:56 PM, in message <4D3A8DA0.7050702@deployingradius.com>, Alan DeKok <aland@deployingradius.com> wrote:
Brett Littrell wrote:
I am trying to strip the domain name from a userid in the most efficient way possible, I am using version 2.1.1.
See the "realms" module, and the "realm" definition in raddb/proxy.conf.
I am using MSChapV2
Then stripping the realm isn't a good idea. The User-Name is used as part of the MS-CHAPv2 calculations, so changing it will make the authentication fail.
I then found another reference to strip the domain from the LDAP module as shown below: filter = "(cn=%{mschap:User-Name:-%{User-Name}}
This is wrong. You're not closing the opening bracket: filter = "(cn=%{mschap:User-Name:-%{User-Name}})"
and it seems to pass the correct username to the LDAP server it looks like there is some other place I need to strip the domain besides the ldap lookup, that or the replies are using the stripped name and it is failing that way as well. Either way it still is not working. If I un-comment the stripped-user-name and use a supplicant that strips the domain prior to sending it, it does work so Radius is working, just now with standard windows supplicant on XP.
If you're using EAP, you *really* don't want to strip the User-Name. It will make EAP fail.
An yes I am pretty new to freeradius.
What you want is to change the *ldap* lookup so that it uses only the name portion of the User-Name. *Don't* edit the User-Name. And move the LDAP lookup to the "inner-tunnel" configuration. That's what it's for. Don't do LDAP lookups in raddb/sites-available/default Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Brett Littrell wrote:
First you mention looking into the realm information, did that, it is looking like that may not be to hard to do, if I am using the FR server to access the LDAP server then I just need to set a realm of ntdomain and auth=LOCAL, correct?
Yes.
Then you go on to say strip the domain at the LDAP lookup, well if I do it there wouldn't that fix the problem regardless of changing the realm?
I'm not sure what you mean by that.
You go on to explain that I should do the LDAP lookup in the inner-tunnel config, I have no problem with this, it makes sense, the problem I have is how do you specify the inner tunnel in the configuration?
Edit the inner-tunnel configuration file.
Remember, I am new to FreeRadius, been using Cisco ACS for a few years now so I know about Radius in general, just not how to configure FreeRadius and docs are a bit hard to come by.
See the Wiki, and the comments in the configuration files. *Everything* is documented. But there are few "howtos" for specific situations. You've got to understand the pieces, and put the solution together yourself. Alan DeKok.
participants (2)
-
Alan DeKok -
Brett Littrell