Add $ to end of machine account uid
I need machines to be able to authenticate so that when a user who has never logged onto a computer can, by the machine have an active network connection and pulling the credentials from the samba-ldap domain. I have a realm setup to strip the domain/ part of the username which works fine, but I need to figure out how to add a $ at the end of anything that tries to connect as uid=host/computername. I'm sure I can figure out how to strip the host prefix, but can't quit figure out how to add the $ to the end. Thanks. -- Cody Jarrett IT Freedom cody.jarrett@itfreedom.com Office: 512.419.0070 Fax: 512.419.0080
Hi,
I need machines to be able to authenticate so that when a user who has never logged onto a computer can, by the machine have an active network connection and pulling the credentials from the samba-ldap domain. I have a realm setup to strip the domain/ part of the username which works fine, but I need to figure out how to add a $ at the end of anything that tries to connect as uid=host/computername. I'm sure I can figure out how to strip the host prefix, but can't quit figure out how to add the $ to the end. Thanks.
use the link on the novell site as per the discussions earlier today. alan
I've about got it, but now I am getting an eap error about the username isn't correct. I added this about preprocess: attr_rewrite add-dollar-sign { attribute = User-Name searchfor = "^host/(.*)" searchin = packet new_attribute = no replacewith = "%{1}$" } I've added add-dollar-sign to authorize { section. rad_recv: Access-Request packet from host 10.1.22.11:2135, id=64, length=168 NAS-IP-Address = 10.1.22.11 NAS-Port-Type = Wireless-802.11 NAS-Port = 12 Framed-MTU = 1400 User-Name = "host/itf-toshiba-asd" Calling-Station-Id = "000e35ff2a82" Called-Station-Id = "00186ecfa600" NAS-Identifier = "ap01.intranet.domain.com" EAP-Message = 0x02010019234486f73742f6974662d746f73686962612d617364 Message-Authenticator = 0x2b72b4ab80aaf3aa96b4613f3ab872341d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 radius_xlat: '^host/(.*)' radius_xlat: 'itf-toshiba-asd$' rlm_attr_rewrite: Changed value for attribute User-Name from 'host/itf-toshiba-asd' to 'itf-toshiba-asd$' modcall[authorize]: module "add-dollar-sign" returns ok for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '\' in User-Name = "itf-toshiba-asd$", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "DOMAIN" returns noop for request 2 rlm_eap: EAP packet type response id 1 length 25 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'dc=domain,dc=com' radius_xlat: '(uid=itf-toshiba-asd$)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=itf-toshiba-asd$) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=domain,dc=com, with filter (&(cn=wireless)(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$))) rlm_ldap::ldap_groupcmp: User found in group wireless rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "files" returns notfound for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for itf-toshiba-asd$ radius_xlat: '(uid=itf-toshiba-asd$)' radius_xlat: 'dc=domain,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=itf-toshiba-asd$) rlm_ldap: checking if remote access for itf-toshiba-asd$ is allowed by uid rlm_ldap: looking for check items in directory... rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [W ] & op=21 rlm_ldap: Adding sambaNTPassword as NT-Password, value 78389E5DE0CCA3A288568FADB746063D & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: user itf-toshiba-asd$ authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Identity does not match User-Name, setting from EAP Identity. rlm_eap: Failed in handler modcall[authenticate]: module "eap" returns invalid for request 2 modcall: leaving group authenticate (returns invalid) for request 2 auth: Failed to validate the user. Delaying request 2 for 1 seconds A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
I need machines to be able to authenticate so that when a user who has never logged onto a computer can, by the machine have an active network connection and pulling the credentials from the samba-ldap domain. I have a realm setup to strip the domain/ part of the username which works fine, but I need to figure out how to add a $ at the end of anything that tries to connect as uid=host/computername. I'm sure I can figure out how to strip the host prefix, but can't quit figure out how to add the $ to the end. Thanks.
use the link on the novell site as per the discussions earlier today.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I've about got it, but now I am getting an eap error about the username isn't correct.
I added this about preprocess: attr_rewrite add-dollar-sign { attribute = User-Name searchfor = "^host/(.*)" searchin = packet new_attribute = no replacewith = "%{1}$" }
you cannot play with User-Name - that is returned in the EAP conversation and if it has changed then the auth wont work. copy the value to eg Stripped-User-Name and then use that variable to do the auth with (as per that example page) alan
Ok, did that, and the connection gets farther now. I don't quite understand how to get the other modules to use the stripped-user-name now. rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'host/itf-toshiba-asd' modcall[authorize]: module "copy.user-name" returns ok for request 6 radius_xlat: '^host/(.*)' radius_xlat: 'itf-toshiba-asd$' rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'host/itf-toshiba-asd' to 'itf-toshiba-asd$' modcall[authorize]: module "add-dollar-sign" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '\' in User-Name = "host/itf-toshiba-asd", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "DOMAIN" returns noop for request 6 rlm_eap: EAP packet type response id 7 length 102 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'dc=domain,dc=com' radius_xlat: '(uid=itf-toshiba-asd$)' _____________ rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = a0203913657d182f94d6ad94beee83e800686f73742f6974662d746f73686962612d617364 PEAP: Setting User-Name to host/itf-toshiba-asd attr_rewrite copy.user-name { attribute = Stripped-User-Name new_attribute = yes searchfor = "" searchin = packet replacewith = "%{User-Name}" } attr_rewrite add-dollar-sign { attribute = Stripped-User-Name searchfor = "^host/(.*)" searchin = packet new_attribute = no replacewith = "%{1}$" } authorize { copy.user-name add-dollar-sign chap preprocess mschap DOMAIN eap files ldap } A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
I've about got it, but now I am getting an eap error about the username isn't correct.
I added this about preprocess: attr_rewrite add-dollar-sign { attribute = User-Name searchfor = "^host/(.*)" searchin = packet new_attribute = no replacewith = "%{1}$" }
you cannot play with User-Name - that is returned in the EAP conversation and if it has changed then the auth wont work. copy the value to eg Stripped-User-Name and then use that variable to do the auth with (as per that example page)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PEAP: Setting User-Name to host/itf-toshiba-asd
See my previous emails - your original config was correct. Don't use rlm_attr_rewrite. the %{mschap:User-Name} was working, and FreeRadius sent an Access-Accept. If your machines aren't getting on-net, it's a NAS problem.
On Fri, 2007-07-06 at 19:47 +0100, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
I've about got it, but now I am getting an eap error about the username isn't correct.
I added this about preprocess: attr_rewrite add-dollar-sign { attribute = User-Name searchfor = "^host/(.*)" searchin = packet new_attribute = no replacewith = "%{1}$" }
you cannot play with User-Name - that is returned in the EAP conversation and if it has changed then the auth wont work. copy the value to eg Stripped-User-Name and then use that variable to do the auth with (as per that example page)
Shouldn't he be using %{mschap:User-Name} rather than attr_rewrite hacks?
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Cody Jarrett -
Phil Mayers