Problem with spaces in usernames.
My main goal is creating EAP-TLS configuration but I wanted to be sure the easiest way is working fine. And it's not working for me. What's wrong that 3.0.0 version doesn't treat: "A Guest" the same way as aguest? They are configured this way in users file: "A Guest" Cleartext-Password := "123456" Reply-Message = "Hello %{User-Name}" aguest Cleartext-Password := "123456" Reply-Message = "Hello, %{User-Name}" and talking with radtest from other host makes following showing in debug: rad_recv: Access-Request packet from host 10.0.6.10 port 57803, id=3, length=77 User-Name = 'A Guest' User-Password = '123456' NAS-IP-Address = 10.0.6.10 NAS-Port = 0 Message-Authenticator = 0x3499158ba2be438b4e63389ffd091332 Wed Jan 29 17:20:58 2014 : Debug: (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Wed Jan 29 17:20:58 2014 : Debug: (0) authorize { Wed Jan 29 17:20:58 2014 : Debug: (0) filter_username filter_username { Wed Jan 29 17:20:58 2014 : Debug: (0) ? if (User-Name != "%{tolower:%{User-Name}}") Wed Jan 29 17:20:58 2014 : Debug: %{tolower:%{User-Name}} Wed Jan 29 17:20:58 2014 : Debug: Parsed xlat tree: Wed Jan 29 17:20:58 2014 : Debug: xlat: tolower Wed Jan 29 17:20:58 2014 : Debug: { Wed Jan 29 17:20:58 2014 : Debug: attribute: User-Name Wed Jan 29 17:20:58 2014 : Debug: { Wed Jan 29 17:20:58 2014 : Debug: ref 2 Wed Jan 29 17:20:58 2014 : Debug: list 1 Wed Jan 29 17:20:58 2014 : Debug: tag -128 Wed Jan 29 17:20:58 2014 : Debug: } Wed Jan 29 17:20:58 2014 : Debug: } Wed Jan 29 17:20:58 2014 : Debug: (0) expand: "%{tolower:%{User-Name}}" -> 'a guest' Wed Jan 29 17:20:58 2014 : Debug: (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> TRUE Wed Jan 29 17:20:58 2014 : Debug: (0) if (User-Name != "%{tolower:%{User-Name}}") { Wed Jan 29 17:20:58 2014 : Debug: (0) modsingle[authorize]: calling reject (rlm_always) for request 0 Wed Jan 29 17:20:58 2014 : Debug: (0) modsingle[authorize]: returned from reject (rlm_always) for request 0 Wed Jan 29 17:20:58 2014 : Debug: (0) [reject] = reject Wed Jan 29 17:20:58 2014 : Debug: (0) } # if (User-Name != "%{tolower:%{User-Name}}") = reject Wed Jan 29 17:20:58 2014 : Debug: (0) } # filter_username filter_username = reject Wed Jan 29 17:20:58 2014 : Debug: (0) } # authorize = reject Wed Jan 29 17:20:58 2014 : Debug: (0) Using Post-Auth-Type Reject Wed Jan 29 17:20:58 2014 : Debug: (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default Wed Jan 29 17:20:58 2014 : Debug: (0) Post-Auth-Type REJECT { Wed Jan 29 17:20:58 2014 : Debug: (0) modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0 Wed Jan 29 17:20:58 2014 : Debug: %{User-Name} Wed Jan 29 17:20:58 2014 : Debug: Parsed xlat tree: Wed Jan 29 17:20:58 2014 : Debug: attribute: User-Name Wed Jan 29 17:20:58 2014 : Debug: { Wed Jan 29 17:20:58 2014 : Debug: ref 2 Wed Jan 29 17:20:58 2014 : Debug: list 1 Wed Jan 29 17:20:58 2014 : Debug: tag -128 Wed Jan 29 17:20:58 2014 : Debug: } Wed Jan 29 17:20:58 2014 : Debug: (0) attr_filter.access_reject : expand: "%{User-Name}" -> 'A Guest' Wed Jan 29 17:20:58 2014 : Debug: (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 Wed Jan 29 17:20:58 2014 : Debug: (0) modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0 Wed Jan 29 17:20:58 2014 : Debug: (0) [attr_filter.access_reject] = updated Wed Jan 29 17:20:58 2014 : Debug: (0) modsingle[post-auth]: calling eap (rlm_eap) for request 0 Wed Jan 29 17:20:58 2014 : Debug: (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure Wed Jan 29 17:20:58 2014 : Debug: (0) modsingle[post-auth]: returned from eap (rlm_eap) for request 0 Wed Jan 29 17:20:58 2014 : Debug: (0) [eap] = noop Wed Jan 29 17:20:58 2014 : Debug: (0) remove_reply_message_if_eap remove_reply_message_if_eap { Wed Jan 29 17:20:58 2014 : Debug: (0) ? if (reply:EAP-Message && reply:Reply-Message) Wed Jan 29 17:20:58 2014 : Debug: (0) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE Wed Jan 29 17:20:58 2014 : Debug: (0) else else { Wed Jan 29 17:20:58 2014 : Debug: (0) modsingle[post-auth]: calling noop (rlm_always) for request 0 Wed Jan 29 17:20:58 2014 : Debug: (0) modsingle[post-auth]: returned from noop (rlm_always) for request 0 Wed Jan 29 17:20:58 2014 : Debug: (0) [noop] = noop Wed Jan 29 17:20:58 2014 : Debug: (0) } # else else = noop Wed Jan 29 17:20:58 2014 : Debug: (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop Wed Jan 29 17:20:58 2014 : Debug: (0) } # Post-Auth-Type REJECT = updated Wed Jan 29 17:20:58 2014 : Debug: (0) Finished request 0. Wed Jan 29 17:20:58 2014 : Debug: Waking up in 0.3 seconds. Wed Jan 29 17:20:58 2014 : Debug: Waking up in 0.6 seconds. Wed Jan 29 17:20:59 2014 : Debug: (0) Sending delayed reject Sending Access-Reject of id 3 from 10.0.6.207 port 1812 to 10.0.6.10 port 57803 Wed Jan 29 17:20:59 2014 : Debug: Waking up in 4.9 seconds. Wed Jan 29 17:21:04 2014 : Debug: (0) Cleaning up request packet ID 3 with timestamp +29 Wed Jan 29 17:21:04 2014 : Info: Ready to process requests. rad_recv: Access-Request packet from host 10.0.6.10 port 44948, id=210, length=76 User-Name = 'aguest' User-Password = '123456' NAS-IP-Address = 10.0.6.10 NAS-Port = 0 Message-Authenticator = 0xdfd5232531e2f84735f3a9b1b94c22c9 Wed Jan 29 17:21:10 2014 : Debug: (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Wed Jan 29 17:21:10 2014 : Debug: (1) authorize { Wed Jan 29 17:21:10 2014 : Debug: (1) filter_username filter_username { Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name != "%{tolower:%{User-Name}}") Wed Jan 29 17:21:10 2014 : Debug: %{tolower:%{User-Name}} Wed Jan 29 17:21:10 2014 : Debug: Parsed xlat tree: Wed Jan 29 17:21:10 2014 : Debug: xlat: tolower Wed Jan 29 17:21:10 2014 : Debug: { Wed Jan 29 17:21:10 2014 : Debug: attribute: User-Name Wed Jan 29 17:21:10 2014 : Debug: { Wed Jan 29 17:21:10 2014 : Debug: ref 2 Wed Jan 29 17:21:10 2014 : Debug: list 1 Wed Jan 29 17:21:10 2014 : Debug: tag -128 Wed Jan 29 17:21:10 2014 : Debug: } Wed Jan 29 17:21:10 2014 : Debug: } Wed Jan 29 17:21:10 2014 : Debug: } Wed Jan 29 17:21:10 2014 : Debug: (1) expand: "%{tolower:%{User-Name}}" -> 'aguest' Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name =~ / /) Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name =~ / /) -> FALSE Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name =~ /@.*@/ ) Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name =~ /@.*@/ ) -> FALSE Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name =~ /\\.\\./ ) Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name =~ /\\.\\./ ) -> FALSE Wed Jan 29 17:21:10 2014 : Debug: (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) Wed Jan 29 17:21:10 2014 : Debug: (1) ? if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name =~ /\\.$/) Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name =~ /\\.$/) -> FALSE Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name =~ /@\\./) Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (User-Name =~ /@\\./) -> FALSE Wed Jan 29 17:21:10 2014 : Debug: (1) } # filter_username filter_username = notfound Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [preprocess] = ok Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: calling chap (rlm_chap) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: returned from chap (rlm_chap) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [chap] = noop Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: calling mschap (rlm_mschap) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: returned from mschap (rlm_mschap) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [mschap] = noop Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: calling digest (rlm_digest) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: returned from digest (rlm_digest) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [digest] = noop Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: calling suffix (rlm_realm) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) suffix : No '@' in User-Name = "aguest", looking up realm NULL Wed Jan 29 17:21:10 2014 : Debug: (1) suffix : No such realm "NULL" Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: returned from suffix (rlm_realm) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [suffix] = noop Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: calling eap (rlm_eap) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) eap : No EAP-Message, not doing EAP Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: returned from eap (rlm_eap) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [eap] = noop Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: calling files (rlm_files) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) files : users: Matched entry aguest at line 57 Wed Jan 29 17:21:10 2014 : Debug: Hello, %{User-Name} Wed Jan 29 17:21:10 2014 : Debug: Parsed xlat tree: Wed Jan 29 17:21:10 2014 : Debug: literal: 'Hello, ' Wed Jan 29 17:21:10 2014 : Debug: attribute: User-Name Wed Jan 29 17:21:10 2014 : Debug: { Wed Jan 29 17:21:10 2014 : Debug: ref 2 Wed Jan 29 17:21:10 2014 : Debug: list 1 Wed Jan 29 17:21:10 2014 : Debug: tag -128 Wed Jan 29 17:21:10 2014 : Debug: } Wed Jan 29 17:21:10 2014 : Debug: (1) files : expand: "Hello, %{User-Name}" -> 'Hello, aguest' Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: returned from files (rlm_files) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [files] = ok Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: calling expiration (rlm_expiration) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: returned from expiration (rlm_expiration) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [expiration] = noop Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: calling logintime (rlm_logintime) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: returned from logintime (rlm_logintime) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [logintime] = noop Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: calling pap (rlm_pap) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authorize]: returned from pap (rlm_pap) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [pap] = updated Wed Jan 29 17:21:10 2014 : Debug: (1) } # authorize = updated Wed Jan 29 17:21:10 2014 : Debug: (1) Found Auth-Type = PAP Wed Jan 29 17:21:10 2014 : Debug: (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default Wed Jan 29 17:21:10 2014 : Debug: (1) Auth-Type PAP { Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authenticate]: calling pap (rlm_pap) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) pap : login attempt with password "123456" Wed Jan 29 17:21:10 2014 : Debug: (1) pap : Using clear text password "123456" Wed Jan 29 17:21:10 2014 : Debug: (1) pap : User authenticated successfully Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[authenticate]: returned from pap (rlm_pap) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [pap] = ok Wed Jan 29 17:21:10 2014 : Debug: (1) } # Auth-Type PAP = ok Wed Jan 29 17:21:10 2014 : Debug: (1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default Wed Jan 29 17:21:10 2014 : Debug: (1) post-auth { Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[post-auth]: calling exec (rlm_exec) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[post-auth]: returned from exec (rlm_exec) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [exec] = noop Wed Jan 29 17:21:10 2014 : Debug: (1) remove_reply_message_if_eap remove_reply_message_if_eap { Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (reply:EAP-Message && reply:Reply-Message) Wed Jan 29 17:21:10 2014 : Debug: (1) ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE Wed Jan 29 17:21:10 2014 : Debug: (1) else else { Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[post-auth]: calling noop (rlm_always) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) modsingle[post-auth]: returned from noop (rlm_always) for request 1 Wed Jan 29 17:21:10 2014 : Debug: (1) [noop] = noop Wed Jan 29 17:21:10 2014 : Debug: (1) } # else else = noop Wed Jan 29 17:21:10 2014 : Debug: (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop Wed Jan 29 17:21:10 2014 : Debug: (1) } # post-auth = noop Sending Access-Accept of id 210 from 10.0.6.207 port 1812 to 10.0.6.10 port 44948 Reply-Message = 'Hello, aguest' Wed Jan 29 17:21:10 2014 : Debug: (1) Finished request 1. Wed Jan 29 17:21:10 2014 : Debug: Waking up in 0.3 seconds. Wed Jan 29 17:21:10 2014 : Debug: Waking up in 4.6 seconds. -- Pozdrawiam, Maciej Milewski
On 29 Jan 2014, at 16:44, Maciej Milewski <milu@dat.pl> wrote:
Wed Jan 29 17:20:58 2014 : Debug: %{tolower:%{User-Name}} Wed Jan 29 17:20:58 2014 : Debug: Parsed xlat tree: Wed Jan 29 17:20:58 2014 : Debug: xlat: tolower Wed Jan 29 17:20:58 2014 : Debug: { Wed Jan 29 17:20:58 2014 : Debug: attribute: User-Name Wed Jan 29 17:20:58 2014 : Debug: { Wed Jan 29 17:20:58 2014 : Debug: ref 2 Wed Jan 29 17:20:58 2014 : Debug: list 1 Wed Jan 29 17:20:58 2014 : Debug: tag -128 Wed Jan 29 17:20:58 2014 : Debug: } Wed Jan 29 17:20:58 2014 : Debug: } Wed Jan 29 17:20:58 2014 : Debug: (0) expand: "%{tolower:%{User-Name}}" -> 'a guest' Wed Jan 29 17:20:58 2014 : Debug: (0) ? if (User-Name != "%{tolower:%{User-Name}}") -> TRUE Wed Jan 29 17:20:58 2014 : Debug: (0) if (User-Name != "%{tolower:%{User-Name}}") { Wed Jan 29 17:20:58 2014 : Debug: (0) modsingle[authorize]: calling reject (rlm_always) for request 0 Wed Jan 29 17:20:58 2014 : Debug: (0) modsingle[authorize]: returned from reject (rlm_always) for request 0 Wed Jan 29 17:20:58 2014 : Debug: (0) [reject] = reject Wed Jan 29 17:20:58 2014 : Debug: (0) } # if (User-Name != "%{tolower:%{User-Name}}") = reject Wed Jan 29 17:20:58 2014 : Debug: (0) } # filter_username filter_username = reject Wed Jan 29 17:20:58 2014 : Debug: (0) } # authorize = reject
Please just use -X, the extra info isn't useful.. There's a policy filter_username which does basic checks on incoming user names to make sure they look like NAIs. if (User-Name != "%{tolower:%{User-Name}}") { reject } Is the bit causing the trouble. Comment it out in filter_username, or comment out the call to filter_username, it's got nothing to do with the users file... Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 29.01.2014 18:02, Arran Cudbard-Bell wrote:
Please just use -X, the extra info isn't useful.. OK, next time I will know.
There's a policy filter_username which does basic checks on incoming user names to make sure they look like NAIs.
if (User-Name != "%{tolower:%{User-Name}}") { reject }
Is the bit causing the trouble. Comment it out in filter_username, or comment out the call to filter_username, it's got nothing to do with the users file...
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team I think that makes EAP-TLS less obvious to set up. Especially if you are using full user name as CN. I'll try that later. May I propose adding info about those Capital Letters disallowed into text?
# This is an entry for a user with a space in their name. # Note the double quotes surrounding the name. If you have # users with spaces and capital letters in their names, you must also change # the "filter_username" policy to allow spaces and capital letters. - -- Pozdrawiam, Maciej Milewski -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlLpencACgkQPQ1pa2ELkNly1QCeOo0b6+Qg2XFdL2utcd+DEdvy i+YAn1suA+gzC/CbV3f4OctZ4g1eyxy4 =8iIn -----END PGP SIGNATURE-----
Maciej Milewski wrote:
I think that makes EAP-TLS less obvious to set up. Especially if you are using full user name as CN.
The common practice is to use an email address as the user identity. The default configuration is intended to work for as many people as possible, which is why it has the current rules. You're welcome to do something else, but you've got to change the defaults. Alan DeKok.
On 01/29/2014 11:44 AM, Maciej Milewski wrote: Did you try reading the debug output you posted? Or is that our job ;-)
Wed Jan 29 17:20:58 2014 : Debug: (0) [reject] = reject Wed Jan 29 17:20:58 2014 : Debug: (0) } # if (User-Name != "%{tolower:%{User-Name}}") = reject Wed Jan 29 17:20:58 2014 : Debug: (0) } # filter_username filter_username = reject Wed Jan 29 17:20:58 2014 : Debug: (0) } # authorize = reject Wed Jan 29 17:20:58 2014 : Debug: (0) Using Post-Auth-Type Reject
raddb/policy.d/filter # # Filter the username # # Force some sanity on User-Name. This helps to avoid issues # issues where the back-end database is "forgiving" about # what constitutes a user name. # filter_username { # # reject mixed case # e.g. "UseRNaMe" # if (User-Name != "%{tolower:%{User-Name}}") { reject } -- John
On 29/01/14 16:44, Maciej Milewski wrote:
User-Name = 'A Guest' User-Password = '123456' NAS-IP-Address = 10.0.6.10 NAS-Port = 0 Message-Authenticator = 0x3499158ba2be438b4e63389ffd091332 Wed Jan 29 17:20:58 2014 : Debug: (0) # Executing section authorize from
What is this OBSESSION people have with running with crazy command line arguments that spew useless timestamp info? "radiusd -X" is ALL you need to post!
file /usr/local/etc/raddb/sites-enabled/default Wed Jan 29 17:20:58 2014 : Debug: (0) authorize { Wed Jan 29 17:20:58 2014 : Debug: (0) filter_username filter_username {
This...
filter_username = reject Wed Jan 29 17:20:58 2014 : Debug: (0) } # authorize = reject
...is rejecting it. 3.x comes with a default "username" sanity filter which removes lower-case/space. If you want to allow these, comment out the filter. Reading the debug output would be polite, in future.
On 29.01.2014 18:05, Phil Mayers wrote:
On 29/01/14 16:44, Maciej Milewski wrote:
User-Name = 'A Guest' User-Password = '123456' NAS-IP-Address = 10.0.6.10 NAS-Port = 0 Message-Authenticator = 0x3499158ba2be438b4e63389ffd091332 Wed Jan 29 17:20:58 2014 : Debug: (0) # Executing section authorize from
What is this OBSESSION people have with running with crazy command line arguments that spew useless timestamp info? "radiusd -X" is ALL you need to post! OK, thanks.
file /usr/local/etc/raddb/sites-enabled/default Wed Jan 29 17:20:58 2014 : Debug: (0) authorize { Wed Jan 29 17:20:58 2014 : Debug: (0) filter_username filter_username { This... filter_username = reject Wed Jan 29 17:20:58 2014 : Debug: (0) } # authorize = reject ...is rejecting it.
3.x comes with a default "username" sanity filter which removes lower-case/space. If you want to allow these, comment out the filter.
Reading the debug output would be polite, in future. Sorry, I didn't wanted to be impolite. After looking for 2 days why my old EAP config from 2.x doesn't work when I just added the same cfglines didn't help either.
-- Pozdrawiam, Maciej Milewski
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
John Dennis -
Maciej Milewski -
Phil Mayers