authentication fails because of the realm isn't stripped
Hi, the authentication fails because of the realm isn't stripped. the man page says: "by default the realm is stripped ..." proxy.conf: #### just testing telesec ####### realm telesec { authhost = LOCAL secret = blabla } Debug: Tue Sep 26 08:33:47 2017 : Debug: (1) User-Name = "hans@telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) User-Password = "Itmc2628" Tue Sep 26 08:33:47 2017 : Debug: (1) session-state: No State attribute Tue Sep 26 08:33:47 2017 : Debug: (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default Tue Sep 26 08:33:47 2017 : Debug: (1) authorize { Tue Sep 26 08:33:47 2017 : Debug: (1) policy filter_username { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name) -> TRUE Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ / /) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ / /) -> FALSE Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /@[^@]*@/ ) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /\.\./ ) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /\.\./ ) -> FALSE Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /\.$/) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /\.$/) -> FALSE Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /@\./) { Tue Sep 26 08:33:47 2017 : Debug: (1) if (&User-Name =~ /@\./) -> FALSE Tue Sep 26 08:33:47 2017 : Debug: (1) } # if (&User-Name) = notfound Tue Sep 26 08:33:47 2017 : Debug: (1) } # policy filter_username = notfound Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling preprocess (rlm_preprocess) Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from preprocess (rlm_preprocess) Tue Sep 26 08:33:47 2017 : Debug: (1) [preprocess] = ok Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling chap (rlm_chap) Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from chap (rlm_chap) Tue Sep 26 08:33:47 2017 : Debug: (1) [chap] = noop Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling mschap (rlm_mschap) Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from mschap (rlm_mschap) Tue Sep 26 08:33:47 2017 : Debug: (1) [mschap] = noop Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling digest (rlm_digest) Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from digest (rlm_digest) Tue Sep 26 08:33:47 2017 : Debug: (1) [digest] = noop Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling suffix (rlm_realm) Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Checking for suffix after "@" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Looking up realm "telesec" for User-Name = "hans@telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Found realm "telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Adding Stripped-User-Name = "hans" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Adding Realm = "telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Authentication realm is LOCAL Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from suffix (rlm_realm) Tue Sep 26 08:33:47 2017 : Debug: (1) [suffix] = ok Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling eap (rlm_eap) Tue Sep 26 08:33:47 2017 : Debug: (1) eap: No EAP-Message, not doing EAP Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from eap (rlm_eap) Tue Sep 26 08:33:47 2017 : Debug: (1) [eap] = noop Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling files (rlm_files) Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: returned from files (rlm_files) Tue Sep 26 08:33:47 2017 : Debug: (1) [files] = noop Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling sql (rlm_sql) Tue Sep 26 08:33:47 2017 : Debug: %{User-Name} Tue Sep 26 08:33:47 2017 : Debug: Parsed xlat tree: Tue Sep 26 08:33:47 2017 : Debug: attribute --> User-Name Tue Sep 26 08:33:47 2017 : Debug: (1) sql: EXPAND %{User-Name} Tue Sep 26 08:33:47 2017 : Debug: (1) sql: --> hans@telesec Tue Sep 26 08:33:47 2017 : Debug: (1) sql: SQL-User-Name set to 'hans@telesec' Tue Sep 26 08:33:47 2017 : Info: rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 733 seconds Tue Sep 26 08:33:47 2017 : Debug: rlm_sql_mysql: Socket destructor called, closing socket Hans Bornemann Abteilung Datanet Technische Universität Dortmund ITMC Otto-Hahn-Str. 12 44227 Dortmund Tel.: +49 231-755 2132 hans.bornemann@tu-dortmund.de www.itmc.tu-dortmund.de Wichtiger Hinweis: Die Information in dieser E-Mail ist vertraulich. Sie ist ausschließlich für den Adressaten bestimmt. Sollten Sie nicht der für diese E-Mail bestimmte Adressat sein, unterrichten Sie bitte den Absender und vernichten Sie diese Mail. Vielen Dank. Unbeschadet der Korrespondenz per E-Mail, sind unsere Erklärungen ausschließlich final rechtsverbindlich, wenn sie in herkömmlicher Schriftform (mit eigenhändiger Unterschrift) oder durch Übermittlung eines solchen Schriftstücks per Telefax erfolgen. Important note: The information included in this e-mail is confidential. It is solely intended for the recipient. If you are not the intended recipient of this e-mail please contact the sender and delete this message. Thank you. Without prejudice of e-mail correspondence, our statements are only legally binding when they are made in the conventional written form (with personal signature) or when such documents are sent by fax.
On Sep 26, 2017, at 2:57 AM, hans.bornemann@tu-dortmund.de wrote:
the authentication fails because of the realm isn't stripped.
The realm is stripped. Please read the debug output.
the man page says: "by default the realm is stripped ..."
Quoting the documentation isn't helpful. We know what it says.
Tue Sep 26 08:33:47 2017 : Debug: (1) User-Name = "hans@telesec"
Please follow the documentation. EVERYTHING says to use "radiusd -X".
Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Checking for suffix after "@" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Looking up realm "telesec" for User-Name = "hans@telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Found realm "telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Adding Stripped-User-Name = "hans" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Adding Realm = "telesec" Tue Sep 26 08:33:47 2017 : Debug: (1) suffix: Authentication realm is LOCAL
See the word "Stripped" there? That's a hint that the realm is being stripped. And no, the User-Name attribute is *not* modified. That's a bad idea for a whole host of reasons.
Tue Sep 26 08:33:47 2017 : Debug: (1) modsingle[authorize]: calling sql (rlm_sql) Tue Sep 26 08:33:47 2017 : Debug: %{User-Name} Tue Sep 26 08:33:47 2017 : Debug: Parsed xlat tree: Tue Sep 26 08:33:47 2017 : Debug: attribute --> User-Name Tue Sep 26 08:33:47 2017 : Debug: (1) sql: EXPAND %{User-Name} Tue Sep 26 08:33:47 2017 : Debug: (1) sql: --> hans@telesec Tue Sep 26 08:33:47 2017 : Debug: (1) sql: SQL-User-Name set to 'hans@telesec'
See the SQL configuration. For you, raddb/mods-config/sql/main/mysql/queries.conf Look for sql_user_name, and read the documentation. Alan DeKok.
participants (2)
-
Alan DeKok -
hans.bornemann@tu-dortmund.de