I think I may have found a bug in rlm_perl? I have written script with the aid of another freeradius list member that checks to see if a user is in a certain samba windows group. If they are not in the group (the wireless group) the module rejects the login. The module works perfectly except for those users who's usernames begin with a letter t. For instance ISD\josh will succeed but ISD\\ted will fail. I have done much testing and cant find my script to be the issue. Look below for debug output for the perl module. Notice that right after the ++[files] line I print out the radius items for debugging. Notice the User-Name value is correct going into the perl script. Notice on the exit of the perl script on each debug that the username is correct. Then notice later in each debug where these lines are: Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel) but when the username begins with a "t" it fails here like this: Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel) Notice only one backslash. I have tried to make it succeed by adding backslashes (for users that start with t) but no success. It will do ISD\\\tbraun and ISD\tbraun but never ISD\\tbraun. Therefore, with users that start with "t" I always get User-name does not match eap identity failure. Thanks for any help. At the very bottom after the debug output you will find my simple perl script that is well commented. -Josh ------- Successful attempt -------- ++[files] returns noop They key is User-Name and the value is ISD\\josh.They key is EAP-Message and the value is 0x020900061a03.They key is EAP-Type and the value is MS-CHAP-V2.They key is State and the value is 0xfeecb38bffe5a965a0ca1cd92ce6c42b.They key is FreeRADIUS-Proxied-To and the value is 127.0.0.1. rlm_perl: Added pair User-Name = ISD\josh rlm_perl: Added pair EAP-Message = 0x020900061a03 rlm_perl: Added pair EAP-Type = MS-CHAP-V2 rlm_perl: Added pair State = 0xfeecb38bffe5a965a0ca1cd92ce6c42b rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair Proxy-To-Realm = LOCAL ++[perl] returns updated ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ISD\\josh" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ISD\\josh" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later --------- End snip of successful attempt --------- --------- Failed attempt from user who's username begins with a "t" (tbraun) --------- ++[files] returns noop They key is User-Name and the value is ISD\\tbraun.They key is EAP-Message and the value is 0x0207000f014953445c74627261756e.They key is EAP-Type and the value is Identity.They key is FreeRADIUS-Proxied-To and the value is 127.0.0.1.rlm_perl: Added pair User-Name = ISD\tbraun rlm_perl: Added pair EAP-Message = 0x0207000f014953445c74627261756e rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair Proxy-To-Realm = LOCAL rlm_perl: Added pair EAP-Type = MS-CHAP-V2 ++[perl] returns updated ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ----------- End of snip of failed attempt ---------------- ----------- Begin paste of perl script ------------------ #!/usr/bin/perl -w use strict; # use ... use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK); use Data::Dumper; # This is hash wich hold original request from radius #my %RAD_REQUEST; # In this hash you add values that will be returned to NAS. #my %RAD_REPLY; #This is for check items #my %RAD_CHECK; # # This the remapping of return values # use constant RLM_MODULE_REJECT=> 0;# /* immediately reject the request */ use constant RLM_MODULE_FAIL=> 1;# /* module failed, don't reply */ use constant RLM_MODULE_OK=> 2;# /* the module is OK, continue */ use constant RLM_MODULE_HANDLED=> 3;# /* the module handled the request, so stop. */ use constant RLM_MODULE_INVALID=> 4;# /* the module considers the request invalid. */ use constant RLM_MODULE_USERLOCK=> 5;# /* reject the request (user is locked out) */ use constant RLM_MODULE_NOTFOUND=> 6;# /* user not found */ use constant RLM_MODULE_NOOP=> 7;# /* module succeeded without doing anything */ use constant RLM_MODULE_UPDATED=> 8;# /* OK (pairs modified) */ use constant RLM_MODULE_NUMCODES=> 9;# /* How many return codes there are */ # Function to handle authorize sub authorize { my $sambagroup = "10007"; #This is the numeric ID of the samba group my $domain = "ISD"; #Testing stuff to print out all radius attributes from hash my $key = ""; my $value = ""; while (($key, $value) = each (%RAD_REQUEST)){ print "They key is $key and the value is $value."; } #End of testing my $auth_user = $RAD_REQUEST{'User-Name'}; #Windows adds host/ to the begining of every machine name during login. #The following block of code cleans off host/ and replaces it with #the login domain and tags a $ at the end for wbinfo group query. if ($auth_user =~ /\bhost\b/ ) { $auth_user =~ s/^host\/// ; $auth_user = "$auth_user\$"; } #Here I add the domain to the beginning of the username if the domain doesnt exist there #already. if ( $auth_user !~ /^\b$domain\b/ ) { $auth_user = "$domain\\\\$auth_user"; } #End of username/machine name cleanup. #The next line is the wbinfo query to see what samba groups the user is a member of. my @resultArray = qx(wbinfo -r $auth_user); my $arraySize = scalar @resultArray; my $groupID = ""; if ($arraySize != 0) { foreach $groupID (@resultArray) { if ($groupID == $sambagroup) { #The below line re-writes the value stored in #the radius user-name attribute in the rad_request #hash. For some reason freeradius feeds in #DOMAIN\\\\username instead of DOMAIN\\username. #This causes the eap module to fail because the #returned value from this module doesnt match the EAP #identity. #this is from testing --> $RAD_REQUEST{'User-Name'} = "ISD\\\\tbraun" #The following line cleans two of the slashes "\\" out of the user-name before we return from the #perl module. These two slashes get added in. I'm not sure how or why. $RAD_REQUEST{'User-Name'} =~ s/^$domain\\/$domain/; #Here I exit the subroutine and tell FreeRadius I updated #some junk. return RLM_MODULE_UPDATED; # return RLM_MODULE_OK; } } } else { #user not in the required group. return RLM_MODULE_REJECT; #YOU have been denied.... } }
Josh Hiner wrote:
I think I may have found a bug in rlm_perl? I have written script with the aid of another freeradius list member that checks to see if a user is in a certain samba windows group. If they are not in the group (the wireless group) the module rejects the login. The module works perfectly except for those users who's usernames begin with a letter t. For instance ISD\josh will succeed but ISD\\ted will fail. I have done much testing and cant find my script to be the issue. Look below for debug output for the perl module.
Notice that right after the ++[files] line I print out the radius items for debugging. Notice the User-Name value is correct going into the perl script. Notice on the exit of the perl script on each debug that the username is correct. Then notice later in each debug where these lines are: Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel) but when the username begins with a "t" it fails here like this: Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel) Notice only one backslash.
I have tried to make it succeed by adding backslashes (for users that start with t) but no success. It will do ISD\\\tbraun and ISD\tbraun but never ISD\\tbraun. Therefore, with users that start with "t" I always get User-name does not match eap identity failure.
Thanks for any help. At the very bottom after the debug output you will find my simple perl script that is well commented.
-Josh
------- Successful attempt -------- ++[files] returns noop They key is User-Name and the value is ISD\\josh.They key is EAP-Message and the value is 0x020900061a03.They key is EAP-Type and the value is MS-CHAP-V2.They key is State and the value is 0xfeecb38bffe5a965a0ca1cd92ce6c42b.They key is FreeRADIUS-Proxied-To and the value is 127.0.0.1. rlm_perl: Added pair User-Name = ISD\josh rlm_perl: Added pair EAP-Message = 0x020900061a03 rlm_perl: Added pair EAP-Type = MS-CHAP-V2 rlm_perl: Added pair State = 0xfeecb38bffe5a965a0ca1cd92ce6c42b rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair Proxy-To-Realm = LOCAL ++[perl] returns updated ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ISD\\josh" [peap] Got tunneled reply RADIUS code 2 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "ISD\\josh" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later --------- End snip of successful attempt ---------
--------- Failed attempt from user who's username begins with a "t" (tbraun) --------- ++[files] returns noop They key is User-Name and the value is ISD\\tbraun.They key is EAP-Message and the value is 0x0207000f014953445c74627261756e.They key is EAP-Type and the value is Identity.They key is FreeRADIUS-Proxied-To and the value is 127.0.0.1.rlm_perl: Added pair User-Name = ISD\tbraun rlm_perl: Added pair EAP-Message = 0x0207000f014953445c74627261756e rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1 rlm_perl: Added pair Auth-Type = EAP rlm_perl: Added pair Proxy-To-Realm = LOCAL rlm_perl: Added pair EAP-Type = MS-CHAP-V2 ++[perl] returns updated ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Identity does not match User-Name, setting from EAP Identity. [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel) } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ----------- End of snip of failed attempt ----------------
----------- Begin paste of perl script ------------------
#!/usr/bin/perl -w use strict; # use ... use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK); use Data::Dumper;
# This is hash wich hold original request from radius #my %RAD_REQUEST; # In this hash you add values that will be returned to NAS. #my %RAD_REPLY; #This is for check items #my %RAD_CHECK;
# # This the remapping of return values # use constant RLM_MODULE_REJECT=> 0;# /* immediately reject the request */ use constant RLM_MODULE_FAIL=> 1;# /* module failed, don't reply */ use constant RLM_MODULE_OK=> 2;# /* the module is OK, continue */ use constant RLM_MODULE_HANDLED=> 3;# /* the module handled the request, so stop. */ use constant RLM_MODULE_INVALID=> 4;# /* the module considers the request invalid. */ use constant RLM_MODULE_USERLOCK=> 5;# /* reject the request (user is locked out) */ use constant RLM_MODULE_NOTFOUND=> 6;# /* user not found */ use constant RLM_MODULE_NOOP=> 7;# /* module succeeded without doing anything */ use constant RLM_MODULE_UPDATED=> 8;# /* OK (pairs modified) */ use constant RLM_MODULE_NUMCODES=> 9;# /* How many return codes there are */
# Function to handle authorize sub authorize {
my $sambagroup = "10007"; #This is the numeric ID of the samba group my $domain = "ISD";
#Testing stuff to print out all radius attributes from hash my $key = ""; my $value = ""; while (($key, $value) = each (%RAD_REQUEST)){ print "They key is $key and the value is $value."; } #End of testing my $auth_user = $RAD_REQUEST{'User-Name'};
#Windows adds host/ to the begining of every machine name during login. #The following block of code cleans off host/ and replaces it with #the login domain and tags a $ at the end for wbinfo group query.
if ($auth_user =~ /\bhost\b/ ) { $auth_user =~ s/^host\/// ; $auth_user = "$auth_user\$"; }
#Here I add the domain to the beginning of the username if the domain doesnt exist there #already. if ( $auth_user !~ /^\b$domain\b/ ) { $auth_user = "$domain\\\\$auth_user"; }
#End of username/machine name cleanup.
#The next line is the wbinfo query to see what samba groups the user is a member of. my @resultArray = qx(wbinfo -r $auth_user);
my $arraySize = scalar @resultArray; my $groupID = "";
if ($arraySize != 0) { foreach $groupID (@resultArray) { if ($groupID == $sambagroup) { #The below line re-writes the value stored in #the radius user-name attribute in the rad_request #hash. For some reason freeradius feeds in #DOMAIN\\\\username instead of DOMAIN\\username. #This causes the eap module to fail because the #returned value from this module doesnt match the EAP #identity.
#this is from testing --> $RAD_REQUEST{'User-Name'} = "ISD\\\\tbraun"
#The following line cleans two of the slashes "\\" out of the user-name before we return from the #perl module. These two slashes get added in. I'm not sure how or why. $RAD_REQUEST{'User-Name'} =~ s/^$domain\\/$domain/;
#Here I exit the subroutine and tell FreeRadius I updated #some junk.
return RLM_MODULE_UPDATED; # return RLM_MODULE_OK; } }
} else { #user not in the required group. return RLM_MODULE_REJECT; #YOU have been denied.... } }
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I forgot to mention the freeradius version I am using is 2.1.3. Sorry and thanks.
I think I may have found a bug in rlm_perl?
No, you broke it.
#The following line cleans two of the slashes "\\" out of the user-name before we return from the #perl module. These two slashes get added in. I'm not sure how or why.
$RAD_REQUEST{'User-Name'} =~ s/^$domain\\/$domain/;
Extra slashes are escaping slashes in the username. Leave them alone. Ivan Kalik Kalik Informatika ISP
I have found a problem when FR reads back accounting data from the listener server. It seems that the User-Name attribute is being lost under certain circumstances. My guess is that it is related to the ":=" operator that is being user since the User-Name was rewritten by the hints file prior to accounting. Snip from detail.work file. User-Name := "xxxxxxxx@myfol.com" NAS-Port = 84082688 Service-Type = Framed-User Framed-Protocol = PPP ... Snip from radiusd -X detail_recv: Read packet from /var/log/radius/radacct/ImagineNet/detail.work NAS-Port = 84082688 Service-Type = Framed-User Framed-Protocol = PPP ... Notice that the User-Name attribute is missing. It is not out of order either (further down in the debug file). I shut down FR and modified the User-Name operator on all of the listener files to be "=" and it seems to work fine. detail_recv: Read packet from /var/log/radius/radacct/ImagineNet/detail.work User-Name = "xxxxxxxx@myfol.com" NAS-Port = 84082688 Service-Type = Framed-User Framed-Protocol = PPP ... I have tried FreeRADIUS 2.1.4 and a 2.1.5 pre release running on CentOS 5.3. Jim
JDL wrote:
I have found a problem when FR reads back accounting data from the listener server. It seems that the User-Name attribute is being lost under certain circumstances. My guess is that it is related to the ":=" operator that is being user since the User-Name was rewritten by the hints file prior to accounting.
The code that reads the "detail" file is the same as the code that reads the "users" file, and is used by "radclient". All of which work with "=" or ":=". I'm a little surprised at this, and I find it a little hard to see how this can happen.
I shut down FR and modified the User-Name operator on all of the listener files to be "=" and it seems to work fine.
Well, that seems reproducible at least. But I'm again a little surprised that it happens at all, and that no one has run into it before. Alan DeKok.
Alan, I just wanted to ask if you were able to reproduce this problem. If not, I can gather my configurations and debug files to send to you. I could also bring up a test server and provide you access if that would help. Thanks, Jim L. Alan DeKok wrote:
JDL wrote:
I have found a problem when FR reads back accounting data from the listener server. It seems that the User-Name attribute is being lost under certain circumstances. My guess is that it is related to the ":=" operator that is being user since the User-Name was rewritten by the hints file prior to accounting.
The code that reads the "detail" file is the same as the code that reads the "users" file, and is used by "radclient". All of which work with "=" or ":=".
I'm a little surprised at this, and I find it a little hard to see how this can happen.
I shut down FR and modified the User-Name operator on all of the listener files to be "=" and it seems to work fine.
Well, that seems reproducible at least. But I'm again a little surprised that it happens at all, and that no one has run into it before.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 21, 2009, at 5:21 AM, tnt@kalik.net wrote:
I think I may have found a bug in rlm_perl?
No, you broke it.
#The following line cleans two of the slashes "\\" out of the user-name before we return from the #perl module. These two slashes get added in. I'm not sure how or why.
$RAD_REQUEST{'User-Name'} =~ s/^$domain\\/ $domain/;
Extra slashes are escaping slashes in the username. Leave them alone.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Ok, but if I do not filter out the extra slashes then after the perl module returns, freeradius gives the error that the User-Name field does not match the peap identity. Then it shows the User-Name with too many slashes (four slashes). If, in my perl module, I filter out two slashes then everything works fine except for usernames that begin with "t". If I just use regular usernames (without the domain name ISD\\) then the perl module works fine. Since windows XP machines send the domain with the username by default, I must find some way to cope with the slashes. My perl module is very short. If I eliminate everything but a simple return_ok I STILL get the error that the User-Name does not match the eap identity. So, if I simply enter the module and immediately return and still get an error that user-name does not match the eap identity is this still me? I always must filter out the extra slashes ONLY if the username contains a domain. Thanks! -Josh
Hi,
Ok, but if I do not filter out the extra slashes then after the perl module returns, freeradius gives the error that the User-Name field does not match the peap identity. Then it shows the User-Name with too many slashes (four slashes). If, in my perl module, I filter out two slashes then everything works fine except for usernames that begin with "t". If I just use regular usernames (without the domain name ISD\\) then the perl module works fine. Since windows XP machines send the domain with the username by default, I must find some way to cope with the slashes. My perl module is very short. If I eliminate everything but a simple return_ok I STILL get the error that the User-Name does not match the eap identity. So, if I simply enter the module and immediately return and still get an error that user-name does not match the eap identity is this still me? I always must filter out the extra slashes ONLY if the username contains a domain.
Stripped-User-Name - the code should deal with domains and stuff at the beginning and give you what you want. you can then proxy etc off that other info if you need (or use it during the NTLM stuff if you use that. alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
JDL -
Josh Hiner -
tnt@kalik.net