Hello everybody, I'm doing some tests with wpa_supplicant(freebsd) + aironet 1252 + freeradius2.1.6 (freebsd portage). And I have a mystery I can not explain. I test 2 user with a domain. This is my configuration files for wpa_supplicant. They have just their first user letter mismatching. USER_TEST ========== network={ ssid="test_wifi" scan_ssid=1 key_mgmt=WPA-EAP eap=PEAP identity="DOMAIN\test" password="test" } USER_NEST ========== network={ ssid="test_wifi" scan_ssid=1 key_mgmt=WPA-EAP eap=PEAP identity="DOMAIN\nest" password="test" } And this is the access and accounting request for both of them : USER_TEST ACCESS-REQ ===================== rad_recv: Access-Request packet from host 192.168.9.30 port 1645, id=232, length=231 User-Name = "DOMAIN\\test" Framed-MTU = 1400 ... USER_TEST ACCOUNT-REQ ====================== rad_recv: Accounting-Request packet from host 192.168.9.30 port 1646, id=144, length=229 Acct-Session-Id = "000002F0" Called-Station-Id = "00-24-97-B6-86-40" Calling-Station-Id = "00-19-5B-35-D0-96" Cisco-AVPair = "ssid=test_wifi" Cisco-AVPair = "vlan-id=568" Cisco-AVPair = "nas-location=unspecified" User-Name = "DOMAIN\\test" ... USER_NEST ACCESS-REQ ===================== rad_recv: Access-Request packet from host 192.168.9.30 port 1645, id=222, length=231 User-Name = "DOMAIN\\nest" Framed-MTU = 1400 ... USER_NEST ACCOUNT-REQ ====================== rad_recv: Accounting-Request packet from host 192.168.9.30 port 1646, id=146, length=233 Acct-Session-Id = "000002F2" Called-Station-Id = "00-24-97-B6-86-40" Calling-Station-Id = "00-19-5B-35-D0-96" Cisco-AVPair = "ssid=test_wifi" Cisco-AVPair = "vlan-id=14" Cisco-AVPair = "nas-location=unspecified" User-Name = "DOMAIN\nest" ... The mystery is why there is two backslash for each "User-Name" excepted in the accounting request ? (I ask, because it does the mess in my sql base for accounting). Thanks for reading, G.
Stun Box wrote:
The mystery is why there is two backslash for each "User-Name" excepted in the accounting request ? (I ask, because it does the mess in my sql base for accounting).
Because the server understands \t, ", and \n in strings. For this to work, it has to treat the backslash character as special. Alan DeKok.
but the server does the escaping stuff for \t in the access and accounting packets received, and for the \n only for access and *not* for accounting. Is that a bug or I misconfigured something ? Thanks for reading, G. 2009/8/14 Alan DeKok <aland@deployingradius.com>:
Stun Box wrote:
The mystery is why there is two backslash for each "User-Name" excepted in the accounting request ? (I ask, because it does the mess in my sql base for accounting).
Because the server understands \t, ", and \n in strings. For this to work, it has to treat the backslash character as special.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Stun Box wrote:
but the server does the escaping stuff for \t in the access and accounting packets received, and for the \n only for access and *not* for accounting.
Huh? The same code is run in both cases. There is no magic "string handling for accounting" versus "string handling for authentication". It's all the same code path. Alan DeKok.
So, why do I get that behaviour ? May it come from my configuration files ?? Thanks for reading, G. 2009/8/15 Alan DeKok <aland@deployingradius.com>:
Stun Box wrote:
but the server does the escaping stuff for \t in the access and accounting packets received, and for the \n only for access and *not* for accounting.
Huh? The same code is run in both cases. There is no magic "string handling for accounting" versus "string handling for authentication".
It's all the same code path.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok, I got a hint. I was mistaken, it was doing the mess for '\n' and for '\t' also in accounting but I find from where it comes. In my default/post-auth I had : update reply{ Tunnel-Type = 13 Tunnel-Medium-Type = 6 # I use the real ID for setting the vlan number (I set ''use_tunneled_reply'' to yes in eap.conf/tls/peap) Tunnel-Private-Group-Id = `/usr/local/etc/raddb/getVlan "%{reply:User-Name}"` # I hide the inner User-name by putting the user-name of the outside. User-Name := "%{request:User-Name}" } And the user-name of the accounting seems to come from the last User-Name defined in authentication. But it seems to not escape the User-Name. So when I last defined User-Name with 'DOMAIN\test' (thanks to ''%{request:User-Name}" ), it sends to accounting : 'DOMAIN est'.... So, I put User-Name := "%{request:Stripped-User-Name}" and it's ok now... But I still have a problem... the accounting is done with the outside user-name... how could it be done with the inside user-name ? Thanks for reading, G.
participants (2)
-
Alan DeKok -
Stun Box