back-slash in username that making escape character issue
Hello, The story: I got an issue for escaping character issue when back-slash is in username. Recently, my company has introduced Azure MFA. On Microsoft RD Gateway, it sends radius auth to Microsoft NPS server in order to integrate to the Azure MFA authentication workflow. Everything works fine; however, NPS did not support account bypassing. Meaning, all radius auth requests sent to the NPS server will be enforced to use MFA. So we need to put a radius proxy in-between RD gateway and NPS to filter/redirect the radius auth requests for these special accounts. We plan to use freeradius as radius proxy for this purpose. The flow is RD client --> RD gateway --radius auth request --> freeradius --proxy to--> NPS. On the freeradius, normal accounts will be proxied to the NPS server and special accounts will be proxied to another radius server. The whole workflow looks good and only issue is the escaping characters (\n, \r, and \t). The username sent by RD Gateway server is DomainA\\username format The issue: for account without escape characters, it works fine as follows. ----------------------------------- Ready to process requests (0) Received Access-Request Id 3 from 10.88.18.245:56346 to 10.88.18.212:1812 length 153 (0) Service-Type = Sip-session (0) User-Name = "domainA\\eric" (0) Called-Station-Id = "UserAuthType:PW" (0) MS-Network-Access-Server-Type = Terminal-Server-Gateway (0) NAS-Port-Type = Virtual (0) Proxy-State = 0xfe800000000000003558d7bb169c1a1f0000001e (0) Message-Authenticator = 0xf2ac68355d495175cda15b87b7157ed5 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) ntdomain: Checking for prefix before "\" (0) ntdomain: Looking up realm "domainA" for User-Name = "domainA\eric" (0) ntdomain: Found realm "domainA" (0) ntdomain: Adding Realm = "domainA" (0) ntdomain: Proxying request from user domainA\eric to realm domainA (0) ntdomain: Preparing to proxy authentication request to realm "domainA" ----------------------------------- but accounts starting with r, t and n will encounter escape character issue ----------------------------------- Ready to process requests (0) Received Access-Request Id 3 from 10.88.18.245:56346 to 10.88.18.212:1812 length 153 (0) Service-Type = Sip-session (0) User-Name = "domainA\tee" (0) Called-Station-Id = "UserAuthType:PW" (0) MS-Network-Access-Server-Type = Terminal-Server-Gateway (0) NAS-Port-Type = Virtual (0) Proxy-State = 0xfe800000000000003558d7bb169c1a1f0000001e (0) Message-Authenticator = 0xf2ac68355d495175cda15b87b7157ed5 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) ntdomain: Checking for prefix before "\" (0) ntdomain: No '\' in User-Name = "domainA ee", looking up realm NULL (0) ntdomain: Found realm "NULL" (0) ntdomain: Adding Realm = "NULL" (0) ntdomain: Proxying request from user domainA ee to realm NULL (0) ntdomain: Preparing to proxy authentication request to realm "NULL" (0) [ntdomain] = updated ----------------------------------- my freeradius version radiusd: FreeRADIUS Version 3.0.26, for host x86_64-pc-linux-gnu, built on Jan 4 2023 at 03:23:09 I had done my google search and found only one similar case https://lists.freeradius.org/pipermail/freeradius-users/2017-February/086635... I also tried different config/tests on freeradius, but no luck. Is there a way to not escaping characters in user-name on freeradius? in my tests, there are two solutions on Windows side 1. ask all users to use UPN name instead of Domain\username to login. This will have a major impact to users as it will change user behavior globally. Not a good option, 2. on RD Gateway server, add filters to radius auth requests for t, n and r accounts, for example, search (.*)\\(t.*) replace $1\$2 this solution will need to be applied to 30+ RD Gateway servers managed by different teams/admins across global. I am seeking if there is a more simple solution on freeradius. Can someone help? Regards, Eric
On Jan 2, 2024, at 3:26 AM, Eric Lin <pirate585@gmail.com> wrote:
On the freeradius, normal accounts will be proxied to the NPS server and special accounts will be proxied to another radius server. The whole workflow looks good and only issue is the escaping characters (\n, \r, and \t). The username sent by RD Gateway server is DomainA\\username format
The issue: for account without escape characters, it works fine as follows. ----------------------------------- Ready to process requests (0) Received Access-Request Id 3 from 10.88.18.245:56346 to 10.88.18.212:1812 length 153 (0) Service-Type = Sip-session (0) User-Name = "domainA\\eric"
This User-Name has a backslash in it.
but accounts starting with r, t and n will encounter escape character issue ----------------------------------- Ready to process requests (0) Received Access-Request Id 3 from 10.88.18.245:56346 to 10.88.18.212:1812 length 153 (0) Service-Type = Sip-session (0) User-Name = "domainA\tee"
This User-Name does not have a backslash in it. It has a literal tab character (0x09) If that User-Name has a backslash in it, you would see it printed as: ... User-Name = "domainA\\tee"
(0) ntdomain: Checking for prefix before "\" (0) ntdomain: No '\' in User-Name = "domainA ee", looking up realm NULL
See that space after "domainA"? That's a literal tab character. The ntdomain module looks for the backslash by looking for the exact character. If it says there's no backslash in the string, then there's no backslash in the string,
I had done my google search and found only one similar case https://lists.freeradius.org/pipermail/freeradius-users/2017-February/086635... I also tried different config/tests on freeradius, but no luck.
Try using wireshark to see the raw RADIUS packets. The first one will have a backslash. The second one will have a literal tab (0x09).
Is there a way to not escaping characters in user-name on freeradius?
It's not a FreeRADIUS issue. The client is sending a tab character instead of a literal \ followed by a "t"
I am seeking if there is a more simple solution on freeradius. Can someone help?
Fix the client so that it actually sends a backslash and then "t" instead of a tab character. I'd suggest looking at the raw RADIUS packets using Wireshark. Do this at every RADIUS server / proxy. For proxies, look at both input packets and output packets. This will let you know exactly where the User-Name is coming from. Is the bad User-Name coming from the client? In which case you have to fix the client. Or is the client creating the correct User-Name, and then a proxy is mashing "\t" into tab? FreeRADIUS handles backslashes, and "\t" correctly. It doesn't mangle "\t" --> tab when it receives a User-Name. It doesn't modify the User-Name unless you tell it to. FreeRADIUS is just telling you what the problem is. The cause of the problem is somewhere else. Alan DeKok.
Hi Alan, Thanks for the reply and helpful information. After further in-depth investigation, we had found the root cause. The user name sent by RD gateway server is good. It sends username in Domain\\UserName format. The problem is our filter setting. The problematic filters are update request { User-Name := "%{tolower:%{User-Name}}" } if (&User-Name !~ /@/) { update request { User-Name := "%{User-Name}@UPN_domain" } } The first tolower function had changed user-name from domain\\test_acct to domain\test_acct the second filter had changed user-name from domain\test_acct to domain est_acct The problem is fixed by replacing the filters by if ((&User-Name !~ /@/) && (&User-Name !~ /(.+)\\(.+)/)) { update request { User-Name := "%{User-Name}@UPN_domain" } } thanks again and appreciate your help Regards, Eric On Tue, Jan 2, 2024 at 9:58 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 2, 2024, at 3:26 AM, Eric Lin <pirate585@gmail.com> wrote:
On the freeradius, normal accounts will be proxied to the NPS server and special accounts will be proxied to another radius server. The whole workflow looks good and only issue is the escaping characters (\n, \r, and \t). The username sent by RD Gateway server is DomainA\\username format
The issue: for account without escape characters, it works fine as follows. ----------------------------------- Ready to process requests (0) Received Access-Request Id 3 from 10.88.18.245:56346 to 10.88.18.212:1812 length 153 (0) Service-Type = Sip-session (0) User-Name = "domainA\\eric"
This User-Name has a backslash in it.
but accounts starting with r, t and n will encounter escape character issue ----------------------------------- Ready to process requests (0) Received Access-Request Id 3 from 10.88.18.245:56346 to 10.88.18.212:1812 length 153 (0) Service-Type = Sip-session (0) User-Name = "domainA\tee"
This User-Name does not have a backslash in it. It has a literal tab character (0x09)
If that User-Name has a backslash in it, you would see it printed as:
... User-Name = "domainA\\tee"
(0) ntdomain: Checking for prefix before "\" (0) ntdomain: No '\' in User-Name = "domainA ee", looking up realm NULL
See that space after "domainA"? That's a literal tab character.
The ntdomain module looks for the backslash by looking for the exact character. If it says there's no backslash in the string, then there's no backslash in the string,
I had done my google search and found only one similar case https://lists.freeradius.org/pipermail/freeradius-users/2017-February/086635... I also tried different config/tests on freeradius, but no luck.
Try using wireshark to see the raw RADIUS packets. The first one will have a backslash. The second one will have a literal tab (0x09).
Is there a way to not escaping characters in user-name on freeradius?
It's not a FreeRADIUS issue. The client is sending a tab character instead of a literal \ followed by a "t"
I am seeking if there is a more simple solution on freeradius. Can someone help?
Fix the client so that it actually sends a backslash and then "t" instead of a tab character.
I'd suggest looking at the raw RADIUS packets using Wireshark. Do this at every RADIUS server / proxy. For proxies, look at both input packets and output packets.
This will let you know exactly where the User-Name is coming from. Is the bad User-Name coming from the client? In which case you have to fix the client.
Or is the client creating the correct User-Name, and then a proxy is mashing "\t" into tab?
FreeRADIUS handles backslashes, and "\t" correctly. It doesn't mangle "\t" --> tab when it receives a User-Name. It doesn't modify the User-Name unless you tell it to.
FreeRADIUS is just telling you what the problem is. The cause of the problem is somewhere else.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Eric Lin