Freeradius LDAP weird login issue
Hi all, I'm using freeradius+LDAP for the PPPoE dialup access control for a while. Lately I noticed there is weird issue whereby an user login with username as "user=5C=5C=5C=5Cuser@domain" and surprisingly freeradius allow it to login although the actual username should be "user@domain". I've run radius in -X mode and capture the log for your reference as below. In radiusd -X, we noticed server received Access-Request with username "user=5C=5C=5C=5Cuser@domain" but when reach to radius_xlat, the uid will become "user" only and when it query my LDAP the account for "user" is available and it will accept the access request. The question is why "user=5C=5C=5C=5Cuser" = "user"? We try the username with xC (i.e. 1C, 2C, 3C and so on...) and all are able to login because radius will take as user@domain. After login, the username in radacct will become "user=5C=5C=5C=5Cuser@domain" instead of "user@domain". As the consequence, the smart user may have multiple logins (by using user=1C/2C/3C....) and the records in radacct is different and therefore we will out of control for multiple login with single account. Any idea to fix this? rad_recv: Access-Request packet from host 127.0.0.1:32877, id=87, length=93 User-Name = *"user=5C=5C=5C=5Cuser@domain"* User-Password = "password" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rlm_ldap: performing user authorization for *user=5c=5c=5c=5cuser* radius_xlat: * '(uid=user)'* Regards -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
cktan wrote:
Hi all,
I'm using freeradius+LDAP for the PPPoE dialup access control for a while. Lately I noticed there is weird issue whereby an user login with username as "user=5C=5C=5C=5Cuser@domain" and surprisingly freeradius allow it to login although the actual username should be "user@domain".
FreeRADIUS receives the User-Name that the NAS sends it, and ask LDAP if it's OK.
I've run radius in -X mode and capture the log for your reference as below. In radiusd -X, we noticed server received Access-Request with username "user=5C=5C=5C=5Cuser@domain" but when reach to radius_xlat, the uid will become "user" only and when it query my LDAP the account for "user" is available and it will accept the access request.
The "radius_xlat" doesn't delete '=5C' from the User-Name.
The question is why "user=5C=5C=5C=5Cuser" = "user"?
If the User-Name is that in the Access-Request, it's because that's what the user typed. The usual reason for the user typing this is because that are trying to cheat you.
We try the username with xC (i.e. 1C, 2C, 3C and so on...) and all are able to login because radius will take as user@domain.
I'm not sure I agree.
After login, the username in radacct will become "user=5C=5C=5C=5Cuser@domain" instead of "user@domain". As the consequence, the smart user may have multiple logins (by using user=1C/2C/3C....) and the records in radacct is different and therefore we will out of control for multiple login with single account. Any idea to fix this?
Which version of FreeRADIUS are you running? I suspect that it's older than 1.1.7, which means it's a bug that was fixed *many* years ago. Upgrade to 2.1.6, and the problem will go away. Alan DeKok.
Dear Alan, The freeradius version is Version 1.0.1. I will try to upgrade to the latest version to see whether it fix. Thank for your suggestion. Regards Alan DeKok wrote:
cktan wrote:
Hi all,
I'm using freeradius+LDAP for the PPPoE dialup access control for a while. Lately I noticed there is weird issue whereby an user login with username as "user=5C=5C=5C=5Cuser@domain" and surprisingly freeradius allow it to login although the actual username should be "user@domain".
FreeRADIUS receives the User-Name that the NAS sends it, and ask LDAP if it's OK.
I've run radius in -X mode and capture the log for your reference as below. In radiusd -X, we noticed server received Access-Request with username "user=5C=5C=5C=5Cuser@domain" but when reach to radius_xlat, the uid will become "user" only and when it query my LDAP the account for "user" is available and it will accept the access request.
The "radius_xlat" doesn't delete '=5C' from the User-Name.
The question is why "user=5C=5C=5C=5Cuser" = "user"?
If the User-Name is that in the Access-Request, it's because that's what the user typed. The usual reason for the user typing this is because that are trying to cheat you.
We try the username with xC (i.e. 1C, 2C, 3C and so on...) and all are able to login because radius will take as user@domain.
I'm not sure I agree.
After login, the username in radacct will become "user=5C=5C=5C=5Cuser@domain" instead of "user@domain". As the consequence, the smart user may have multiple logins (by using user=1C/2C/3C....) and the records in radacct is different and therefore we will out of control for multiple login with single account. Any idea to fix this?
Which version of FreeRADIUS are you running? I suspect that it's older than 1.1.7, which means it's a bug that was fixed *many* years ago.
Upgrade to 2.1.6, and the problem will go away.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Hi Alan, Previously the freeradius was installed using yum (Centos 4.0) and I'm just make a yum search for freeradius and no new update is available. If I'm going to get the latest RPM and install manually, will the currently configuration is able to work with the latest freeradius? I'm a bit worry to upgrade the RPM on the fly as this server currently is on production. Looking for your advice in this matter. Regards cktan wrote:
Dear Alan,
The freeradius version is Version 1.0.1. I will try to upgrade to the latest version to see whether it fix. Thank for your suggestion.
Regards
Alan DeKok wrote:
cktan wrote:
Hi all,
I'm using freeradius+LDAP for the PPPoE dialup access control for a while. Lately I noticed there is weird issue whereby an user login with username as "user=5C=5C=5C=5Cuser@domain" and surprisingly freeradius allow it to login although the actual username should be "user@domain".
FreeRADIUS receives the User-Name that the NAS sends it, and ask LDAP if it's OK.
I've run radius in -X mode and capture the log for your reference as below. In radiusd -X, we noticed server received Access-Request with username "user=5C=5C=5C=5Cuser@domain" but when reach to radius_xlat, the uid will become "user" only and when it query my LDAP the account for "user" is available and it will accept the access request.
The "radius_xlat" doesn't delete '=5C' from the User-Name.
The question is why "user=5C=5C=5C=5Cuser" = "user"?
If the User-Name is that in the Access-Request, it's because that's what the user typed. The usual reason for the user typing this is because that are trying to cheat you.
We try the username with xC (i.e. 1C, 2C, 3C and so on...) and all are able to login because radius will take as user@domain.
I'm not sure I agree.
After login, the username in radacct will become "user=5C=5C=5C=5Cuser@domain" instead of "user@domain". As the consequence, the smart user may have multiple logins (by using user=1C/2C/3C....) and the records in radacct is different and therefore we will out of control for multiple login with single account. Any idea to fix this?
Which version of FreeRADIUS are you running? I suspect that it's older than 1.1.7, which means it's a bug that was fixed *many* years ago.
Upgrade to 2.1.6, and the problem will go away.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- This message has been scanned for viruses and dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is believed to be clean. ------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
cktan wrote:
Previously the freeradius was installed using yum (Centos 4.0) and I'm just make a yum search for freeradius and no new update is available. If I'm going to get the latest RPM and install manually, will the currently configuration is able to work with the latest freeradius? I'm a bit worry to upgrade the RPM on the fly as this server currently is on production. Looking for your advice in this matter.
You will need to upgrade your configuration manually, and test it before making it live. Alan DeKok.
Dear Alan, Tested with radius 2.1.1, the bug was fixed. Thanks. Alan DeKok wrote:
cktan wrote:
Previously the freeradius was installed using yum (Centos 4.0) and I'm just make a yum search for freeradius and no new update is available. If I'm going to get the latest RPM and install manually, will the currently configuration is able to work with the latest freeradius? I'm a bit worry to upgrade the RPM on the fly as this server currently is on production. Looking for your advice in this matter.
You will need to upgrade your configuration manually, and test it before making it live.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
participants (2)
-
Alan DeKok -
cktan