FreeRADIUS 2.0.4, Prefix/Suffix
Hi, I installed FreeRADIUS version 2.0.4 on Debian Lenny from the standard package repositories and setup a simple configuration just authenticating against the users file to test this Prefix/Suffix stuff which I’ll need later in production. It doesn’t matter if I define Prefix or Suffix, they never match – either in the hints nor in the users file. Here’s one of the users file I tried: ----------------- /etc/freeradius/users ----------------- DEFAULT Prefix == "P" Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Prefix == "C" Service-Type = Framed-User, Framed-Protocol = SLIP "Cpeter" Cleartext-Password := "secret1" "Pjason" Cleartext-Password := "secret2" --------------------------------------------------------- Possibly a bug? Thanks for your help… Robert
Robert Borz wrote:
I installed FreeRADIUS version 2.0.4 on Debian Lenny from the standard package repositories and setup a simple configuration just authenticating against the users file to test this Prefix/Suffix stuff which I’ll need later in production.
It doesn’t matter if I define Prefix or Suffix, they never match – either in the hints nor in the users file. Here’s one of the users file I tried:
This was fixed in 2.1.0, I think. Try upgrading to the latest available version. Alan DeKok.
Thanks for the hint. Ok, so I grabbed the latest sources from freeradius.org, build a deb package and installed it via dpkg: # freeradius -v freeradius: FreeRADIUS Version 2.1.3, for host x86_64-pc-linux-gnu, built on Dec 27 2008 at 09:11:29 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. Looks good. But I still can't get this Prefix/Suffix stuff to work. My users get authenticated when sending authentication requests with usernames "Pjason" or "Cpeter" using NTRadPing Test Utility, but the attributes defined by the DEFAULT entries in the users file which should match the hints from the hints file doesn't get applied. Now I stripped my configuration for only what is necessary (still doesn't work): ----- radiusd.conf ----- prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius db_dir = $(raddbdir) libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid checkrad = ${sbindir}/checkrad user = freerad group = freerad listen { type = auth ipaddr = * } $INCLUDE clients.conf modules { preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users } pap { } } authorize { preprocess files pap } authenticate { Auth-Type PAP { pap } } ------------------------ ----- hints ------------ DEFAULT Prefix == "P", Strip-User-Name = Yes Hint = "PHint", Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Prefix == "C", Strip-User-Name = Yes Hint = "CHint", Service-Type = Framed-User, Framed-Protocol = SLIP ------------------------ ----- users ------------ DEFAULT Hint == "PHint" Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Hint == "CHint" Service-Type = Framed-User, Framed-Protocol = SLIP "Cpeter" Cleartext-Password := "secret1" "Pjason" Cleartext-Password := "secret2" ------------------------ Thanks, Robert. -----Original Message----- From: freeradius-users-bounces+robert.borz=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+robert.borz=web.de@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Saturday, December 27, 2008 8:50 AM To: FreeRadius users mailing list Subject: Re: FreeRADIUS 2.0.4, Prefix/Suffix Robert Borz wrote:
I installed FreeRADIUS version 2.0.4 on Debian Lenny from the standard package repositories and setup a simple configuration just authenticating against the users file to test this Prefix/Suffix stuff which I’ll need later in production.
It doesn’t matter if I define Prefix or Suffix, they never match – either in the hints nor in the users file. Here’s one of the users file I tried:
This was fixed in 2.1.0, I think. Try upgrading to the latest available version. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Allright, I think I missed something. Restarting with the default configuration and just altering the users and hints file I get the desired behaviour as follows (shortened): rad_recv: Access-Request packet from host ... port 2263, id=53, length=46 User-Name = "Speter" User-Password = "secret1" +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 4 ++[preprocess] returns ok ... [files] users: Matched entry DEFAULT at line 1 [files] expand: %{Stripped-User-Name} -> peter [files] users: Matched entry peter at line 14 ++[files] returns ok ... +- entering group PAP {...} [pap] login attempt with password "secret1" [pap] Using clear text password "secret1" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 53 to ... port 2263 Framed-Protocol = SLIP User-Name = "peter" Finished request 0. I also tried going back to version 2.0.4 with the same (working) configuration and the Prefix/Suffix stuff gets matched in the hints file, the logs tell me: +- entering group authorize hints: Matched DEFAULT at 1 expand: %{Stripped-User-Name} -> peter ++[preprocess] returns ok In the users file, I substitute User-Name by %{Stripped-User-Name}, but this seems not to work with version 2.0.4, although reading the logs I expect it should work: ++[unix] returns notfound users: Matched entry DEFAULT at line 7 expand: %{Stripped-User-Name} -> peter users: Matched entry Ppeter at line 15 ++[files] returns ok For reference, here are my hints and users files contents: ----- hints ------------ DEFAULT Prefix == "P", Strip-User-Name = Yes Hint = "PPP" DEFAULT Prefix == "S", Strip-User-Name = Yes Hint = "SLIP" ------------------------ ----- users ------------ DEFAULT Hint == "SLIP" Framed-Protocol = SLIP, User-Name = "%{Stripped-User-Name}", Fall-Through = Yes DEFAULT Hint == "PPP" Framed-Protocol = PPP, User-Name = "%{Stripped-User-Name}", Fall-Through = Yes "peter" Cleartext-Password := "secret1" ------------------------ Any idea what's the problem with version 2.0.4 ? Thanks for your help... Robert. -----Original Message----- From: freeradius-users-bounces+robert.borz=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+robert.borz=web.de@lists.freeradius.org] On Behalf Of Robert Borz Sent: Saturday, December 27, 2008 10:17 AM To: 'FreeRadius users mailing list' Subject: RE: FreeRADIUS 2.0.4, Prefix/Suffix Thanks for the hint. Ok, so I grabbed the latest sources from freeradius.org, build a deb package and installed it via dpkg: # freeradius -v freeradius: FreeRADIUS Version 2.1.3, for host x86_64-pc-linux-gnu, built on Dec 27 2008 at 09:11:29 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. Looks good. But I still can't get this Prefix/Suffix stuff to work. My users get authenticated when sending authentication requests with usernames "Pjason" or "Cpeter" using NTRadPing Test Utility, but the attributes defined by the DEFAULT entries in the users file which should match the hints from the hints file doesn't get applied. Now I stripped my configuration for only what is necessary (still doesn't work): ----- radiusd.conf ----- prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/freeradius db_dir = $(raddbdir) libdir = /usr/lib/freeradius pidfile = ${run_dir}/freeradius.pid checkrad = ${sbindir}/checkrad user = freerad group = freerad listen { type = auth ipaddr = * } $INCLUDE clients.conf modules { preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users } pap { } } authorize { preprocess files pap } authenticate { Auth-Type PAP { pap } } ------------------------ ----- hints ------------ DEFAULT Prefix == "P", Strip-User-Name = Yes Hint = "PHint", Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Prefix == "C", Strip-User-Name = Yes Hint = "CHint", Service-Type = Framed-User, Framed-Protocol = SLIP ------------------------ ----- users ------------ DEFAULT Hint == "PHint" Service-Type = Framed-User, Framed-Protocol = PPP DEFAULT Hint == "CHint" Service-Type = Framed-User, Framed-Protocol = SLIP "Cpeter" Cleartext-Password := "secret1" "Pjason" Cleartext-Password := "secret2" ------------------------ Thanks, Robert. -----Original Message----- From: freeradius-users-bounces+robert.borz=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+robert.borz=web.de@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Saturday, December 27, 2008 8:50 AM To: FreeRadius users mailing list Subject: Re: FreeRADIUS 2.0.4, Prefix/Suffix Robert Borz wrote:
I installed FreeRADIUS version 2.0.4 on Debian Lenny from the standard package repositories and setup a simple configuration just authenticating against the users file to test this Prefix/Suffix stuff which I’ll need later in production.
It doesn’t matter if I define Prefix or Suffix, they never match – either in the hints nor in the users file. Here’s one of the users file I tried:
This was fixed in 2.1.0, I think. Try upgrading to the latest available version. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You're right, it is fixed in the current version, but there's one thing I still don't understand. Comparing the debug output... --- FreeRADIUS v2.0.4 --- rad_recv: Access-Request packet from host 84.154.9.221 port 3402, id=32, length=46 User-Name = "Speter" User-Password = "secret1" +- entering group authorize hints: Matched DEFAULT at 1 ++[preprocess] returns ok ++[mschap] returns noop expand: %{Stripped-User-Name} -> peter ++[files] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ... --- FreeRADIUS v2.1.3 --- rad_recv: Access-Request packet from host 84.154.9.221 port 3395, id=31, length=46 User-Name = "Speter" User-Password = "secret1" +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 1 ++[preprocess] returns ok ++[mschap] returns noop [files] expand: %{Stripped-User-Name} -> peter [files] users: Matched entry peter at line 14 ++[files] returns ok ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "secret1" [pap] Using clear text password "secret1" [pap] User authenticated successfully ++[pap] returns ok ... ...it seems to me that if in the hints file Strip-User-Name is set ("yes"), in the authorize section Stripped-User-Name (if exists) will be used instead of User-Name to lookup the user. So it isn't necessary to add a statement like 'User-Name = "%{Stripped-User-Name}"' in the users or hints file to overwrite User-Name attribute supplied in the Request?
Yes. Stripped-User-Name wasn't created. And as Alan pointed out - it was fixed in later release.
Stripped-User-Name is created in both versions. If I include 'User-Name = "%{Stripped-User-Name}"' on the reply, the stripped user name (without prefix or suffix) is returned to the client. Just to make sure we're talking about the same bug... So, if User-Name and Stripped-User-Name exists, it isn't obvious to me, that Stripped-User-Name is used instead of User-Name to look up the users credentials. Is this the wanted behaviour? Nearby, for defining and matching the "Hints" value, could there be used any string or is there some convention to only use values defined in the dictionary? Thanks for your time... Robert. -----Original Message----- From: freeradius-users-bounces+robert.borz=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+robert.borz=web.de@lists.freeradius.org] On Behalf Of tnt@kalik.net Sent: Saturday, December 27, 2008 12:19 PM To: FreeRadius users mailing list Subject: RE: FreeRADIUS 2.0.4, Prefix/Suffix
Any idea what's the problem with version 2.0.4 ?
Yes. Stripped-User-Name wasn't created. And as Alan pointed out - it was fixed in later release. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Robert Borz wrote:
You're right, it is fixed in the current version, but there's one thing I still don't understand. Comparing the debug output...
--- FreeRADIUS v2.0.4 --- rad_recv: Access-Request packet from host 84.154.9.221 port 3402, id=32, length=46 User-Name = "Speter" User-Password = "secret1" +- entering group authorize hints: Matched DEFAULT at 1
The prefix/suffix stripping doesn't work in 2.0.4.
++[preprocess] returns ok ++[mschap] returns noop expand: %{Stripped-User-Name} -> peter ++[files] returns noop
Because that version has a bug.
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ...
--- FreeRADIUS v2.1.3 --- rad_recv: Access-Request packet from host 84.154.9.221 port 3395, id=31, length=46 User-Name = "Speter" User-Password = "secret1" +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 1 ++[preprocess] returns ok ++[mschap] returns noop [files] expand: %{Stripped-User-Name} -> peter [files] users: Matched entry peter at line 14
Because the stripped user name does exist.
...it seems to me that if in the hints file Strip-User-Name is set ("yes"), in the authorize section Stripped-User-Name (if exists) will be used instead of User-Name to lookup the user. So it isn't necessary to add a statement like 'User-Name = "%{Stripped-User-Name}"' in the users or hints file to overwrite User-Name attribute supplied in the Request?
Just... stop. You've been told that 2.0.4 has the bug, and 2.1.3 doesn't. The debug output you've posted shows this. If you really know the in-depth explanation as to what the bug was, what side-effects it had, and how it was fixed, go read the source code.
Yes. Stripped-User-Name wasn't created. And as Alan pointed out - it was fixed in later release.
Stripped-User-Name is created in both versions. If I include 'User-Name = "%{Stripped-User-Name}"' on the reply, the stripped user name (without prefix or suffix) is returned to the client. Just to make sure we're talking about the same bug...
So, if User-Name and Stripped-User-Name exists, it isn't obvious to me, that Stripped-User-Name is used instead of User-Name to look up the users credentials. Is this the wanted behaviour?
Yes. Alan DeKok.
Alan, please excuse my foolery. I just had a look at the changelog and into the source of the preprocessor and files module, but because I'm currently not in, I'm doing hard. ;-) If it's the wanted behaviour that %{Stripped-User-Name} is used over %{User-Name} to lookup users that's everything I need to know, yet. I assume this behaviour is different depending on the modules used for authorization and their configuration. That's it I wanted to know. I'm not just a user, I'm a developer too and so I'll try to get a better understanding about what's happening behind the scenes. But currently I'm really new to RADIUS and FreeRADIUS in special... So long, Robert. -----Original Message----- From: freeradius-users-bounces+robert.borz=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+robert.borz=web.de@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Saturday, December 27, 2008 2:50 PM To: FreeRadius users mailing list Subject: Re: FreeRADIUS 2.0.4, Prefix/Suffix Robert Borz wrote:
You're right, it is fixed in the current version, but there's one thing I still don't understand. Comparing the debug output...
--- FreeRADIUS v2.0.4 --- rad_recv: Access-Request packet from host 84.154.9.221 port 3402, id=32, length=46 User-Name = "Speter" User-Password = "secret1" +- entering group authorize hints: Matched DEFAULT at 1
The prefix/suffix stripping doesn't work in 2.0.4.
++[preprocess] returns ok ++[mschap] returns noop expand: %{Stripped-User-Name} -> peter ++[files] returns noop
Because that version has a bug.
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ...
--- FreeRADIUS v2.1.3 --- rad_recv: Access-Request packet from host 84.154.9.221 port 3395, id=31, length=46 User-Name = "Speter" User-Password = "secret1" +- entering group authorize {...} [preprocess] hints: Matched DEFAULT at 1 ++[preprocess] returns ok ++[mschap] returns noop [files] expand: %{Stripped-User-Name} -> peter [files] users: Matched entry peter at line 14
Because the stripped user name does exist.
...it seems to me that if in the hints file Strip-User-Name is set ("yes"), in the authorize section Stripped-User-Name (if exists) will be used instead of User-Name to lookup the user. So it isn't necessary to add a statement like 'User-Name = "%{Stripped-User-Name}"' in the users or hints file to overwrite User-Name attribute supplied in the Request?
Just... stop. You've been told that 2.0.4 has the bug, and 2.1.3 doesn't. The debug output you've posted shows this. If you really know the in-depth explanation as to what the bug was, what side-effects it had, and how it was fixed, go read the source code.
Yes. Stripped-User-Name wasn't created. And as Alan pointed out - it was fixed in later release.
Stripped-User-Name is created in both versions. If I include 'User-Name = "%{Stripped-User-Name}"' on the reply, the stripped user name (without prefix or suffix) is returned to the client. Just to make sure we're talking about the same bug...
So, if User-Name and Stripped-User-Name exists, it isn't obvious to me, that Stripped-User-Name is used instead of User-Name to look up the users credentials. Is this the wanted behaviour?
Yes. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Robert Borz wrote:
Alan,
please excuse my foolery. I just had a look at the changelog and into the source of the preprocessor and files module, but because I'm currently not in, I'm doing hard. ;-)
If it's the wanted behaviour that %{Stripped-User-Name} is used over %{User-Name} to lookup users that's everything I need to know, yet. I assume this behaviour is different depending on the modules used for authorization and their configuration. That's it I wanted to know.
Yes. Otherwise, you would have to list "bob", and "Pbob", and "Sbob", etc.
I'm not just a user, I'm a developer too and so I'll try to get a better understanding about what's happening behind the scenes. But currently I'm really new to RADIUS and FreeRADIUS in special...
That's OK. Alan DeKok.
participants (3)
-
Alan DeKok -
Robert Borz -
tnt@kalik.net