Proxy Question
Reynold McGuire
rmcguire at suffolk.edu
Mon Apr 24 14:18:22 CEST 2006
It gets to the pre-proxy, adds the domain after the user name, but doesn't
strip out the 'DOMAIN\\\\'
Do you see any evidence that the 'ntdomain' is actually doing anything? I
don't see much of anything except the one line 'modcall[authorize]: module
"ntdomain" returns updated for request 0'
Any other ideas Phil / Group?
Thanks,
-Reynold
---CUT---
--- Walking the entire request list ---
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
Waking up in 5 seconds...
Threads: total/active/spare threads = 5/1/4
User-Name = "adm.suffolk.edu\\rmcguire"
NAS-IP-Address = 172.16.73.1
NAS-Port = 2
Framed-MTU = 1400
Called-Station-Id = "00:04:96:28:fe:08"
Calling-Station-Id = "00:90:96:b0:a4:45"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "WM1000"
EAP-Message =
0x0200001d0161646d2e737566666f6c6b2e6564755c726d636775697265
Message-Authenticator = 0x5110bd2828db2b4dfc020776f8d17989
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "adm.suffolk.edu\rmcguire", skipping
NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: Looking up realm "adm.suffolk.edu" for User-Name =
"adm.suffolk.edu\rmcguire"
rlm_realm: Found realm "adm.suffolk.edu"
rlm_realm: Proxying request from user rmcguire to realm adm.suffolk.edu
rlm_realm: Adding Realm = "adm.suffolk.edu"
rlm_realm: Preparing to proxy authentication request to realm
"adm.suffolk.edu"
modcall[authorize]: module "ntdomain" returns updated for request 0
rlm_eap: Request is supposed to be proxied to Realm adm.suffolk.edu. Not
doing EAP.
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 0
preproxy_users: Matched entry DEFAULT at line 18
radius_xlat: 'adm.suffolk.edu\\rmcguire at adm.suffolk.edu'
modcall[pre-proxy]: module "files" returns ok for request 0
modcall: leaving group pre-proxy (returns ok) for request 0
Sending Access-Request of id 0 to 10.18.1.37 port 1812
User-Name := "adm.suffolk.edu\\\\rmcguire at adm.suffolk.edu"
NAS-IP-Address = 172.16.73.1
NAS-Port = 2
Framed-MTU = 1400
Called-Station-Id = "00:04:96:28:fe:08"
Calling-Station-Id = "00:90:96:b0:a4:45"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "WM1000"
EAP-Message =
0x0200001d0161646d2e737566666f6c6b2e6564755c726d636775697265
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x313330
Thread 1 waiting to be assigned a request
rad_recv: Access-Reject packet from host 10.18.1.37:1812, id=0, length=25
--- Walking the entire request list ---
Thread 2 got semaphore
Thread 2 handling request 0, (1 handled so far)
Waking up in 5 seconds...
Proxy-State = 0x313330
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 0
modcall[post-proxy]: module "eap" returns noop for request 0
modcall: leaving group post-proxy (returns noop) for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 2 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.8.1.254:32933, id=130,
length=165
--- Walking the entire request list ---
Thread 3 got semaphore
Thread 3 handling request 1, (1 handled so far)
Waking up in 5 seconds...
User-Name = "adm.suffolk.edu\\rmcguire"
NAS-IP-Address = 172.16.73.1
NAS-Port = 2
Framed-MTU = 1400
Called-Station-Id = "00:04:96:28:fe:08"
Calling-Station-Id = "00:90:96:b0:a4:45"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "WM1000"
EAP-Message =
0x0200001d0161646d2e737566666f6c6b2e6564755c726d636775697265
Message-Authenticator = 0x65a0798a34907e0f9887a10acdd53806
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "adm.suffolk.edu\rmcguire", skipping
NULL due to config.
modcall[authorize]: module "suffix" returns noop for request 1
rlm_realm: Looking up realm "adm.suffolk.edu" for User-Name =
"adm.suffolk.edu\rmcguire"
rlm_realm: Found realm "adm.suffolk.edu"
rlm_realm: Proxying request from user rmcguire to realm adm.suffolk.edu
rlm_realm: Adding Realm = "adm.suffolk.edu"
rlm_realm: Preparing to proxy authentication request to realm
"adm.suffolk.edu"
modcall[authorize]: module "ntdomain" returns updated for request 1
rlm_eap: Request is supposed to be proxied to Realm adm.suffolk.edu. Not
doing EAP.
modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 153
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 1
preproxy_users: Matched entry DEFAULT at line 18
radius_xlat: 'adm.suffolk.edu\\rmcguire at adm.suffolk.edu'
modcall[pre-proxy]: module "files" returns ok for request 1
modcall: leaving group pre-proxy (returns ok) for request 1
Sending Access-Request of id 1 to 10.18.1.37 port 1812
User-Name := "adm.suffolk.edu\\\\rmcguire at adm.suffolk.edu"
NAS-IP-Address = 172.16.73.1
NAS-Port = 2
Framed-MTU = 1400
Called-Station-Id = "00:04:96:28:fe:08"
Calling-Station-Id = "00:90:96:b0:a4:45"
NAS-Port-Type = Wireless-802.11
NAS-Identifier = "WM1000"
EAP-Message =
0x0200001d0161646d2e737566666f6c6b2e6564755c726d636775697265
Message-Authenticator = 0x00000000000000000000000000000000
Proxy-State = 0x313330
Thread 3 waiting to be assigned a request
rad_recv: Access-Reject packet from host 10.18.1.37:1812, id=1, length=25
Waking up in 5 seconds...
Thread 4 got semaphore
Thread 4 handling request 1, (1 handled so far)
Proxy-State = 0x313330
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 1
modcall[post-proxy]: module "eap" returns noop for request 1
modcall: leaving group post-proxy (returns noop) for request 1
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Thread 4 waiting to be assigned a request
--- Walking the entire request list ---
Sending Access-Reject of id 130 to 10.8.1.254 port 32933
Waking up in 1 seconds...
Threads: total/active/spare threads = 5/0/5
--- Walking the entire request list ---
---CUT---
--
=----------------------------------------=
Reynold McGuire
Network Coordinator
Suffolk University, Network Services Group
Phone: 617.994.4277
Fax: 617.573.8747
=----------------------------------------=
PGP Public Key:
http://www.suffolk.edu/nsg/pgp/
echo "send pgp key" | mail rmcguire at suffolk.edu
=----------------------------------------=
PGP Fingerprint:
5779 6011 FAC8 91EE FD93 B408 1296 F6FF CD7E
-----Original Message-----
From: freeradius-users-bounces+rmcguire=suffolk.edu at lists.freeradius.org
[mailto:freeradius-users-bounces+rmcguire=suffolk.edu at lists.freeradius.org]
On Behalf Of Phil Mayers
Sent: Friday, April 21, 2006 4:11 PM
To: FreeRadius users mailing list
Subject: Re: Proxy Question
Reynold McGuire wrote:
> Thanks for the reply.
>
> I forgot to mention that I had 'ntdomain' added to the authorize stanza.
>
> The request is getting to my IAS server, but IAS doesn't understand
> "DOMAIN\username" it does, at least in my implementation, understand
> "username at domain"...
>
Gah. Shudder.
> Is there a way to get "DOMAIN\username" converted to "username at domain"?
You could try this in /etc/raddb/preproxy_users
DEFAULT
    User-Name := `%{Stripped-User-Name:-%{User-Name}}@%{Realm}`
Be sure to add the "files" module to the "pre-proxy" section in radiusd.conf
like so:
pre-proxy {
    files
}
Seems to work here for me, with the exception that requests matching the
DEFAULT realm e.g. "foo\username" are sent as "username at DEFAULT" instead of
"username at foo". Annoying, but not an issue if you're explicitly spelling out
your realms.
>
> This is also using the radtest program with the following input:
>
> ./radtest "adm.suffolk.edu\\\\rmcguire" "password" 127.0.0.1 20 secret
>
>
> Here is radiusd -X
>
> root at ACAD1:5:./radiusd -X
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /apps/renn/freeRadius/etc/raddb/proxy.conf
> Config: including file: /apps/renn/freeRadius/etc/raddb/clients.conf
> Config: including file: /apps/renn/freeRadius/etc/raddb/snmp.conf
> Config: including file: /apps/renn/freeRadius/etc/raddb/eap.conf
> Config: including file: /apps/renn/freeRadius/etc/raddb/sql.conf
> main: prefix = "/apps/renn/freeRadius"
> main: localstatedir = "/apps/renn/freeRadius/var"
> main: logdir = "/apps/renn/freeRadius/var/log/radius"
> main: libdir = "/apps/renn/freeRadius/lib"
> main: radacctdir = "/apps/renn/freeRadius/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/apps/renn/freeRadius/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/apps/renn/freeRadius/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/apps/renn/freeRadius/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /apps/renn/freeRadius/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/apps/renn/freeRadius/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = yes
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file =
> "/apps/renn/freeRadius/etc/raddb/certs/cert-srv.pem"
> tls: certificate_file =
> "/apps/renn/freeRadius/etc/raddb/certs/cert-srv.pem"
> tls: CA_file = "/apps/renn/freeRadius/etc/raddb/certs/root.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/apps/renn/freeRadius/etc/raddb/certs/dh"
> tls: random_file = "/apps/renn/freeRadius/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: Loaded and initialized type tls
> ttls: default_eap_type = "mschapv2"
> ttls: copy_request_to_tunnel = no
> ttls: use_tunneled_reply = yes
> rlm_eap: Loaded and initialized type ttls
> peap: default_eap_type = "mschapv2"
> peap: copy_request_to_tunnel = no
> peap: use_tunneled_reply = no
> peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/apps/renn/freeRadius/etc/raddb/huntgroups"
> preprocess: hints = "/apps/renn/freeRadius/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = yes
> Module: Instantiated realm (suffix)
> realm: format = "prefix"
> realm: delimiter = "\"
> realm: ignore_default = no
> realm: ignore_null = yes
> Module: Instantiated realm (ntdomain)
> Module: Loaded files
> files: usersfile = "/apps/renn/freeRadius/etc/raddb/users"
> files: acctusersfile = "/apps/renn/freeRadius/etc/raddb/acct_users"
> files: preproxy_usersfile =
> "/apps/renn/freeRadius/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
> Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile =
> "/apps/renn/freeRadius/var/log/radius/radacct/%{Client-IP-Address}/det
> ail-%Y
> %m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/apps/renn/freeRadius/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1645
> Listening on accounting *:1646
> Listening on proxy *:1647
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:34507, id=40, length=76
> User-Name = "adm.suffolk.edu\\rmcguire"
> User-Password = "password"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 20
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "adm.suffolk.edu\rmcguire",
> skipping NULL due to config.
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_realm: Looking up realm "adm.suffolk.edu" for User-Name =
> "adm.suffolk.edu\rmcguire"
> rlm_realm: Found realm "adm.suffolk.edu"
> rlm_realm: Proxying request from user rmcguire to realm adm.suffolk.edu
> rlm_realm: Adding Realm = "adm.suffolk.edu"
> rlm_realm: Preparing to proxy authentication request to realm
> "adm.suffolk.edu"
> modcall[authorize]: module "ntdomain" returns updated for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 153
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
> Sending Access-Request of id 0 to 10.18.1.37 port 1812
> User-Name = "adm.suffolk.edu\\rmcguire"
> User-Password = "t<W at mcore~!"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 20
> Proxy-State = 0x3430
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Reject packet from host 10.18.1.37:1812, id=0, length=24
> Proxy-State = 0x3430
> Processing the post-proxy section of radiusd.conf
> modcall: entering group post-proxy for request 0
> modcall[post-proxy]: module "eap" returns noop for request 0
> modcall: leaving group post-proxy (returns noop) for request 0
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 127.0.0.1:34507, id=40, length=76
> Sending Access-Reject of id 40 to 127.0.0.1 port 34507
> --- Walking the entire request list ---
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 40 with timestamp 4448d631
> Nothing to do. Sleeping until we see a request.
> -----Original Message-----
> From: Bjørn Mork [mailto:bjorn at mork.no]
> Sent: Friday, April 21, 2006 8:42 AM
> To: rmcguire at suffolk.edu
> Cc: FreeRadius users mailing list
> Subject: Re: Proxy Question
>
> "Reynold McGuire" <rmcguire at suffolk.edu> writes:
>
>> How can I get freeRadius to see "domain.com\username" and convert
>> that to "username at domain.com" and proxy that off?
>
> If you need both styles:
>
> modules {
>     ..
>     realm suffix {
>         format = suffix
>         delimiter = "@"
>         ignore_default = no
>         ignore_null = yes
>     }
>     realm ntdomain {
>         format = prefix
>         delimiter = "\\"
>         ignore_default = no
>         ignore_null = yes
>     }
>     ..
> }
>
> authorize {
>     ..
>     suffix
>     ntdomain
>     ..
> }
>
> Please run radiusd -X if this doesn't work,
>
>
>
> Bjørn
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
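An added example, not part of the thread and not FreeRADIUS code: a small Python model of the User-Name rewriting that Bjørn's two realm instances (suffix and ntdomain) and Phil's preproxy_users entry perform, run over the names seen in this thread. It assumes a plain set of realm names in place of proxy.conf and a strip flag in place of a realm's strip/nostrip setting; the module names, attribute names and the xlat are the ones quoted above, and the rule that the second realm instance is skipped once the first has found a realm is a simplification of the model. It shows why the %{Stripped-User-Name:-%{User-Name}} fallback reproduces the 'DOMAIN\user@DOMAIN' form Reynold is seeing whenever Stripped-User-Name is absent from the request, and the 'username@DEFAULT' case Phil mentions.

```python
# Added example (not from the thread, not FreeRADIUS code): a model of how the
# realm modules and the preproxy_users entry above rewrite User-Name.
# Assumptions: known_realms is a plain set standing in for proxy.conf, and the
# strip flag stands in for the realm's strip/nostrip setting.

# The two rlm_realm instances from the "modules" section quoted above, in the
# order the "authorize" section runs them.
REALM_MODULES = [
    {"name": "suffix", "format": "suffix", "delimiter": "@",
     "ignore_default": False, "ignore_null": True},
    {"name": "ntdomain", "format": "prefix", "delimiter": "\\",
     "ignore_default": False, "ignore_null": True},
]


def split_realm(user_name, fmt, delimiter):
    """Split User-Name: 'prefix' cuts at the first delimiter (realm\\user),
    'suffix' cuts at the last one (user@realm).
    Returns (user, realm); realm is None when the delimiter is absent."""
    if fmt == "prefix":
        realm, sep, user = user_name.partition(delimiter)
    else:
        user, sep, realm = user_name.rpartition(delimiter)
    if not sep:
        return user_name, None
    return user, realm


def run_realm_module(request, module, known_realms, strip):
    """One realm instance in authorize; returns the module's rcode."""
    user, realm = split_realm(request["User-Name"], module["format"],
                              module["delimiter"])
    if realm is None:
        # "No '@' in User-Name ..., skipping NULL due to config."
        if module["ignore_null"]:
            return "noop"
        realm, user = "NULL", request["User-Name"]
    if realm in known_realms:
        matched = realm
    elif "DEFAULT" in known_realms and not module["ignore_default"]:
        matched = "DEFAULT"          # the fallback Phil warns about
    else:
        return "noop"
    request["Realm"] = matched
    request["Proxy-To-Realm"] = matched
    if strip:                        # only set when the realm strips names
        request["Stripped-User-Name"] = user
    return "updated"


def authorize(user_name, known_realms, strip=True):
    """Run 'suffix' then 'ntdomain'; model assumption: stop after the first
    instance that finds a realm."""
    request = {"User-Name": user_name}
    for module in REALM_MODULES:
        if run_realm_module(request, module, known_realms, strip) == "updated":
            break
    return request


def preproxy_user_name(request):
    """The preproxy_users xlat: %{Stripped-User-Name:-%{User-Name}}@%{Realm}.
    ':-' falls back to User-Name when Stripped-User-Name is absent, which is
    how 'DOMAIN\\user@DOMAIN' ends up in the proxied Access-Request."""
    if "Realm" not in request:
        return request["User-Name"]  # not proxied, so pre-proxy never runs
    name = request.get("Stripped-User-Name", request["User-Name"])
    return f"{name}@{request['Realm']}"


def proxied_name(user_name, known_realms, strip=True):
    """User-Name as it would be sent to the home server."""
    return preproxy_user_name(authorize(user_name, known_realms, strip))


if __name__ == "__main__":
    realms = {"adm.suffolk.edu"}                      # constructed sample
    print(proxied_name("adm.suffolk.edu\\rmcguire", realms))
    # -> rmcguire@adm.suffolk.edu
    print(proxied_name("adm.suffolk.edu\\rmcguire", realms, strip=False))
    # -> adm.suffolk.edu\rmcguire@adm.suffolk.edu  (what the thread's log shows)
    print(proxied_name("foo\\user", realms | {"DEFAULT"}))
    # -> user@DEFAULT  (Phil's caveat)
    print(proxied_name("rmcguire@adm.suffolk.edu", realms))
    # -> rmcguire@adm.suffolk.edu
```

The second case is the one to check against a real server: if the proxied User-Name still carries the backslash form, the realm found in authorize did not add Stripped-User-Name, so the xlat fell back to the full User-Name.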