Reject user without realm

Roberto Greiner mrgreiner at gmail.com
Mon Apr 9 22:05:36 CEST 2007


Kevin Bonner wrote:
> On Monday 09 April 2007 14:32:31 Marcos Roberto Greiner wrote:
>   
>> The problem I'm having is that if a user adds no realm, only the user,
>> the server is authenticating locally. I wanted it to deny the
>> authentication. How should I proceed?
>>     
>
> A username with no realm will match the NULL realm.  You can reject NULL 
> realms with:
>
> == users ==
> DEFAULT Realm == "NULL", Auth-Type := Reject
> == users ==
>
>   
>> hints file. Added only the following entry:
>> # The following entry is to be authenticated locally
>> DEFAULT Suffix == "@domain1.com", Strip-User-Name = Yes
>>         Hint = "PPP",
>>         Service-Type = Framed-User,
>>         Framed-Protocol = PPP
>>     
>
> A realm definition for domain1.com and a small users file entry should do the 
> same thing, as long as you don't add the nostrip option for the realm.
>   
The problem here was that I couldn't find the proper entry to add to the
users file :-(
>   
>> rad_recv: Access-Request packet from host a.b.c.d:3793, id=0, length=58
>>         User-Name = "user at provider1.com"
>>         User-Password = "user"
>>   Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 0
>>   hints: Matched DEFAULT at 36
>>   modcall[authorize]: module "preprocess" returns ok for request 0
>>   modcall[authorize]: module "chap" returns noop for request 0
>>   modcall[authorize]: module "mschap" returns noop for request 0
>>     rlm_realm: No '@' in User-Name = "user", looking up realm NULL
>>     rlm_realm: No such realm "NULL"
>>     
>
> This request matches the NULL realm, which should be impossible based on your 
> configuration and the description of how the NULL realm works.  The User-Name 
> has a realm in this request, so it should match the DEFAULT realm if it is 
> defined.  Since the hints file matched at line 36 here, I assume you actually 
> configured provider1.com instead of domain1.com in your hints file.
>
> Is this assumption correct?  If not, what is in your hints file at line 36?
>
> Kevin Bonner
>   
I mistyped domain1 and provider1. The entry at line 36 is provider1. The
Hints file I wrote incorrectly in the explanation. It actually contains
provider1.

I tried to change the 'Strip-User-Name = Yes' to 'Strip-User-Name = NO'
in the Hints file, but got the problem that I didn't know what the
correct entry in the users file would be. With the change, with the
@provider1 domain, the server is replying properly, but without the
domain, the server didn't reply at all.

I then tried your suggestion of adding the 'DEFAULT Realm == "NULL",
Auth-Type := Reject' entry. Same case as above. Without a domain, the
server simply didn't answer, not even with a reject.

BUT, looking at the debug output of Radius -X I found the missing piece.
In the proxy.conf file, the NULL entry was commented out. I removed the
comments, pointed it to LOCAL, and the entry you suggested for the users
file (DEFAULT Realm == "NULL") kicked in. It's now working as desired.

Thank you for your help,

Marcos Roberto Greiner

-- 
  -----------------------------------------------------
                Marcos Roberto Greiner

   Optimists think we live in the best of all possible worlds
    Pessimists are afraid that this is true
                                       Murphy
  -----------------------------------------------------
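The configuration the thread converges on, written out as an added example (not code from the original posts or from the FreeRADIUS project). It assumes FreeRADIUS 1.x proxy.conf syntax, which is what the `realm` blocks and the 2007 date imply; the realm name provider1.com and the LOCAL target come from the thread, while the local user entry, its password and the Reply-Message text are constructed for illustration:

```text
# ---- proxy.conf (FreeRADIUS 1.x syntax) ----------------------------------
#
# The NULL realm must be defined (not commented out) before rlm_realm will
# recognise it.  A User-Name with no '@' is looked up as realm "NULL";
# with this block present, rlm_realm sets Realm = "NULL" on the request,
# which is what the users-file entry below matches on.
realm NULL {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}

# Users of provider1.com are authenticated locally.  rlm_realm strips the
# "@provider1.com" suffix itself (the default; add the "nostrip" option to
# keep it), so a plain users-file entry for "user" matches afterwards.
realm provider1.com {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
}

# ---- users ---------------------------------------------------------------
#
# Put this entry before any other DEFAULT: the users file is searched in
# order and the first matching DEFAULT without Fall-Through wins.
# Auth-Type := Reject makes the server answer with an Access-Reject.
# (Reply-Message is an optional extra, assumed here, not from the thread.)
DEFAULT	Realm == "NULL", Auth-Type := Reject
	Reply-Message = "A realm is required"

# Constructed local account, matched after rlm_realm has stripped the realm.
user	User-Password == "user"
	Service-Type = Framed-User,
	Framed-Protocol = PPP
```

Two checks before relying on it. First, drop (or leave at Strip-User-Name = No) the hints-file `DEFAULT Suffix == "@provider1.com", Strip-User-Name = Yes` entry: the debug output in the thread shows hints stripping the suffix before rlm_realm runs, so rlm_realm then sees a bare "user", looks up the NULL realm, and a provider1.com user would be rejected along with the realm-less ones. Second, run `radiusd -X` and send one request with a bare username and one with `user@provider1.com` (for example with `radtest`); the first should show the NULL realm being found followed by the `DEFAULT Realm == "NULL"` entry matching and an Access-Reject, the second should show the realm being stripped and the local entry accepting.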

More information about the Freeradius-Users mailing list