Prefix/Suffix not working (FR 2.0.5, CentOS 5, System Auth)
Steve Weaver
sweaver at inetnebr.com
Tue Aug 12 23:10:12 CEST 2008
I tried this with no change, both with using the hints file and without.
-SW
Ivan Kalik writes:
>
> You need to add User-Name := Stripped-User-Name to your users file entry
> in order to replace it with the stripped value.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 12/8/2008, "Steve Weaver" <sweaver at inetnebr.com> writes:
>
> >I'm having a strange problem I hope you can help me figure out. We're
> >finally moving from an ancient Livingston RADIUS to FreeRADIUS.
> >
> >I compiled and installed version 2.0.5 on a freshly installed CentOS 5
> >box, read all the documentation I could find, installed our old users
> >file and adapted it until it now (mostly) works correctly.
> >
> >System info:
> >
> ># radiusd -v
> >radiusd: FreeRADIUS Version 2.0.5, for host i686-redhat-linux-gnu,
> >built on Aug 5 2008 at 15:40:15
> >
> ># uname -a
> >Linux ****.*******.com 2.6.18-92.1.6.el5 #1 SMP Wed Jun 25 13:49:24 EDT
> >2008 i686 i686 i386 GNU/Linux
> >
> >The problem I'm having is that we have a lot of legacy users still
> >logging in with "Pusername" for PPP connections. I've tried to set it
> >up in both the users file and the hints file (separately) and get the
> >same result. No matter what I do, it tries to authenticate (System
> >auth type) the username "Pusername" instead of "username".
> >
> >If I add a user named "Pusername" everything works correctly. It hits
> >the right default entry and authenticates fine, so it's just not
> >stripping off the "P" when authenticating. I have also tried suffixes
> >(".ppp") to test if it was just the prefix that wasn't working. Same
> >problem.
> >
> >We're not using any realms, proxying, LDAP, SQL, etc at this time.
> >Just a very simple single RADIUS server reading from a users file and
> >authenticating against the system password file.
> >
> >I first tried to set it up in the users file. I commented out
> >everything in the hints file. Here's what the DEFAULT entry looks like
> >in the users file:
> >
> >DEFAULT Auth-Type := System, Prefix == "P"
> > User-Service-Type = Framed-User,
> > Session-Timeout = 36000,
> > Idle-Timeout = 600,
> > Port-Limit = 1,
> > Framed-Protocol = PPP,
> > Framed-Address = 255.255.255.254,
> > Framed-Netmask = 255.255.255.255,
> > Framed-Routing = None,
> > Framed-MTU = 1500,
> > Framed-Compression = Van-Jacobsen-TCP-IP
> >
> >I attempt to authenticate:
> >
> ># radtest Psweaver ******** localhost 0 testing123
> >Sending Access-Request of id 43 to 127.0.0.1 port 1645
> > User-Name = "Psweaver"
> > User-Password = "********"
> > NAS-IP-Address = 127.0.0.1
> > NAS-Port = 0
> >rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=43,
> >length=20
> >
> >Things are working otherwise; without the "P" it works fine:
> >
> ># radtest sweaver ******** localhost 0 testing123
> >Sending Access-Request of id 223 to 127.0.0.1 port 1645
> > User-Name = "sweaver"
> > User-Password = "********"
> > NAS-IP-Address = 127.0.0.1
> > NAS-Port = 0
> >rad_recv: Access-Accept packet from host 127.0.0.1 port 1645, id=223,
> >length=56
> > Session-Timeout = 36000
> > Idle-Timeout = 600
> > Port-Limit = 1
> > Service-Type = Login-User
> > Login-IP-Host = ***.***.***.***
> > Login-Service = Rlogin
> >
> >With the "P", here's the output of radiusd -X
> >
> >rad_recv: Access-Request packet from host 127.0.0.1 port 35915, id=175,
> >length=60
> > User-Name = "Psweaver"
> > User-Password = "********"
> > NAS-IP-Address = 127.0.0.1
> > NAS-Port = 0
> >+- entering group authorize
> >++[preprocess] returns ok
> > expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> >-> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
> >rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> >expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
> > expand: %t -> Tue Aug 12 10:10:44 2008
> >++[auth_log] returns ok
> >++[chap] returns noop
> >++[mschap] returns noop
> > rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> >++[suffix] returns noop
> > rlm_eap: No EAP-Message, not doing EAP
> >++[eap] returns noop
> >++[unix] returns notfound
> > users: Matched entry DEFAULT at line 3526
> >++[files] returns ok
> >++[expiration] returns noop
> >++[logintime] returns noop
> >rlm_pap: WARNING! No "known good" password found for the user.
> >Authentication may fail because of this.
> >++[pap] returns noop
> > rad_check_password: Found Auth-Type System
> >auth: type "System"
> >+- entering group authenticate
> >++[unix] returns notfound
> >auth: Failed to validate the user.
> > Found Post-Auth-Type Reject
> >+- entering group REJECT
> > expand: %{User-Name} -> Psweaver
> > attr_filter: Matched entry DEFAULT at line 11
> >++[attr_filter.access_reject] returns updated
> >Sending Access-Reject of id 175 to 127.0.0.1 port 35915
> >Finished request 2.
> >Going to the next request
> >Waking up in 4.9 seconds.
> >Cleaning up request 2 ID 175 with timestamp +1013
> >Ready to process requests.
> >
> >Note that it's matching line 3526, which is indeed the DEFAULT entry I
> >listed above.
> >
> >If I move prefix information to the hints file, I end up with this
> >in the hints file:
> >
> >DEFAULT Prefix == "P", Strip-User-Name = Yes
> > Hint = "PPP"
> >
> >and this in the users file:
> >
> >DEFAULT Auth-Type := System, Hint == "PPP"
> > User-Service-Type = Framed-User,
> > Session-Timeout = 36000,
> > Idle-Timeout = 600,
> > Port-Limit = 1,
> > Framed-Protocol = PPP,
> > Framed-Address = 255.255.255.254,
> > Framed-Netmask = 255.255.255.255,
> > Framed-Routing = None,
> > Framed-MTU = 1500,
> > Framed-Compression = Van-Jacobsen-TCP-IP
> >
> >Test fails:
> >
> ># radtest Psweaver ******** localhost 0 testing123
> >Sending Access-Request of id 161 to 127.0.0.1 port 1645
> > User-Name = "Psweaver"
> > User-Password = "********"
> > NAS-IP-Address = 127.0.0.1
> > NAS-Port = 0
> >rad_recv: Access-Reject packet from host 127.0.0.1 port 1645, id=161,
> >length=20
> >
> >radiusd -X output:
> >
> >rad_recv: Access-Request packet from host 127.0.0.1 port 35924, id=161,
> >length=60
> > User-Name = "Psweaver"
> > User-Password = "********"
> > NAS-IP-Address = 127.0.0.1
> > NAS-Port = 0
> >+- entering group authorize
> > hints: Matched DEFAULT at 65
> >++[preprocess] returns ok
> > expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> >-> /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
> >rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> >expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20080812
> > expand: %t -> Tue Aug 12 10:44:04 2008
> >++[auth_log] returns ok
> >++[chap] returns noop
> >++[mschap] returns noop
> > rlm_realm: No '@' in User-Name = "Psweaver", looking up realm NULL
> > rlm_realm: No such realm "NULL"
> >++[suffix] returns noop
> > rlm_eap: No EAP-Message, not doing EAP
> >++[eap] returns noop
> >++[unix] returns notfound
> > users: Matched entry DEFAULT at line 3526
> >++[files] returns ok
> >++[expiration] returns noop
> >++[logintime] returns noop
> >rlm_pap: WARNING! No "known good" password found for the user.
> >Authentication may fail because of this.
> >++[pap] returns noop
> > rad_check_password: Found Auth-Type System
> >auth: type "System"
> >+- entering group authenticate
> >++[unix] returns notfound
> >auth: Failed to validate the user.
> > Found Post-Auth-Type Reject
> >+- entering group REJECT
> > expand: %{User-Name} -> Psweaver
> > attr_filter: Matched entry DEFAULT at line 11
> >++[attr_filter.access_reject] returns updated
> >Sending Access-Reject of id 161 to 127.0.0.1 port 35924
> >Finished request 0.
> >Going to the next request
> >Waking up in 4.9 seconds.
> >Cleaning up request 0 ID 161 with timestamp +4
> >Ready to process requests.
> >
> >It hits line 65 in the hints file (my "P" entry), and line 3526 in the
> >users file (my "PPP" entry). When using the hints file, it even logs
> >this to the detail file showing that it's been stripped:
> >
> >Tue Aug 12 10:44:04 2008
> > Packet-Type = Access-Request
> > User-Name = "Psweaver"
> > NAS-IP-Address = 127.0.0.1
> > NAS-Port = 0
> > Stripped-User-Name = "sweaver"
> > Hint = "PPP"
> >
> >Either way, everything works if I add a Psweaver entry to the password
> >file, and not if I don't.
> >
> >I'm out of ideas. Anyone have any I can borrow? :)
> >
> >TIA,
> >SW
> >--
> >Steven Weaver sweaver at inebraska.com
> >IT Director (402) 434-8680 x101
> >Internet Nebraska http://www.inebraska.com/
> >-
> >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> >
>
>
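To make the two-stage matching discussed in this thread visible, here is an added toy model of hints/users file processing in Python; it is an illustration written for this page, not FreeRADIUS (rlm_preprocess/rlm_files) code. It assumes Prefix/Suffix stripping is on unless Strip-User-Name = No, that `==` check items compare against the request, that `:=` check items become control items, and it uses the thread's own entries as constructed input.

```python
import re

# Toy model of FreeRADIUS "users"/"hints" file matching (illustration only, not
# the server's code). Assumptions: Prefix/Suffix strip unless "Strip-User-Name = No"
# is present; "==" items compare against the request; ":=" items (Auth-Type) are
# control items rather than request attributes.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)\s*')

def parse_items(text):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    items = []
    for part in text.rstrip(", \t").split(","):
        m = ITEM_RE.fullmatch(part)
        if not m:
            raise ValueError("bad item: %r" % part)
        attr, op, val = m.groups()
        items.append((attr, op, val.strip('"')))
    return items

def parse_entries(text):
    """Unindented lines start an entry (name + check items); indented lines hold reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1]["reply"] += parse_items(line)
        else:
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "check": parse_items(rest), "reply": []})
    return entries

def match(entries, request):
    """Apply the first matching entry; return (request, control, reply) dicts."""
    for e in entries:
        req, control = dict(request), {}
        name = req["User-Name"]
        if e["name"] not in ("DEFAULT", name):
            continue
        strip = not any(a == "Strip-User-Name" and v.lower() == "no" for a, _, v in e["check"])
        ok = True
        for attr, op, val in e["check"]:
            if attr == "Prefix":                      # stripped name goes to Stripped-User-Name;
                ok = ok and name.startswith(val)      # User-Name itself is left untouched
                if ok and strip: req["Stripped-User-Name"] = name[len(val):]
            elif attr == "Suffix":
                ok = ok and name.endswith(val)
                if ok and strip: req["Stripped-User-Name"] = name[:len(name) - len(val)]
            elif op == ":=":
                control[attr] = val
            elif op == "==":
                ok = ok and req.get(attr) == val
        if ok:
            return req, control, {a: v for a, _, v in e["reply"]}
    return dict(request), {}, {}

def authorize(hints_text, users_text, request):
    """Hints first (its items land in the request, e.g. Hint = "PPP"), then the users file."""
    req, _, added = match(parse_entries(hints_text), request)
    req.update(added)
    return match(parse_entries(users_text), req)
```

Run on the thread's entries with User-Name = "Psweaver", it yields Stripped-User-Name = "sweaver" and Hint = "PPP" while User-Name stays "Psweaver", which is exactly what the detail file in the thread records, and why a backend that consults User-Name still looks up the unstripped name.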