FreeRADIUS 2.0.4, Prefix/Suffix

Robert Borz robert.borz at web.de
Sat Dec 27 14:35:35 CET 2008


You're right, it is fixed in the current version, but there's one thing I still don't understand. Comparing the debug output...

--- FreeRADIUS v2.0.4 ---
rad_recv: Access-Request packet from host 84.154.9.221 port 3402, id=32, length=46
        User-Name = "Speter"
        User-Password = "secret1"
+- entering group authorize
  hints: Matched DEFAULT at 1
++[preprocess] returns ok
++[mschap] returns noop
        expand: %{Stripped-User-Name} -> peter
++[files] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
...

--- FreeRADIUS v2.1.3 ---
rad_recv: Access-Request packet from host 84.154.9.221 port 3395, id=31, length=46
        User-Name = "Speter"
        User-Password = "secret1"
+- entering group authorize {...}
[preprocess]   hints: Matched DEFAULT at 1
++[preprocess] returns ok
++[mschap] returns noop
[files]         expand: %{Stripped-User-Name} -> peter
[files] users: Matched entry peter at line 14
++[files] returns ok
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "secret1"
[pap] Using clear text password "secret1"
[pap] User authenticated successfully
++[pap] returns ok
...

...it seems to me that if Strip-User-Name is set ("yes") in the hints file, then in the authorize section Stripped-User-Name (if it exists) will be used instead of User-Name to look up the user. So it isn't necessary to add a statement like 'User-Name = "%{Stripped-User-Name}"' in the users or hints file to overwrite the User-Name attribute supplied in the Request?

> Yes. Stripped-User-Name wasn't created. And as Alan pointed out - it was
> fixed in a later release.

Stripped-User-Name is created in both versions. If I include 'User-Name = "%{Stripped-User-Name}"' on the reply, the stripped user name (without prefix or suffix) is returned to the client. Just to make sure we're talking about the same bug...

So, if User-Name and Stripped-User-Name both exist, it isn't obvious to me that Stripped-User-Name is used instead of User-Name to look up the user's credentials. Is this the wanted behaviour?

By the way, for defining and matching the "Hints" value, can any string be used, or is there some convention to only use values defined in the dictionary?


Thanks for your time...

Robert.


-----Original Message-----
From: freeradius-users-bounces+robert.borz=web.de at lists.freeradius.org [mailto:freeradius-users-bounces+robert.borz=web.de at lists.freeradius.org] On Behalf Of tnt at kalik.net
Sent: Saturday, December 27, 2008 12:19 PM
To: FreeRadius users mailing list
Subject: RE: FreeRADIUS 2.0.4, Prefix/Suffix

> Any idea what's the problem with version 2.0.4?

Yes. Stripped-User-Name wasn't created. And as Alan pointed out - it was
fixed in a later release.

Ivan Kalik
Kalik Informatika ISP
