Problems using EAP-TLS with freeradius version 2

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu Feb 7 12:37:47 CET 2008


Stefan Puch wrote:
> @Arran Cudbard-Bell
>  > Write a regular expression to strip off the preceding \
>   
>> Here's one I did earlier.... If I remember correctly it's \\\\ to escape to
>> one \ in the username ... \\ to escape it in the RegExp string, \\ to make \
>> literal in the regular expression...
>>     
> I'm not so familiar with regular expressions, but your example works. Thank you
> very much! :-)
>
> To make the test certificate be accepted I only had to remove the leading
> "@", because the username in there is "user@example.com" and if it is stripped to only
> "user" it is not accepted by the radius server.
>   
http://www.regular-expressions.info/

This is the best reference for regular expressions. Depending on the 
libraries the servers are built against, the RegExp flavour is usually 
PCRE (Perl Compatible Regular Expressions).
> # This one works with the test certificate, too
> if ("%{User-Name}" =~ /\\\\?([^\\\\]+)@?([-[:alnum:]._]*)?$/) {
>         update request {
>                 Stripped-User-Name = "%{1}"
>         }
> }
>
>   
/ is the prefix and suffix of the regular expression string. Any 
characters after the / suffix are used as modifiers. FreeRadius only 
supports the i modifier, which makes matches case insensitive.

\\\\ resolves to a literal back-slash. Regular expressions use the \ 
char as an escape char, so it needs to be escaped with itself. FR also 
uses \ as an escape char, so it has to be escaped with itself too. Hence 
\\\\ -> \\ -> \

This regular expression was written to stop *stupid* *stupid* *stupid* 
students from breaking authentication by entering something in the 
domain field. They kept entering sussex.ac.uk and user@sussex.ac.uk in 
the User Box in the windows supplicant, which resulted in:

sussex.ac.uk\user@domain
or sussex.ac.uk\user

The regexp parses these as:

"%{1}" = user
"%{2}" = domain

or

"%{1}" = user
"%{2}" =
>> if ("%{User-Name}" =~ /\\\\?([^\\\\]+)$/) {
>>         update request {
>>                 Stripped-User-Name = "%{1}"
>>         }
>> }
>>     
If you don't need the domain information separately, the above 
expression might work better for you. The \\\\? will always try to match 
the first '\' but will actually match the last '\' because of the greedy 
capture. Then the greedy capture captures anything but '\'. It 
should also work for a straight user@domain, as the '\' prefix is 
optional.

We use the domain part of the user identifier for proxying.
> Is there anywhere a more detailed HOWTO for understanding this regular
> expression? I would like to understand "fully" what this example does...
> Probably I just have to do some "googling"
>
> Now that the test certificates are working (on Win XP AND Windows Mobile) I
> will have to investigate my old certificates again, because mine are only
> working with the Windows XP supplicant and wpa_supplicant on Linux. The Windows
> Mobile supplicant cannot use them correctly although the certificates are the
> same ones. Very strange!
> Finally I can start writing the HOWTO for Windows Mobile devices ;-)
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
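The patterns discussed in this thread, run over the four User-Name shapes Arran lists, as an added example that is not part of the original post. It undoes the FreeRADIUS config-file escaping layer, substitutes the POSIX `[:alnum:]` class (which Python's `re` lacks; ASCII letters and digits are assumed), and also tries a variant that excludes "@" from the first character class (my own variant, not on the page) to show which pattern yields the user/domain split and which keeps the whole `user@domain` in `%{1}`.

```python
import re

# Patterns exactly as written in the unlang snippets in the thread.  In the
# FreeRADIUS config file "\\\\" is read as "\\", which the regex engine then
# reads as one literal backslash.
WITH_DOMAIN = r'\\\\?([^\\\\]+)@?([-[:alnum:]._]*)?$'
NO_DOMAIN = r'\\\\?([^\\\\]+)$'
# Added variant (not from the post): "@" is excluded from the first class,
# so the user part and the domain part land in separate captures.
SPLIT_AT = r'\\\\?([^\\\\@]+)@?([-[:alnum:]._]*)$'

# Constructed sample identifiers, modelled on the shapes the post describes.
SAMPLES = ['sussex.ac.uk\\user@domain', 'sussex.ac.uk\\user', 'user@domain', 'user']


def unlang_to_python(pattern: str) -> str:
    """Strip the config-file escaping layer ("\\\\" -> "\\") and replace the
    POSIX [:alnum:] class, which Python's re module does not support."""
    return pattern.replace('\\\\', '\\').replace('[:alnum:]', 'A-Za-z0-9')


def captures(pattern: str, user_name: str):
    """Return the tuple (%{1}, %{2}, ...) as unlang would set them after =~,
    or None when the match fails.  Like =~, the search is unanchored."""
    m = re.search(unlang_to_python(pattern), user_name)
    if m is None:
        return None
    # A group that matched nothing becomes the empty string, as unlang
    # expands an unset %{n} to "".
    return tuple(m.group(i) or '' for i in range(1, m.re.groups + 1))


if __name__ == '__main__':
    for name, pattern in (('WITH_DOMAIN', WITH_DOMAIN),
                          ('NO_DOMAIN', NO_DOMAIN),
                          ('SPLIT_AT', SPLIT_AT)):
        print(f'{name}: {unlang_to_python(pattern)}')
        for sample in SAMPLES:
            print(f'  {sample!r:32} -> {captures(pattern, sample)}')
```

With the optional `@?` the greedy `[^\\]+` consumes the whole `user@domain`, so `%{1}` keeps the realm and `%{2}` is empty; only the variant that stops the first class at "@" produces the user/domain split, which matters if `Stripped-User-Name` feeds a proxy realm decision.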

