Upgrading from 1.0.2 to 2.0.0 problems
William
azander at netonecom.net
Wed Jan 16 23:27:58 CET 2008
On Wednesday 16 January 2008 16:58:09 Alan DeKok wrote:
> William wrote:
> > The situation is that we have a lot of legacy users who only enter a
> > username, without realm information, and passwords for their connections.
> > Those work fine. When newer users enter username at realm for their
> > password I need to strip off the realm, and authenticate that user.
>
> In 2.0, add the following to proxy.conf:
>
> realm example.com {
> }
>
> Once that's done, the default configuration in 2.0 will treat
> "user at example.com" the same as "user". See the debug output, where it
> shows it stripping the realm.
>
> > Our old system used the strip directive to do this. I cannot figure out
> > how 2.0 does this. The problem becomes that if they put a different
> > realm on the username, we will need to either proxy it (later
> > configuration issue, not for now) or reject it.
>
That causes anyone using username at realm.com to fail, yet if they just use
username it works. (Debug output below)
rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=35,
length=62
User-Name = "test"
User-Password = "mytest4"
NAS-IP-Address = 127.0.0.2
NAS-Port = 0
Framed-Protocol = PPP
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: %{Stripped-User-Name:-%{User-Name}} -> test
users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "mytest4"
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [test/mytest4] (from client flyer port 0)
Sending Access-Accept of id 35 to 192.168.1.64 port 32775
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
Waking up in 0.9 seconds.
Waking up in 4.0 seconds.
Cleaning up request 0 ID 35 with timestamp +7
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=43,
length=76
User-Name = "test at netonecom.net"
User-Password = "mytest4"
NAS-IP-Address = 127.0.0.2
NAS-Port = 0
Framed-Protocol = PPP
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
rlm_realm: Looking up realm "netonecom.net" for User-Name
= "test at netonecom.net"
rlm_realm: Found realm "netonecom.net"
rlm_realm: Adding Stripped-User-Name = "test"
rlm_realm: Proxying request from user test to realm netonecom.net
rlm_realm: Adding Realm = "netonecom.net"
rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: %{Stripped-User-Name:-%{User-Name}} -> test
users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication
may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
auth: Failed to validate the user.
Login incorrect: [test at netonecom.net/mytest4] (from client flyer port 0)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> test at netonecom.net
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 43 to 192.168.1.64 port 32775
Waking up in 4.9 seconds.
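To see where the two requests in the debug output above diverge, the module return codes in the authorize group can be compared side by side. This is an added example, not part of the original post or of FreeRADIUS; the function names are hypothetical, and the sample is abridged from the output above.

```python
import re
# Abridged from the debug output in the post above (the archive shows "@" as " at ").
SAMPLE = '''\
rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=35,
User-Name = "test"
+- entering group authorize
++[unix] returns updated
++[suffix] returns noop
++[pap] returns updated
+- entering group PAP
++[pap] returns ok
Sending Access-Accept of id 35 to 192.168.1.64 port 32775
rad_recv: Access-Request packet from host 192.168.1.64 port 32775, id=43,
User-Name = "test at netonecom.net"
+- entering group authorize
++[unix] returns notfound
++[suffix] returns noop
++[pap] returns noop
Sending Access-Reject of id 43 to 192.168.1.64 port 32775
'''

USER = re.compile(r'\s*User-Name = "(.*)"')
GROUP = re.compile(r'\s*\+- entering group (\S+)')
MODULE = re.compile(r'\s*\+\+\[(\S+?)\] returns (\w+)')
RESULT = re.compile(r'\s*Sending (Access-\w+) of id')

def parse_requests(text):
    """Split radiusd debug output into requests, keeping authorize-group results."""
    requests, cur, group = [], None, None
    for line in text.splitlines():
        if line.startswith('rad_recv:'):
            cur, group = {'user': None, 'authorize': {}, 'result': None}, None
            requests.append(cur)
        elif cur is None:          # server start-up lines before the first packet
            continue
        elif (m := USER.match(line)) and cur['user'] is None:
            cur['user'] = m.group(1)
        elif m := GROUP.match(line):
            group = m.group(1)     # later groups (PAP, REJECT) are not recorded
        elif (m := MODULE.match(line)) and group == 'authorize':
            cur['authorize'][m.group(1)] = m.group(2)
        elif m := RESULT.match(line):
            cur['result'] = m.group(1)
    return requests

def authorize_diff(a, b):
    """Modules whose authorize return code differs between two requests."""
    return {m: (rc, b['authorize'].get(m)) for m, rc in a['authorize'].items()
            if b['authorize'].get(m) != rc}
```

On the two requests above, `authorize_diff` reports `unix` (updated vs. notfound) and `pap` (updated vs. noop), while `suffix` returns noop in both.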