Freeradius LDAP weird login issue

Alan DeKok aland at deployingradius.com
Wed May 20 12:01:01 CEST 2009


cktan wrote:
> Hi all,
> 
> I have been using FreeRADIUS+LDAP for PPPoE dialup access control for a
> while. Lately I noticed a weird issue whereby a user logs in with the
> username "user=5C=5C=5C=5Cuser at domain" and surprisingly FreeRADIUS
> allows the login, although the actual username should be "user at domain".

  FreeRADIUS receives the User-Name that the NAS sends it, and asks LDAP
if it's OK.

> I've run radius in -X mode and captured the log for your reference as
> below. In radiusd -X, we noticed the server received an Access-Request with
> username "user=5C=5C=5C=5Cuser at domain", but when it reaches radius_xlat
> the uid becomes "user" only, and when it queries my LDAP the account
> for "user" is available and it accepts the access request.

  The "radius_xlat" doesn't delete '=5C' from the User-Name.

> The question is why "user=5C=5C=5C=5Cuser" = "user"?

  If the User-Name is that in the Access-Request, it's because that's
what the user typed.  The usual reason for the user typing this is
because they are trying to cheat you.

> We tried the username
> with xC (i.e. 1C, 2C, 3C and so on...) and all are able to log in because
> radius takes it as user at domain.

   I'm not sure I agree.

> After login, the username in radacct
> becomes "user=5C=5C=5C=5Cuser at domain" instead of "user at domain". As
> a consequence, a smart user may have multiple logins (by using
> user=1C/2C/3C....), the records in radacct are different, and therefore
> we have no control over multiple logins with a single account. Any idea
> how to fix this?

  Which version of FreeRADIUS are you running?  I suspect that it's
older than 1.1.7, which means it's a bug that was fixed *many* years ago.

  Upgrade to 2.1.6, and the problem will go away.

  Alan DeKok.
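The reply above does not say what the pre-1.1.7 bug was, and the example below does not reconstruct it. It is an added illustration, not code from the thread or from FreeRADIUS, of the property a User-Name to LDAP lookup has to have for the scenario in the question not to work: the raw User-Name is realm-stripped, then RFC 4515-escaped before it is interpolated into the "(uid=...)" filter, so a name containing backslashes or wildcards can only ever match an account spelled exactly that way. The in-memory directory, the entries "user" and "admin", the simplified realm stripping (last "@" only) and the minimal filter evaluator are all constructed for the example; a real server is the authority on filter syntax.

```python
import re

# Constructed stand-in for the LDAP directory (not a real server). Assumption:
# the login name lives in the uid attribute, as in the thread's "(uid=...)" lookup.
DIRECTORY = [
    {"dn": "uid=user,ou=people,dc=example,dc=com", "uid": "user"},
    {"dn": "uid=admin,ou=people,dc=example,dc=com", "uid": "admin"},
]

_FILTER_SPECIAL = "\\*()\x00"


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515: '\\', '*', '(', ')' and NUL become \\XX."""
    return "".join("\\%02x" % ord(c) if c in _FILTER_SPECIAL else c for c in value)


def strip_realm(user_name):
    """Split 'user@realm' into (user, realm) the way a realm module would.
    Simplification (assumption): split on the last '@' only; no '@' means no realm."""
    if "@" in user_name:
        name, _, realm = user_name.rpartition("@")
        return name, realm
    return user_name, None


def build_uid_filter(user_name, escape=True):
    """Build the '(uid=...)' search filter for a RADIUS User-Name.
    escape=False reproduces naive string interpolation, for comparison only."""
    stripped, _realm = strip_realm(user_name)
    return "(uid=%s)" % (escape_filter_value(stripped) if escape else stripped)


_ASSERTION = re.compile(r"^\(uid=(.*)\)$", re.S)
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def _assertion_to_regex(value):
    """Turn an RFC 4515 assertion value into a regex: \\XX decodes to one literal
    character, an unescaped '*' is a wildcard, and any other unescaped '\\' is a
    malformed filter (a conforming server rejects it instead of guessing)."""
    parts = []
    i = 0
    while i < len(value):
        m = _HEX_ESCAPE.match(value, i)
        if m:
            parts.append(re.escape(chr(int(m.group(1), 16))))
            i = m.end()
        elif value[i] == "\\":
            raise ValueError("malformed filter: bare backslash in %r" % value)
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.S)


def search(ldap_filter, directory=DIRECTORY):
    """Evaluate a single '(uid=...)' filter against the directory; return matching uids."""
    m = _ASSERTION.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    pattern = _assertion_to_regex(m.group(1))
    return [entry["uid"] for entry in directory if pattern.match(entry["uid"])]


def authorize(user_name, escape=True):
    """Return the canonical uid(s) the directory matches for this User-Name.
    Session accounting and simultaneous-use checks should key on this value,
    not on the raw User-Name the NAS sent."""
    return search(build_uid_filter(user_name, escape))


if __name__ == "__main__":
    # The four-backslash name from the thread, written as a Python literal.
    odd_name = "user\\\\\\\\user@domain"
    print(build_uid_filter("user@domain"), "->", authorize("user@domain"))
    print(build_uid_filter(odd_name), "->", authorize(odd_name))
    print(build_uid_filter("*"), "->", authorize("*"))
    print("(uid=*) unescaped ->", authorize("*", escape=False))
```

Run as a script it prints the escaped filter for each name next to what the directory returns for it. With escaping on, "user@domain" resolves to "user", the backslash-laden name resolves to nothing, and a bare "*" matches nothing; with escaping off, "*" matches every account, and the backslash-laden name produces a filter with bare backslashes that the evaluator rejects as malformed. The practical follow-up to the radacct part of the question is the last function: if accounting and simultaneous-use logic key on the uid (or DN) the directory returned rather than on the raw User-Name, then however many spellings of one account a subscriber tries, they all collapse into one identity.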
