Freeradius LDAP weird login issue
Alan DeKok
aland at deployingradius.com
Wed May 20 12:01:01 CEST 2009
cktan wrote:
> Hi all,
>
> I'm using freeradius+LDAP for the PPPoE dialup access control for a
> while. Lately I noticed there is weird issue whereby an user login with
> username as "user=5C=5C=5C=5Cuser at domain" and surprisingly freeradius
> allow it to login although the actual username should be "user at domain".
FreeRADIUS receives the User-Name that the NAS sends it, and ask LDAP
if it's OK.
> I've run radius in -X mode and capture the log for your reference as
> below. In radiusd -X, we noticed server received Access-Request with
> username "user=5C=5C=5C=5Cuser at domain" but when reach to radius_xlat,
> the uid will become "user" only and when it query my LDAP the account
> for "user" is available and it will accept the access request.
The "radius_xlat" doesn't delete '=5C' from the User-Name.
> The question is why "user=5C=5C=5C=5Cuser" = "user"?
If the User-Name is that in the Access-Request, it's because that's
what the user typed. The usual reason for the user typing this is
because that are trying to cheat you.
> We try the username
> with xC (i.e. 1C, 2C, 3C and so on...) and all are able to login because
> radius will take as user at domain.
I'm not sure I agree.
> After login, the username in radacct
> will become "user=5C=5C=5C=5Cuser at domain" instead of "user at domain". As
> the consequence, the smart user may have multiple logins (by using
> user=1C/2C/3C....) and the records in radacct is different and therefore
> we will out of control for multiple login with single account. Any idea
> to fix this?
Which version of FreeRADIUS are you running? I suspect that it's
older than 1.1.7, which means it's a bug that was fixed *many* years ago.
Upgrade to 2.1.6, and the problem will go away.
Alan DeKok.
More information about the Freeradius-Users
mailing list