Freeradius LDAP weird login issue

cktan cktan at ocesb.com.my
Wed May 20 12:19:38 CEST 2009


Dear Alan,

The freeradius version is Version 1.0.1. I will try to upgrade to the 
latest version to see whether that fixes it. Thanks for your suggestion.

Regards

Alan DeKok wrote:
> cktan wrote:
>   
>> Hi all,
>>
>> I've been using freeradius+LDAP for the PPPoE dialup access control for a
>> while. Lately I noticed there is a weird issue whereby a user logs in with
>> username as "user=5C=5C=5C=5Cuser at domain" and surprisingly freeradius
>> allows it to log in although the actual username should be "user at domain".
>>     
>
>   FreeRADIUS receives the User-Name that the NAS sends it, and asks LDAP
> if it's OK.
>
>   
>> I've run radius in -X mode and captured the log for your reference as
>> below. In radiusd -X, we noticed the server received an Access-Request with
>> username "user=5C=5C=5C=5Cuser at domain" but when it reaches radius_xlat,
>> the uid becomes "user" only and when it queries my LDAP the account
>> for "user" is available and it accepts the access request.
>>     
>
>   The "radius_xlat" doesn't delete '=5C' from the User-Name.
>
>   
>> The question is why "user=5C=5C=5C=5Cuser" = "user"?
>>     
>
>  If the User-Name is that in the Access-Request, it's because that's
> what the user typed.  The usual reason for the user typing this is
> because they are trying to cheat you.
>
>   
>> We tried the username
>> with xC (i.e. 1C, 2C, 3C and so on...) and all are able to log in because
>> radius will take it as user at domain. 
>>     
>
>    I'm not sure I agree.
>
>   
>> After login, the username in radacct
>> will become "user=5C=5C=5C=5Cuser at domain" instead of "user at domain". As
>> a consequence, a smart user may have multiple logins (by using
>> user=1C/2C/3C....) and the records in radacct are different and therefore
>> we will lose control of multiple logins with a single account. Any idea
>> how to fix this?
>>     
>
>   Which version of FreeRADIUS are you running?  I suspect that it's
> older than 1.1.7, which means it's a bug that was fixed *many* years ago.
>
>   Upgrade to 2.1.6, and the problem will go away.
>
>   Alan DeKok.
>
>   
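
The accounting gap described in this thread, as an added example that is not part of the original messages: a check over radacct rows that flags User-Name values carrying =XX escapes and reports accounts with more than one open session once each name is reduced. The row layout, the sample rows, the "@" realm separator and the reduction rule (cut at the first escape, following the poster's observation that the uid became "user") are assumptions.

```python
import re
from collections import defaultdict

# "=XX" hex escape as it appears in the User-Name values quoted in the thread.
ESCAPE = re.compile(r"=[0-9A-Fa-f]{2}")

# Constructed sample rows: (acctsessionid, username, acctstoptime or None if open).
SAMPLE_RADACCT = [
    ("s1", "user@domain", None),
    ("s2", "user=5C=5C=5C=5Cuser@domain", None),
    ("s3", "user=1Cuser@domain", None),
    ("s4", "alice@domain", None),
    ("s5", "bob=2Cbob@domain", "2009-05-20 10:00:00"),
]

def reduce_name(username):
    """Assumed reduction: keep the local part up to the first =XX escape,
    then re-attach the realm (mirrors the 'uid became "user"' observation)."""
    local, sep, realm = username.partition("@")
    match = ESCAPE.search(local)
    if match:
        local = local[:match.start()]
    return local + sep + realm

def suspicious_names(rows):
    """Distinct User-Name values that contain at least one =XX escape."""
    return sorted({user for _, user, _ in rows if ESCAPE.search(user)})

def shared_logins(rows):
    """Reduced account -> open sessions, for accounts with more than one."""
    open_by_account = defaultdict(list)
    for session_id, user, stop_time in rows:
        if stop_time is None:  # session still open
            open_by_account[reduce_name(user)].append((session_id, user))
    return {acct: s for acct, s in open_by_account.items() if len(s) > 1}

if __name__ == "__main__":
    print("escaped names:", suspicious_names(SAMPLE_RADACCT))
    for account, sessions in shared_logins(SAMPLE_RADACCT).items():
        print(account, "has", len(sessions), "open sessions:", sessions)
```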
