Realm parsing and \r => =0D

Rich Graves rgraves at carleton.edu
Wed Aug 24 04:38:17 CEST 2011


I've got freeradius-2.1.10-5.el6.x86_64 on fully patched RHEL6.1. PEAP+MSCHAPv2 for wireless 802.1x, intending to federate with eduroam. 

Within a day, I had the configuration I wanted, or so I thought.

Empty stanzas for realms user@carleton.edu, ADS\user, and bare username get authenticated with mschapv2.
Otherwise, regex realm *@*.* gets routed to the eduroam upstream radius hierarchy.

I configured buffered-sql for logging.

It all "works." Except... I noticed that my entries appeared in SQL-land as ADS=0Dgraves. So, it seems that the ADS\ realm is recognized (successfully authenticated locally, not sent to eduroam), but not stripped. Worse, the \r in ADS\rgraves is interpreted as a carriage return by the time it gets to SQL-User-Name.

I guess my conclusion is that I am very confused about where realms get configured, and which entries in the example config files are examples and which are metareferences to other code. 

Is the "realm ntdomain" that appears in modules/realm, with a commented-out reference in sites-available/default, an example of handling an example NT Domain named "ntdomain," or is it a directive analogous to format = suffix? I was sure of the former, but am less sure now. "suffix" is overloaded as both a format type and as an example realm that happens to be of type suffix, right?

I'm pretty sure that I need ADS, carleton.edu, and null to be recognized in proxy.conf, to distinguish what goes to inner-tunnel from what goes to eduroam upstream; and I am pretty sure that I need carleton.edu stripped in or before inner-tunnel. MSCHAPv2 will accept both ADS\username and username, so it's not critical to strip the former. However, it seems critical that ADS\ be stripped or more thoroughly escaped before or during transformation of sql_user_name to SQL-User-Name, because rendering ADS\rgraves as ADS=0Dgraves is just wrong.

I am also very confused about whether and where I want "ignore-null = yes." It's mentioned in the shipped modules/realm but not in proxy.conf.

The realm stanzas I have thus far are below. inner-tunnel, default, and buffered-sql are pretty much as shipped, except for the obvious DB configuration.

realm ADS {
        format = prefix
        delimiter = '\\'
        accthost = LOCAL
        authhost = LOCAL
}
realm carleton.edu {
        format = suffix
        delimiter = "@"
        accthost = LOCAL
        authhost = LOCAL
}
realm "~.*\\..*" {
        format = suffix
        delimiter = "@"
        accthost = eduroam1.ns.utk.edu
        authhost = eduroam1.ns.utk.edu
        secret = notpostedhere
        nostrip
}
# This could probably just be realm NULL
realm DEFAULT {
        type = radius
        accthost = LOCAL
        authhost = LOCAL
}

At the point where I realized I was turning things on and off just to see if radiusd -X would run, I decided that I should stick with clear, simple things like sendmail.cf, and ask for pointers.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
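The following is an added example, not part of the original post and not FreeRADIUS code. It models the realm routing the post describes (prefix realm ADS with a backslash delimiter, suffix realm carleton.edu, a regex realm for everything else with a dot in it, and a DEFAULT fallback), then shows why the SQL-User-Name came out as ADS=0Dgraves: if the backslash in ADS\rgraves is processed as a C-style escape before the value is escaped for SQL, the CR byte is written as =0D. The realm table layout, the helper names, and the `SAFE_CHARACTERS` string (assumed to be the sql module's default safe_characters) are assumptions of this example; the escape-processing function reproduces the symptom, it is not a claim about which FreeRADIUS code path does it.

```python
import re

# Constructed realm table mirroring the post's proxy.conf stanzas. Exact-name
# realms are listed before the regex realm, as FreeRADIUS checks exact matches first.
REALMS = [
    {"name": "ADS", "format": "prefix", "delimiter": "\\", "strip": True, "target": "LOCAL"},
    {"name": "carleton.edu", "format": "suffix", "delimiter": "@", "strip": True, "target": "LOCAL"},
    # Regex realm ~.*\..* with nostrip: anything with a dot in the realm goes upstream unchanged.
    {"name": re.compile(r".*\..*"), "format": "suffix", "delimiter": "@", "strip": False,
     "target": "eduroam1.ns.utk.edu"},
]
DEFAULT_TARGET = "LOCAL"  # realm DEFAULT / NULL realm: no delimiter found

# Assumed default safe_characters of the sql module; every other character is
# written out as =XX (hex of the byte). A carriage return therefore becomes =0D.
SAFE_CHARACTERS = set("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /")


def sql_escape(value: str) -> str:
    """=XX-encode every character outside SAFE_CHARACTERS."""
    return "".join(c if c in SAFE_CHARACTERS else "=%02X" % ord(c) for c in value)


def split_realm(user_name: str, fmt: str, delimiter: str):
    """Return (stripped_user, realm), or None if the delimiter is absent.

    prefix realms split on the first delimiter (ADS\\user), suffix realms on the last (user@realm).
    """
    if fmt == "prefix":
        idx = user_name.find(delimiter)
        if idx < 0:
            return None
        return user_name[idx + len(delimiter):], user_name[:idx]
    idx = user_name.rfind(delimiter)
    if idx < 0:
        return None
    return user_name[:idx], user_name[idx + len(delimiter):]


def realm_matches(pattern, realm: str) -> bool:
    # Realm names are compared case-insensitively; regex realms must match the whole realm.
    if isinstance(pattern, str):
        return pattern.lower() == realm.lower()
    return pattern.fullmatch(realm) is not None


def route(user_name: str) -> dict:
    """Pick the first realm whose delimiter is present and whose name matches."""
    for r in REALMS:
        parts = split_realm(user_name, r["format"], r["delimiter"])
        if parts is None:
            continue
        user, realm = parts
        if realm_matches(r["name"], realm):
            return {"realm": realm, "target": r["target"],
                    "stripped": user if r["strip"] else user_name}
    return {"realm": None, "target": DEFAULT_TARGET, "stripped": user_name}


def sql_user_name(user_name: str) -> str:
    """SQL-User-Name as Stripped-User-Name (falling back to User-Name), escaped for SQL."""
    return sql_escape(route(user_name)["stripped"])


def sql_user_name_after_escape_processing(user_name: str) -> str:
    """Reproduce the symptom: backslash-r treated as a C escape, then SQL-escaped."""
    interpreted = user_name.encode("latin-1").decode("unicode_escape")
    return sql_escape(interpreted)


if __name__ == "__main__":
    for u in ["ADS\\rgraves", "rgraves@carleton.edu", "visitor@example.org", "rgraves"]:
        print("%-22s -> %s  SQL-User-Name=%s" % (u, route(u), sql_user_name(u)))
    print("unstripped, correctly escaped:", sql_escape("ADS\\rgraves"))
    print("unstripped, escape-processed:  ", sql_user_name_after_escape_processing("ADS\\rgraves"))
```

With the ADS realm stripped, SQL-User-Name is just rgraves; if the realm is left in place but escaped correctly the backslash shows up as =5C, and only when the backslash sequence has already been interpreted as a carriage return does the =0D form appear.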