New User and AD Question
McNutt, Justin M.
McNuttJ at missouri.edu
Tue Mar 1 17:36:53 CET 2011
> > if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {
Something's wrong with the regex here. From the config:
if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) {
From radiusd -X:
User-Name = "host/dnps-caplap-4.col.missouri.edu"
...
? Evaluating (User-Name =~ /^host\/([^\.]+)\.(\S+)$/i) -> FALSE
I removed the ^ and $ anchors and got better results, but still not working:
+- entering group authorize {...}
++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i )
? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE
++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) -> TRUE
++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...}
+++[control] returns notfound
++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
++[preprocess] returns ok
Here's the code it's trying to execute. There must be something wrong with the update control section:
if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
        update control {
                # The regex capture %{2} is only expanded inside a double-quoted
                # string; unquoted it is stored literally, which is what the
                # "You set Proxy-To-Realm = %{2}" warning reports.
                Proxy-To-Realm := "%{2}"
        }
}
This looks related:
WARNING: You set Proxy-To-Realm = %{2}, but the realm does not exist! Cancelling invalid proxy request.
I changed the %{2} to $2, but it does basically the same thing:
WARNING: You set Proxy-To-Realm = $2, but the realm does not exist! Cancelling invalid proxy request.
Here's more context as to what it's doing. Basically, the User-Name and NT-Domain (nor realm) are getting changed into something usable by ntlm_auth.
rad_recv: Access-Request packet from host 128.206.131.253 port 20007, id=9, length=209
NAS-Port-Id = "AP85/1"
Calling-Station-Id = "00-90-4B-2F-80-B4"
Called-Station-Id = "5C-E2-86-00-15-C0:Eddies Office"
Service-Type = Framed-User
EAP-Message = 0x0201002801686f73742f646e70732d6361706c61702d342e636f6c2e6d6973736f7572692e656475
User-Name = "host/dnps-caplap-4.col.missouri.edu"
NAS-Port = 479
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 128.206.131.253
NAS-Identifier = "nortel"
Message-Authenticator = 0xa6b9a66a7a99f19b8adc326da2ad0052
server campus-eap {
+- entering group authorize {...}
++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i )
? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE
++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) -> TRUE
++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...}
+++[control] returns notfound
++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/dnps-caplap-4.col.missouri.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/dnps-caplap-4.col.missouri.edu", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] Request is supposed to be proxied to Realm $2. Not doing EAP.
++[eap] returns noop
++[unix] returns notfound
[files] expand: %{Client-IP-Address} -> 128.206.131.253
rlm_ldap: Entering ldap_groupcmp()
[files] expand: DC=edu -> DC=edu
[files] expand: (|(sAMAccountName=%{User-Name})(userPrincipalName=%{User-Name})) -> (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=edu, with filter (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: %{Client-IP-Address} -> 128.206.131.253
rlm_ldap: Entering ldap_groupcmp()
[files] expand: DC=edu -> DC=edu
[files] expand: (|(sAMAccountName=%{User-Name})(userPrincipalName=%{User-Name})) -> (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=edu, with filter (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: You set Proxy-To-Realm = $2, but the realm does not exist! Cancelling invalid proxy request.
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 479 cli 00-90-4B-2F-80-B4)
} # server campus-eap
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/dnps-caplap-4.col.missouri.edu
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 43 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 43
Sending Access-Reject of id 9 to 128.206.131.253 port 20007
Waking up in 4.9 seconds.
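Added example (not from the post or from FreeRADIUS): a small Python model of what the unlang block above is meant to do. It applies the anchored regex to the machine-account User-Name, shows which capture becomes the realm, and reproduces why an unexpanded literal like %{2} can never satisfy the "realm does not exist" check. The realm table is a constructed stand-in for proxy.conf.

```python
import re

# Pattern from the post: "host/<hostname>.<domain>", case-insensitive and
# anchored so only a complete machine-account principal matches.
HOST_PRINCIPAL = re.compile(r"^host/([^.]+)\.(\S+)$", re.IGNORECASE)

# Constructed stand-in for the realms configured in proxy.conf (assumption).
CONFIGURED_REALMS = {"col.missouri.edu", "missouri.edu"}


def split_host_principal(user_name):
    """Return (hostname, domain) for a host/ principal, or None if no match.

    The two groups correspond to %{1} and %{2} in unlang."""
    m = HOST_PRINCIPAL.match(user_name)
    if m is None:
        return None
    return m.group(1), m.group(2)


def resolve_proxy_realm(proxy_to_realm):
    """Mimic the server's check: Proxy-To-Realm must name a configured realm,
    otherwise the proxy request is cancelled (returns None)."""
    if proxy_to_realm in CONFIGURED_REALMS:
        return proxy_to_realm
    return None


def realm_for_user(user_name, quoted=True):
    """Derive Proxy-To-Realm the way the unlang block intends.

    quoted=False reproduces the bug in the post: an unquoted %{2} is stored
    as the literal text "%{2}" instead of being expanded, so the lookup fails."""
    parts = split_host_principal(user_name)
    if parts is None:
        return None
    value = parts[1] if quoted else "%{2}"
    return resolve_proxy_realm(value)
```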