pb with realm

Phil Mayers p.mayers at imperial.ac.uk
Wed Feb 6 11:40:41 CET 2013


On 06/02/13 10:03, Hocine M wrote:
> Hi ,
>
> I have a problem with some proxied users.
>
> In  the accounting-request the username is stripped and realm is NULL.
>
> Why is the realm lost?

The User-Name in the accounting packets is overridden by the User-Name 
in the Access-Accept. In your case, your upstream proxy is returning a 
bare username in the Accept:

> rad_recv: Access-Accept packet from host 193.51.224.109 port 1812,
> id=223, length=182
>      User-Name = "pierre.dupont\000"

...which you then send back to the NAS:

> Sending Access-Accept of id 13 to 192.168.58.5 port 20007
>      User-Name = "pierre.dupont\000"

You can (and indeed, should) use a piece of "unlang" to re-insert / 
validate the realm in this case; we have this config:

post-proxy {

         # Clean up the reply username
         if (proxy-reply:User-Name =~ /^(.*)@.*/) {
                 # rewrite user@anything to user@theauthrealm
                 # i.e. we don't trust the reply realm
                 update proxy-reply {
                         User-Name := "%{1}@%{Realm}"
                 }
         }
         elsif (proxy-reply:User-Name) {
                 # no @ i.e. realm in the reply username
                 # append the realm used for forwarding
                 update proxy-reply {
                         User-Name := "%{proxy-reply:User-Name}@%{Realm}"
                 }
         }
         else {
                 # no reply username at all. add one
                 update proxy-reply {
                         User-Name := "%{request:User-Name}"
                 }
         }
}
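
Added example, not part of the original message or of FreeRADIUS itself: a small Python check that pulls the User-Name out of received Access-Accept packets in debug output and models which of the three post-proxy branches above would apply and what the NAS would then receive. The sample log, the realm `example.org`, the function names, and the stripping of the printed `\000` are assumptions of this example.

```python
import re

# Constructed sample, in the shape of the debug output quoted in the thread.
SAMPLE_DEBUG = r'''rad_recv: Access-Accept packet from host 193.51.224.109 port 1812, id=223, length=182
        User-Name = "pierre.dupont\000"
rad_recv: Access-Accept packet from host 193.51.224.109 port 1812, id=224, length=170
        User-Name = "alice@other.example"
rad_recv: Access-Accept packet from host 193.51.224.109 port 1812, id=225, length=150
        Reply-Message = "ok"
Sending Access-Accept of id 13 to 192.168.58.5 port 20007
        User-Name = "pierre.dupont\000"
'''

PACKET = re.compile(r'^rad_recv: Access-Accept packet from host (\S+) port \d+, id=(\d+)')
USER = re.compile(r'^\s+User-Name = "(.*)"\s*$')

def proxy_accept_usernames(debug_text):
    """Return (host, id, User-Name or None) for each Access-Accept received."""
    packets, current = [], None
    for line in debug_text.splitlines():
        if not line[:1].isspace():
            # A new packet header: track it only if it is a received Accept.
            m = PACKET.match(line)
            current = [m.group(1), int(m.group(2)), None] if m else None
            if current:
                packets.append(current)
        elif current and USER.match(line):
            current[2] = USER.match(line).group(1)
    return [tuple(p) for p in packets]

def rewritten_user_name(reply_user, request_user, realm):
    """Model the three post-proxy branches; return (branch, resulting User-Name)."""
    if reply_user is None:
        return "copied-from-request", request_user
    # Assumption of this example: drop the NUL that the debug output prints as \000.
    reply_user = reply_user.replace("\\000", "")
    m = re.match(r'^(.*)@.*', reply_user)
    if m:
        return "realm-replaced", f"{m.group(1)}@{realm}"
    return "realm-appended", f"{reply_user}@{realm}"

if __name__ == "__main__":
    # Hypothetical request values; the thread does not show the realm.
    for host, pkt_id, user in proxy_accept_usernames(SAMPLE_DEBUG):
        print(pkt_id, user, rewritten_user_name(user, "pierre.dupont@example.org", "example.org"))
```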

