In auth request packet, Stripped-User-Name attribute value wrongly rewritten by radius server

Adarsha S s.adarsha at gmail.com
Mon Apr 7 09:58:46 CEST 2014


Hi,

I'm currently using free radius server versioned 2.1.12
[freeradius-server-2.1.12].

I'm having a setup where clients get authenticated by Windows AD 2003 server.
It uses stripped-user-name attribute.
I'm having free radius 2.1.12 as the radius server.
The username are provided as DomainName\Username.
Various combination of Domain name and user name worked but when ever
the username starts with "t" or "n" the authentication failed.

Network capture showed that the backslash delimiter between domain and
username combined with specific letters are translated to special
characters.

\n = new line
\r = return
\t = tab

Eg:

During authentication, the usernames goes as "DOMAIN\timcopy. We are
supposed to strip the domain name along with the "\" and populate the
sAMAccount name with the username timcopy.
But the username gets converted as "DOMAIN  imcopy" which is then used
as the sAMAccount name.

I was getting the authentication problem when I used "timcopy" as the
username and success when I used "kiran" as the username.


On further looking into code could make out ,
On receiving the request packet at radius server side, rlm is adding
the the new attribute stripped-user-name [attr number 1043] and
updating the value as "DOMAIN  imcopy"

Here \timcopy got converted as "<tab space>imcopy"

Please let me know the solution for this problem.

Thanks,
Adarsha


More information about the Freeradius-Users mailing list