Errors authenticating certain users.
Migo Pod
migopod at gmail.com
Tue Dec 29 18:52:17 CET 2015
In proxy.conf all of the defined realms have nostrip included, and the only
thing I can find that explicitly rewrites anything is a directive in the
NULL realm that sets Stripped-User-Name to mschap:User-Name when the
User-Name matches a /host\/[^\.].(.+)/ regex, and that's been in there
since at least 2013. I've tried removing that clause from the realm and it
didn't appear to affect anything. Other than that, I can't find anything
that sets User-Name to anything at all.
Of course things changed on the 16th when updates ran, but none of the
files in /etc/raddb were modified since yum doesn't overwrite modified
files, and the rpm changelogs aren't being particularly helpful.
Thanks,
-mat
On Tue, Dec 29, 2015 at 10:59 AM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Dec 29, 2015, at 11:39 AM, Migo Pod <migopod at gmail.com> wrote:
> >
> > The change would have been whatever changed with yum-update, which ran on
> > the 16th, and did include the freeradius, freeradius-utils and
> > freeradius-mysql packages, but according to the RedHat change logs those
> > packages were updated in September to fix the miscalculated MPPE keys with
> > TLS 1.2 and nothing beyond that.
>
> Clearly there was something beyond that.
>
> > Full debug:
> > Waking up in 2.6 seconds.
> > rad_recv: Access-Request packet from host 172.18.255.6 port 20002, id=254, length=162
> > NAS-Port-Id = "AP1306/2"
> > Calling-Station-Id = "6C-88-14-54-69-28"
> > Called-Station-Id = "00-26-3E-8D-79-C1:UWMWiFi"
> > Service-Type = Framed-User
> > EAP-Message = 0x020100120141445c706f6469612d75736572
> > User-Name = "AD\\podia-user"
>
> Which shows that the User-Name is correct.
>
> > NAS-Port = 64901
> > NAS-Port-Type = Wireless-802.11
> > NAS-IP-Address = 172.18.255.6
> > NAS-Identifier = "Juniper"
> > Message-Authenticator = 0xe3d83b401df09685c4df6a885095fa4f
> > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > +group authorize {
> > ++[preprocess] = ok
> > ++[mschap] = noop
> > ++[digest] = noop
> > [suffix] No '@' in User-Name = "podia-user", looking up realm NULL
> > [suffix] Found realm "NULL"
> > [suffix] Adding Realm = "NULL"
> > [suffix] Authentication realm is LOCAL.
> > ++[suffix] = ok
>
> Something there is re-writing the User-Name to remove the "AD" portion.
>
> Check the configuration of the "suffix" module. Does it have "strip =
> yes" ?
>
> > [eap] EAP packet type response id 1 length 18
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] = updated
> > [files] users: Matched entry DEFAULT at line 50
>
> Does that entry strip the user name?
> >
> > [eap] Identity (AD\podia-user) does not match User-Name (podia-user).
>
> The User-Name has been re-written from "AD\podia-user" to "podia-user".
> It doesn't happen by magic. Something has updated it.
>
> Alan DeKok.
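An added checker (not part of this thread or of FreeRADIUS) that reads the kind of radiusd -X output quoted above, reports the first module whose output shows a User-Name different from the one in the Access-Request together with the modules that had already completed by then, and tests the NULL-realm regex the poster mentions against the received name. The debug excerpt is constructed from the lines quoted in the thread.

```python
import re

# Constructed excerpt of the radiusd -X output quoted in the thread (backslashes as radiusd prints them).
DEBUG_LOG = r"""rad_recv: Access-Request packet from host 172.18.255.6 port 20002, id=254, length=162
        User-Name = "AD\\podia-user"
+group authorize {
++[preprocess] = ok
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "podia-user", looking up realm NULL
++[suffix] = ok
++[eap] = updated
[eap] Identity (AD\podia-user) does not match User-Name (podia-user).
"""

RECV_USER = re.compile(r'^\s+User-Name = "([^"]*)"$')           # attribute in the rad_recv block
MODULE_DONE = re.compile(r'^\++\[(\w+)\] = \w+')                 # "++[module] = rcode"
MODULE_SEES = re.compile(r'^\[(\w+)\] .*User-Name = "([^"]*)"')  # a module logging the name it sees
MISMATCH = re.compile(r'^\[eap\] Identity \(([^)]*)\) does not match User-Name \(([^)]*)\)')

def unescape(value):
    return value.replace("\\\\", "\\")  # radiusd prints a quoted backslash as two backslashes

def find_username_rewrite(log_text):
    """Where User-Name first differs from the Access-Request value, or None if it never changes."""
    received, finished = None, []
    for line in log_text.splitlines():
        m = RECV_USER.match(line)
        if m and received is None:
            received = unescape(m.group(1))
            continue
        m = MODULE_SEES.match(line)
        if m and received is not None and unescape(m.group(2)) != received:
            return {"received": received, "seen": unescape(m.group(2)),
                    "seen_in": m.group(1), "ran_before": list(finished)}
        m = MISMATCH.match(line)
        if m and received is not None:
            return {"received": received, "seen": m.group(2),
                    "seen_in": "eap", "ran_before": list(finished)}
        m = MODULE_DONE.match(line)
        if m: finished.append(m.group(1))
    return None

# The poster's NULL-realm clause tests User-Name =~ /host\/[^\.].(.+)/; unlang's =~ is an unanchored search.
HOST_CLAUSE = re.compile(r"host/[^.].(.+)")

def host_clause_fires(user_name):
    """True if that realm clause would apply to this User-Name."""
    return HOST_CLAUSE.search(user_name) is not None
```

For the quoted trace this reports the rewritten name first appearing inside the suffix module, with preprocess, mschap and digest already completed, which is the set of places worth checking; the host regex does not match "AD\podia-user", so that clause is not the one firing.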