Realm Strip

Dennis Xu dxu at uoguelph.ca
Wed Sep 9 17:10:21 CEST 2015


I didn't tell it to strip the realm, but I understand the default behavior is to strip the realm unless you put "nostrip"?

I had issues using FreeRadius to authenticate to AD directly because our AD's password format is not clear-text or NT Hash. I just noticed that with version 3.0, FreeRadius can use Samba to bind to Active Directory. So I think it should not care about the password format in AD?

Unfortunately Cisco ACS5 cannot strip the realm for AD authentication. Cisco ISE can.

Thank you!

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56217
dxu at uoguelph.ca 
www.uoguelph.ca/ccs

----- Original Message -----
From: "Alan DeKok" <aland at deployingradius.com>
To: dxu at uoguelph.ca, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, September 9, 2015 10:01:59 AM
Subject: Re: Realm Strip

On Sep 9, 2015, at 9:48 AM, Dennis Xu <dxu at uoguelph.ca> wrote:

> This is our setup: we put a FreeRadius version 2.1.10 on Ubuntu in front of the Cisco ACS 5 and we need the FreeRadius to strip the suffix starting from @ and just pass the username to ACS 5 for authentication (with AD). We use PEAP MS-CHAPv2.

  It will not work.

> It did not work.

  See?

> ACS5 still sees the whole username (i.e., dxu at uoguelph.ca) with the suffix.
> 
> I added the following to the proxy.conf file:
> realm uoguelph.ca {
>        type = radius
>        authhost = acs5-test2.uoguelph.ca:1812
>        accthost = acs5-test2.uoguelph.ca:1813
>        secret = testing123
> }

  You didn't tell it to strip the User-Name.

  Even if you had done that, you probably would discover that there are other issues preventing it from working.  Playing games with EAP identifiers is a losing proposition.

> Did I miss anything?

  Debug output, as suggested in the FAQ, "man" page, web pages, and daily on this list?

> Does FreeRadius strip the realm for both inner and outer IDs for peap authentication?

  If you tell it to.

  And doing so will break EAP.

  So... WHY do you need to do this?  Why not just use FreeRADIUS and Samba to talk to Active Directory?

  Or, configure ACS so that it does its job correctly.  It should be able to strip the realms itself.  If it can't, throw it in the garbage and use FreeRADIUS.

  Alan DeKok.
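The exchange above turns on what the realm module does to User-Name by default (strip unless `nostrip` is set) and on the fact that PEAP carries two identities. The following Python model makes that concrete. It is an added example for this archive page, not code from the thread, from Dennis's configuration, or from the FreeRADIUS project. It assumes: realm names match case-insensitively; an optional `DEFAULT` realm catches otherwise unknown realms; `suffix` format splits at the last delimiter and `prefix` format at the first; and when a realm strips, the User-Name forwarded to the home server becomes the Stripped-User-Name. The `peap_identities` helper only illustrates that the outer EAP identity and the inner tunnelled identity are separate requests handled independently, which is the distinction Alan's reply draws.

```python
"""Model of how FreeRADIUS rlm_realm splits User-Name into Stripped-User-Name and
Realm, so the proxied User-Name can be predicted for a given proxy.conf realm
table.  Added example for this thread; it is not FreeRADIUS code.  Assumptions:
realm names match case-insensitively, an optional DEFAULT realm catches unknown
realms, 'nostrip' keeps the full User-Name, suffix format splits on the LAST
delimiter and prefix format on the FIRST, and when a realm strips, the proxied
User-Name becomes the Stripped-User-Name."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Realm:
    """One 'realm NAME { ... }' block from proxy.conf; nostrip mirrors the option."""
    name: str
    nostrip: bool = False


@dataclass(frozen=True)
class RealmResult:
    rcode: str                           # module return: "ok" (matched) or "noop"
    realm: Optional[str]                 # Realm attribute, if a realm matched
    stripped_user_name: Optional[str]    # Stripped-User-Name, if the realm strips
    proxied_user_name: str               # User-Name the home server would see


def realm_table(*realms: Realm) -> Dict[str, Realm]:
    """Index realm blocks by lower-cased name for case-insensitive lookup."""
    return {r.name.lower(): r for r in realms}


def split_user_name(user_name: str, delim: str = "@",
                    fmt: str = "suffix") -> Tuple[Optional[str], Optional[str]]:
    """Return (user, realm), or (None, None) if the delimiter is absent.

    suffix: user@realm, split at the LAST delimiter (so 'a@b@x' -> ('a@b', 'x'))
    prefix: realm\\user, split at the FIRST delimiter."""
    if len(delim) != 1:
        raise ValueError("delimiter must be a single character")
    if fmt == "suffix":
        idx = user_name.rfind(delim)
        return (None, None) if idx < 0 else (user_name[:idx], user_name[idx + 1:])
    if fmt == "prefix":
        idx = user_name.find(delim)
        return (None, None) if idx < 0 else (user_name[idx + 1:], user_name[:idx])
    raise ValueError(f"unknown format {fmt!r}")


def apply_realm(user_name: str, realms: Dict[str, Realm], delim: str = "@",
                fmt: str = "suffix") -> RealmResult:
    """Run one User-Name through the modelled realm module."""
    user, realm_name = split_user_name(user_name, delim, fmt)
    if realm_name is None:
        # No delimiter: the module does nothing and the name stays local.
        return RealmResult("noop", None, None, user_name)
    realm = realms.get(realm_name.lower()) or realms.get("default")
    if realm is None:
        # Delimiter present but no matching realm block and no DEFAULT: noop.
        return RealmResult("noop", None, None, user_name)
    if realm.nostrip:
        # Realm is recognised but the full User-Name is forwarded unchanged.
        return RealmResult("ok", realm.name, None, user_name)
    # Default behaviour: strip, and the proxied User-Name becomes the user part.
    return RealmResult("ok", realm.name, user, user)


def peap_identities(outer: str, inner: str,
                    realms: Dict[str, Realm]) -> Tuple[str, str]:
    """The outer (EAP-Identity) and inner (tunnelled) names arrive as separate
    requests handled by separate virtual servers, so the module runs on each
    independently.  Returns the User-Name each stage would forward."""
    return (apply_realm(outer, realms).proxied_user_name,
            apply_realm(inner, realms).proxied_user_name)


if __name__ == "__main__":
    # Constructed sample table using the realm name from the block quoted above.
    table = realm_table(Realm("uoguelph.ca"))
    for name in ("dxu@uoguelph.ca", "dxu", "dxu@other.example"):
        print(name, "->", apply_realm(name, table))
    print(peap_identities("anonymous@uoguelph.ca", "dxu@uoguelph.ca", table))
```

Running the model against the quoted `realm uoguelph.ca { ... }` block shows the default already strips, which is why a `nostrip` keyword rather than a "strip" keyword is what the configuration offers; a name without a delimiter or with an unrecognised realm passes through untouched unless a `DEFAULT` realm exists. Separately from the stripping question, `testing123` in the quoted block is the sample shared secret shipped in FreeRADIUS's default configuration files, so on a proxy facing a real home server it is one of the first values to replace.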


