Update User-Name
Dale Lloyd
dale.lloyd at gmail.com
Sat Sep 9 16:11:22 CEST 2017
FreeRADIUS Version 3.0.4
I wish to modify the User-Name attribute in access-requests by
appending the realm, but if I do that, FreeRADIUS refuses to proxy the
request.
I added the following to /etc/raddb/sites-enabled/default:
authorize {
    # Append the realm only when the username carries none yet
    if ("%{User-Name}" !~ /@/) {
        update request {
            User-Name := "%{User-Name}@uni.ac.uk"
            Realm := "eduroam"
        }
    }
    ...
}
radiusd -X output:
Ready to process requests
Received Access-Request Id 0 from 10.10.200.254:36488 to
10.10.2.53:1812 length 148
User-Name = 'testuser'
NAS-IP-Address = 6.71.67.224
Calling-Station-Id = '00-00-00-00-00-02'
Called-Station-Id = '88-15-44-47-43-E0:TEST'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x0200000d01756e697431323334
Message-Authenticator = 0xca24c7b4bfe0fa73b421bc8c9c1e29a5
(0) Received Access-Request packet from host 10.10.200.254 port 36488,
id=0, length=148
(0) User-Name = 'testuser'
(0) NAS-IP-Address = 6.71.67.224
(0) Calling-Station-Id = '00-00-00-00-00-02'
(0) Called-Station-Id = '88-15-44-47-43-E0:TEST'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x0200000d01756e697431323334
(0) Message-Authenticator = 0xca24c7b4bfe0fa73b421bc8c9c1e29a5
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) if ("%{User-Name}" !~ /@/)
(0) EXPAND %{User-Name}
(0) --> testuser
(0) if ("%{User-Name}" !~ /@/) -> TRUE
(0) if ("%{User-Name}" !~ /@/) {
(0) update request {
(0) EXPAND %{User-Name}@uni.ac.uk
(0) --> testuser@uni.ac.uk
(0) User-Name := "testuser@uni.ac.uk"
(0) Realm := 'eduroam'
(0) } # update request = noop
(0) } # if ("%{User-Name}" !~ /@/) = noop
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = noop
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Request already has destination realm set. Ignoring
(0) [suffix] = noop
(0) eap : Peer sent code Response (2) ID 0 length 13
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Identity does not match User-Name, setting from EAP Identity
(0) eap : Failed in handler
(0) [eap] = invalid
(0) } # authenticate = invalid
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> testuser@uni.ac.uk
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Identity does not match User-Name, setting from EAP Identity
(0) eap : Failed to get handler, probably already removed, not inserting EAP-Failure
(0) [eap] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Suggestions greatly appreciated.
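The debug output above reports "Identity does not match User-Name" from the eap module. As an added illustration (not code from the post or from FreeRADIUS), this decodes the EAP-Message attribute printed in the log using the RFC 3748 framing and compares the EAP Identity against the rewritten User-Name; the attribute value is copied from the log, everything else is constructed here.

```python
# Added example: decode a RADIUS EAP-Message value as printed by radiusd -X
# (RFC 3748: Code, Identifier, Length, Type, Type-Data) and compare the
# Identity it carries with User-Name.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def decode_eap_message(hex_value: str) -> dict:
    """Parse one EAP packet given as the '0x...' hex string radiusd prints."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # Request and Response carry a Type byte plus Type-Data
        if length < 5:
            raise ValueError("EAP Request/Response needs a Type byte")
        pkt["type"] = raw[4]
        pkt["data"] = raw[5:]
        if raw[4] == EAP_TYPE_IDENTITY:
            # Identity Type-Data is the (outer) identity as UTF-8 text
            pkt["identity"] = raw[5:].decode("utf-8")
    return pkt


def identity_matches_user_name(hex_value: str, user_name: str) -> bool:
    """True when the EAP Identity equals the request's User-Name."""
    return decode_eap_message(hex_value).get("identity") == user_name


# Value copied from the debug output above; User-Name values are from the log too
EAP_MESSAGE = "0x0200000d01756e697431323334"

if __name__ == "__main__":
    info = decode_eap_message(EAP_MESSAGE)
    print(info)
    for name in ("testuser", "testuser@uni.ac.uk", info["identity"]):
        print(f"User-Name {name!r}: match={identity_matches_user_name(EAP_MESSAGE, name)}")
```

Running it shows the Identity response carries a different name than the User-Name attribute, both before and after the realm is appended.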