Update User-Name
Dale Lloyd
dale.lloyd at gmail.com
Sat Sep 9 20:20:44 CEST 2017
Thank you, Alan, for taking the time to reply.
> You should really use 3.0.15.
Apologies, I followed the example in the FreeRADIUS Technical Guide
and typed "yum install freeradius" and this is the version it
installed. I will go back and install 3.0.15 manually.
> No... read the debug output. The error is something else.
When testing and specifying the full username on the client e.g.
'user at uni.ac.uk', everything works. Specifying just the short username
on the client 'user' fails. Using a packet capture, I see that the
request does not get forwarded as hoped. I read the output of radiusd
-X and noticed the EAP error, but I don't know whether it is possible
to overcome it?
> If they're your users, then you should authenticate them. You don't need to edit the User-Name. You don't need to proxy.
> Describe the problem you're trying to solve.
We are a small entity next to a big university. The neighbouring
university allows its users to connect to eduroam locally without
specifying the realm in the username, but this can lead to problems
because their users are often not aware that they need to use the full
username if they wish to roam.
We get many visitors from the university and their perception is that
our wireless is broken. I want to make it easier for those visitors to
connect to eduroam, because I can't explain to all visitors that they
should user their full username. I need to proxy and I think that need
to add the realm to the username, otherwise the eduroam NRPS won't
know what to do with the request.
On 9 September 2017 at 18:03, Alan DeKok <aland at deployingradius.com> wrote:
> On Sep 9, 2017, at 10:11 AM, Dale Lloyd <dale.lloyd at gmail.com> wrote:
>>
>> FreeRADIUS Version 3.0.4
>
> You should really use 3.0.15.
>
>> I wish to modify the User-Name attribute in access-requests by
>> appending the realm, but if I do that, FreeRADIUS refuses to proxy the
>> request.
>
> No... read the debug output. The error is something else.
>
>> I added the following to /etc/raddb/sites-enabled/default:
>>
>> authorize {
>>
>> if("%{User-Name}" !~ /@/) {
>> update request {
>> User-Name := "%{User-Name}@uni.ac.uk"
>> Realm := "eduroam"
>> }
>
> The better question is why do you think this is necessary?
>
> If they're your users, then you should authenticate them. You don't need to edit the User-Name. You don't need to proxy.
>
> Or, if you do proxy, you can just set Proxy-To-Realm:
>
> if("%{User-Name}" !~ /@/) {
> update control {
> Proxy-To-Realm := "my-other-server"
> }
>
>
>> radiusd -X output:
>>
>> (0) # Executing group from file /etc/raddb/sites-enabled/default
>> (0) authenticate {
>> (0) eap : Identity does not match User-Name, setting from EAP Identity
>> (0) eap : Failed in handler
>> (0) [eap] = invalid
>> (0) } # authenticate = invalid
>> (0) Failed to authenticate the user
>> (0) Using Post-Auth-Type Reject
>
> That doesn't say "refused to proxy the request". The message is English, and should be clear.
>
>> Suggestions greatly appreciated.
>
> Describe the problem you're trying to solve. Don't ask why your proposed solution doesn't work.
>
> There are likely many other ways of getting the same result.
>
> Alan DeKok.
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list