AD Auth Question

Nathan Ward lists+freeradius at daork.net
Mon Jan 1 02:32:51 CET 2018


> On 1/01/2018, at 2:20 PM, Martin, Jeremy <jmartin at emcc.edu> wrote:
> 
> So I greatly appreciate the pointers and help thus far but unfortunately this part of the project keeps running into wall after wall.  So I decided to take a step back and start with a single domain on a nice clean install but come up with the same error from the inner-tunnel test.  
> 
> &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
> 
> When researching this error it seems to point to issues people had when upgrading from v2 to v3 but this is not the case in this instance and am not able to find any useful information after many hours of exhausting the resources that I did find.  
> 
> So I now have two questions:
> 
> 1. As we are largely required to use FR due to the MD5 EAP requirement of a solution we need to support and the difficulties and other issues of getting this implemented I am seriously considering the viability of the product without commercial support options.  Does anyone have any rough idea of cost for the commercial support option for a FR server in an educational production environment?
> 
> 2. In the event we decide to go the commercial route, and honestly I am heavily leaning that way after the amount of time invested this weekend, I still really need to do a proof of concept before coming so any pointers on the following error?
> 
> radtest -t mschap testuser simplepass 127.0.0.1:18120 0 testing123
> 
> Received Access-Request Id 74 from 127.0.0.1:52096 to 127.0.0.1:18120 length 142
> (1)   User-Name = "testuser"
> (1)   NAS-IP-Address = 10.40.0.199
> (1)   NAS-Port = 0
> (1)   Message-Authenticator = 0xd61679269ea9b90bf0e38f138bd9a1a4
> (1)   MS-CHAP-Challenge = 0x1b48d5a1841beb78
> (1)   MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000a76b216d255f8f4b4b039e309a93b5e58e52e6fdc5feaf1e
> (1) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
> (1)   authorize {
> (1)     policy filter_username {
> (1)       if (&User-Name) {
> (1)       if (&User-Name)  -> TRUE
> (1)       if (&User-Name)  {
> (1)         if (&User-Name =~ / /) {
> (1)         if (&User-Name =~ / /)  -> FALSE
> (1)         if (&User-Name =~ /@[^@]*@/ ) {
> (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (1)         if (&User-Name =~ /\.\./ ) {
> (1)         if (&User-Name =~ /\.\./ )  -> TRUE
> (1)         if (&User-Name =~ /\.\./ )  {
> (1)           update request {
> (1)             &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
> (1)           } # update request = noop
> (1)           [reject] = reject
> (1)         } # if (&User-Name =~ /\.\./ )  = reject
> (1)       } # if (&User-Name)  = reject
> (1)     } # policy filter_username = reject
> (1)   } # authorize = reject
> (1) Invalid user (Rejected: User-Name contains multiple ..s): [testuser/<no User-Password attribute>] (from client localhost port 0)
> (1) Using Post-Auth-Type Reject

What version of FreeRADIUS are you running?

What is correct_escapes set to in your radiusd.conf file?

--
Nathan Ward
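As an added example (not part of this thread or of FreeRADIUS itself), here are the three filter_username checks from the debug output above rewritten in Python, so the intended `\.\.` test can be compared with what the policy would reject if the backslashes were consumed before the regex is compiled. That the legacy escape handling behaves this way is an assumption made here for illustration; the post itself only asks what correct_escapes is set to.

```python
import re

# Regexes as they appear in the filter_username policy in the debug output above.
# Order matters: the policy rejects on the first check that matches.
POLICY_PATTERNS = {
    "space":      r" ",
    "double_at":  r"@[^@]*@",
    "double_dot": r"\.\.",
}


def filter_username(user_name, patterns=POLICY_PATTERNS):
    """Mirror the policy: return 'accept' or the name of the first matching check."""
    for reason, pattern in patterns.items():
        if re.search(pattern, user_name):
            return reason
    return "accept"


def legacy_escape_mode(patterns):
    """ASSUMPTION (not established in the thread): a legacy escape mode that
    consumes backslashes before the regex is compiled turns '\\.\\.' into '..',
    which matches any two characters. Returns the patterns as that mode sees them."""
    return {reason: p.replace("\\", "") for reason, p in patterns.items()}


if __name__ == "__main__":
    # Constructed sample user names, including the one from the radtest run.
    legacy = legacy_escape_mode(POLICY_PATTERNS)
    for name in ("testuser", "bob..smith", "user@x@y", "a"):
        print(f"{name:12} intended={filter_username(name):10} "
              f"legacy={filter_username(name, legacy)}")
```

Under the assumed legacy reading every user name of two or more characters is rejected with the "multiple ..s" message, which is the symptom to look for when reviewing the value of correct_escapes.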