User-Name Modification Assistance
Alan DeKok
aland at deployingradius.com
Fri May 11 14:23:58 CEST 2018
On May 10, 2018, at 5:23 PM, Jeremy Lundquist <pmudan01 at gmail.com> wrote:
> Currently using freeradius 3.0.13, have it installed and configured (using
> mysql DB as the backend) and working fine. We are using MAC Based
> Authentication for authenticating/authorizing our end users' equipment and
> till now working great.
> We went out the door using a MAC format of aabbccddeeff for
> username/password as our initial equipment passes it over this way, but we
> have some new equipment going into the network that sends the MAC as the
> username in the format aa-bb-cc-dd-ee-ff.
There is a specification (mostly) for MAC address formats in RADIUS. Sadly, many NAS vendors ignore that, like they ignore much else in the specs.
> So I'm trying to figure out how
> we can continue to use the username in the format aabbccddeeff (in the
> radcheck DB table) but accept the new format (with dashes) in the
> Access-Request and then modify the User-Name (or Stripped-User-Name) to use
> the non-dash format during the authentication/authorization process.
Don't modify the User-Name for EAP.
> I've seen in various posts that I should not modify the User-Name
> attribute, so I'm currently trying to use the Stripped-User-Name. I've
> defined a way to strip the dashes (-) from the User-Name and assign it to
> the Stripped-User-Name and can see this being used.
raddb/policy.d/canonicalization contains ways of doing this.
> But the issue I'm
> running into is during the authentication process I hit a part that shows
> EAP failing. I've been trying to understand why it's failing and how to
> work around it, but no luck and thus the reason for my question to the list.
> Any help or guidance would be greatly appreciated.
>
> See below the debug output (radiusd -X) for my radius setup.
Hmm... better debug messages would help there.
But in the end what's happening is that the EAP-MD5 calculations don't match. So the user entered the wrong password.
You can test this by trying PAP authentication.
Alan DeKok.
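
An added illustration for the thread above (not code from FreeRADIUS or from either poster): it derives a dash-free lookup key without touching the received User-Name, then runs the EAP-MD5 check to show why a correct lookup can still end in a mismatch. It assumes the new equipment also uses the dashed MAC as its password, which the thread does not state; the radcheck row, challenge, identifier and function names are constructed.

```python
import hashlib
import hmac
import re

# Six hex pairs with an optional -, : or . between pairs (covers aabbccddeeff,
# aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff and aabb.ccdd.eeff).
_MAC = re.compile(r"[-:.]?".join([r"([0-9a-f]{2})"] * 6), re.IGNORECASE)

def canonical_mac(user_name):
    """Return the aabbccddeeff-style lookup key, or None if not a MAC.
    The received User-Name itself is never rewritten."""
    m = _MAC.fullmatch(user_name.strip())
    return "".join(m.groups()).lower() if m else None

def eap_md5_response(identifier, password, challenge):
    """MD5(Identifier || password || Challenge), the CHAP-style EAP-MD5 value."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()

def server_accepts(user_name, identifier, challenge, response, radcheck):
    """Look up by canonical key, then verify with the stored cleartext password."""
    stored = radcheck.get(canonical_mac(user_name))
    if stored is None:
        return False
    expected = eap_md5_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)

# Constructed sample data: one radcheck row, one fixed challenge.
RADCHECK = {"aabbccddeeff": "aabbccddeeff"}
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
IDENT = 7

def simulate(user_name, device_password):
    """Device hashes its own password string; server checks against radcheck."""
    response = eap_md5_response(IDENT, device_password, CHALLENGE)
    return server_accepts(user_name, IDENT, CHALLENGE, response, RADCHECK)

if __name__ == "__main__":
    for user, pw in [("aabbccddeeff", "aabbccddeeff"),
                     ("aa-bb-cc-dd-ee-ff", "aa-bb-cc-dd-ee-ff"),
                     ("aa-bb-cc-dd-ee-ff", "aabbccddeeff")]:
        print(f"User-Name={user} password={pw} -> accept={simulate(user, pw)}")
```

The second case is rejected even though the lookup finds the row: with EAP-MD5 the server only receives a hash, so the stored password has to be the exact string the device hashed.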