User-Name Modification Assistance

Jeremy Lundquist pmudan01 at gmail.com
Fri May 11 18:02:18 CEST 2018


Let me add an updated debug output to be thorough:

(0) Received Access-Request Id 176 from 172.30.0.9:1025 to 172.16.1.57:1812
length 151
(0)   Framed-MTU = 1344
(0)   EAP-Message = 0x020100160131302d37622d34342d63312d38362d6530
(0)   User-Name = "10-7b-44-c1-86-e0"
(0)   NAS-Port-Type = Ethernet
(0)   NAS-Port = 1
(0)   NAS-Port-Id = "Port 1"
(0)   Calling-Station-Id = "10-7b-44-c1-86-e0"
(0)   Called-Station-Id = "9a-86-02-02-5e-01"
(0)   NAS-IP-Address = 172.30.0.9
(0)   Message-Authenticator = 0xddf33385960dd6418170c55eeeb7333f
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy rewrite_stripped_username {
(0)       if (&User-Name && (&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0)       if (&User-Name && (&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(0)       if (&User-Name && (&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0)         update request {
(0)           EXPAND %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}
(0)              --> 107b44c186e0
(0)           &Stripped-User-Name := 107b44c186e0
(0)           EXPAND %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}
(0)              --> 107b44c186e0
(0)           &User-Password := 107b44c186e0
(0)         } # update request = noop
(0)         [updated] = updated
(0)       } # if (&User-Name && (&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(0)       ... skipping else: Preceding "if" was taken
(0)     } # policy rewrite_stripped_username = updated
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = updated
(0)     } # policy filter_username = updated
(0)     [preprocess] = ok
(0)     update request {
(0)       EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(0)          --> 107b44c186e0
(0)       SQL-User-Name set to '107b44c186e0'
rlm_sql (sql): Reserved connection (1)
(0)       Executing select query: SELECT groupname FROM radhuntgroup WHERE
nasipaddress='172.30.0.9'
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radiusdb' on db4.sailx.co via TCP/IP,
server version 5.5.56-MariaDB-wsrep, protocol version 10
(0)       EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{NAS-IP-Address}'}
(0)          --> mdu_tower1
(0)       Huntgroup-Name := mdu_tower1
(0)     } # update request = noop
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "107b44c186e0", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 22
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x3657989736559c60
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 176 from 172.16.1.57:1812 to 172.30.0.9:1025
length 0
(0)   EAP-Message = 0x010200160410fd177e65f2ea8bf1834a748b2123db76
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x3657989736559c60ff03715f4f66cda8
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 177 from 172.30.0.9:1025 to 172.16.1.57:1812
length 186
(1)   Framed-MTU = 1344
(1)   EAP-Message =
0x0202002704100e6271f3258c713ac55764eaa2d52ab231302d37622d34342d63312d38362d6530
(1)   State = 0x3657989736559c60ff03715f4f66cda8
(1)   User-Name = "10-7b-44-c1-86-e0"
(1)   NAS-Port-Type = Ethernet
(1)   NAS-Port = 1
(1)   NAS-Port-Id = "Port 1"
(1)   Calling-Station-Id = "10-7b-44-c1-86-e0"
(1)   Called-Station-Id = "9a-86-02-02-5e-01"
(1)   NAS-IP-Address = 172.30.0.9
(1)   Message-Authenticator = 0x737a5f0beb4ab57731f2e2a10d510ea8
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy rewrite_stripped_username {
(1)       if (&User-Name && (&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1)       if (&User-Name && (&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(1)       if (&User-Name && (&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1)         update request {
(1)           EXPAND %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}
(1)              --> 107b44c186e0
(1)           &Stripped-User-Name := 107b44c186e0
(1)           EXPAND %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}
(1)              --> 107b44c186e0
(1)           &User-Password := 107b44c186e0
(1)         } # update request = noop
(1)         [updated] = updated
(1)       } # if (&User-Name && (&User-Name =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(1)       ... skipping else: Preceding "if" was taken
(1)     } # policy rewrite_stripped_username = updated
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = updated
(1)     } # policy filter_username = updated
(1)     [preprocess] = ok
(1)     update request {
(1)       EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(1)          --> 107b44c186e0
(1)       SQL-User-Name set to '107b44c186e0'
rlm_sql (sql): Reserved connection (2)
(1)       Executing select query: SELECT groupname FROM radhuntgroup WHERE
nasipaddress='172.30.0.9'
rlm_sql (sql): Released connection (2)
(1)       EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE
nasipaddress='%{NAS-IP-Address}'}
(1)          --> mdu_tower1
(1)       Huntgroup-Name := mdu_tower1
(1)     } # update request = noop
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "107b44c186e0", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 39
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(1) sql:    --> 107b44c186e0
(1) sql: SQL-User-Name set to '107b44c186e0'
rlm_sql (sql): Reserved connection (3)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '107b44c186e0' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '107b44c186e0' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql:   Cleartext-Password := "107b44c186e0"
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = '107b44c186e0' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '107b44c186e0' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(1) sql:    --> SELECT groupname FROM radusergroup WHERE username =
'107b44c186e0' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = '107b44c186e0' ORDER BY priority
(1) sql: User found in the group table
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'saili_mdu_snjs_133_current' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'saili_mdu_snjs_133_current' ORDER BY
id
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'saili_mdu_tower2_current' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'saili_mdu_tower2_current' ORDER BY id
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'saili_mdu_tower3_current' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'saili_mdu_tower3_current' ORDER BY id
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id
(1) sql: Group "saili_mdu_tower1_current": Conditional check items matched
(1) sql: Group "saili_mdu_tower1_current": Merging assignment check items
(1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(1) sql:    --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id
(1) sql: Group "saili_mdu_tower1_current": Merging reply items
(1) sql:   Tunnel-Type := VLAN
(1) sql:   Tunnel-Medium-Type := IEEE-802
(1) sql:   Tunnel-Private-Group-Id := "90"
rlm_sql (sql): Released connection (3)
(1)     [sql] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x3657989736559c60
(1) eap: Finished EAP session with state 0x3657989736559c60
(1) eap: Previous EAP request found for state 0x3657989736559c60, released
from the list
(1) eap: Peer sent packet with method EAP MD5 (4)
(1) eap: Calling submodule eap_md5 to process data
(1) eap: Sending EAP Failure (code 4) ID 2 length 4
(1) eap: Freeing handler
(1)     [eap] = reject
(1)   } # authenticate = reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) sql: EXPAND .query
(1) sql:    --> .query
(1) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(1) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(1) sql:    --> 107b44c186e0
(1) sql: SQL-User-Name set to '107b44c186e0'
(1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, misc,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}',
'%{%{Module-Failure-Message}:-%{reply:Reply-Message}}', '%S')
(1) sql:    --> INSERT INTO radpostauth (username, pass, reply, misc,
authdate) VALUES ( '107b44c186e0', '107b44c186e0', 'Access-Reject', '',
'2018-05-11 16:01:35.337981')
(1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
misc, authdate) VALUES ( '107b44c186e0', '107b44c186e0', 'Access-Reject',
'', '2018-05-11 16:01:35.337981')
(1) sql: SQL query returned: success
(1) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(1)     [sql] = ok
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> 10-7b-44-c1-86-e0
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 177 from 172.16.1.57:1812 to 172.30.0.9:1025
length 44
(1)   EAP-Message = 0x04020004
(1)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.


Jeremy

On Fri, May 11, 2018 at 9:00 AM, Jeremy Lundquist <pmudan01 at gmail.com>
wrote:

> Thxs Alan B and Alan D for the follow-ups.
> So the password is the issue, as not only does this NAS vendor not put the
> MAC in the correct format, but they are also currently not sending a
> password :)
> In an attempt to get around this for this vendor, I'm trying to manually
> set the User-Password then. I'll be modifying the coding to make it based
> on the specific vendor's Called-Station-Id, but for now I'm just statically
> setting it for testing purposes at the same time as I'm setting the
> Stripped-User-Name. I.e., see here (reusing some of what's already in
> policy.d/canonicalization):
>
> rewrite_stripped_username {
>         if (&User-Name && (&User-Name =~ /^${policy.mac-addr-regexp}$/i)) {
>                 update request {
>                         &Stripped-User-Name := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
>                         &User-Password := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
>                 }
>                 updated
>         }
>         else {
>                 noop
>         }
> }
>
> So this should leave the username as the original, but change the
> Stripped-User-Name and set User-Password (I can see/verify this in the
> debug, as I see these values entered into the DB radpostauth table). I've also
> configured the SQL queries to use Stripped-User-Name. And I've included this
> in my authorization section of sites-enabled/default, but I'm still
> getting the EAP failure as shown in the previous debug. Should I be adding
> it elsewhere also, or am I missing something still?
>
> Thxs
> Jeremy
>
>
>
> On Fri, May 11, 2018 at 5:23 AM, Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On May 10, 2018, at 5:23 PM, Jeremy Lundquist <pmudan01 at gmail.com> wrote:
>> > Currently using freeradius 3.0.13, have it installed and configured (using
>> > mysql DB as the backend) and working fine. We are using MAC Based
>> > Authentication for authenticating/authorizing our end users' equipment and
>> > till now working great.
>> > We went out the door using a MAC format of aabbccddeeff for
>> > username/password as our initial equipment passes it over this way, but we
>> > have some new equipment going into the network that sends the MAC as the
>> > username in the format aa-bb-cc-dd-ee-ff.
>>
>>   There is a specification (mostly) for MAC address formats in RADIUS.
>> Sadly, many NAS vendors ignore that, like they ignore much else in the
>> specs.
>>
>> > So I'm trying to figure out how
>> > we can continue to use the username in the format aabbccddeeff (in the
>> > radcheck DB table) but accept the new format (with dashes) in the
>> > Access-Request and then modify the User-Name (or Stripped-User-Name) to use
>> > the non-dash format during the authentication/authorization process.
>>
>>   Don't modify the User-Name for EAP.
>>
>> > I've seen in various posts that I should not modify the User-Name
>> > attribute, so I'm currently trying to use the Stripped-User-Name. I've
>> > defined a way to strip the dashes (-) from the User-Name and assign it to
>> > the Stripped-User-Name and can see this being used.
>>
>>   raddb/policy.d/canonicalization contains ways of doing this.
>>
>>
>> > But the issue I'm
>> > running into is during the authentication process I hit a part that shows
>> > EAP failing. I've been trying to understand why it's failing and how to
>> > work around it, but no luck and thus the reason for my question to the list.
>> > Any help or guidance would be greatly appreciated.
>> >
>> > See below the debug output (radiusd -X) for my radius setup.
>>
>>   Hmm... better debug messages would help there.
>>
>>   But in the end what's happening is that the EAP-MD5 calculations don't
>> match.  So the user entered the wrong password.
>>
>>   You can test this by trying PAP authentication.
>>
>>   Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>
>
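Added example, not code from this thread or from FreeRADIUS: it applies the same mac-addr-regexp the rewrite_stripped_username policy uses in the debug above, then decodes the two EAP-Message values from requests (0) and (1) and reproduces the check eap_md5 performs, which is the CHAP digest MD5(Identifier || Secret || Challenge) from RFC 3748 section 5.4 and RFC 1994. The packet bytes and the Cleartext-Password '107b44c186e0' are taken from the debug; everything else (function names, the constructed test secret) is assumed for illustration.

```python
import hashlib
import hmac
import re
import struct

# The mac-addr-regexp used by the rewrite_stripped_username policy in the debug
# above: six hex pairs, each optionally followed by one non-hex separator.
MAC_ADDR_RE = re.compile(
    r"^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?"
    r"([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$",
    re.IGNORECASE,
)

# EAP codes and the MD5-Challenge type (RFC 3748)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# EAP-Message values copied from requests (0) and (1) in the debug output above:
# the server's MD5-Challenge and the peer's MD5 response.
CHALLENGE_MSG = bytes.fromhex("010200160410fd177e65f2ea8bf1834a748b2123db76")
RESPONSE_MSG = bytes.fromhex(
    "0202002704100e6271f3258c713ac55764eaa2d52ab2"
    "31302d37622d34342d63312d38362d6530"
)


def canonicalize_mac(user_name):
    """What the policy does to User-Name: lowercase hex pairs, separators dropped.
    Returns None when the name is not a MAC address (the policy's else/noop branch)."""
    m = MAC_ADDR_RE.match(user_name)
    if m is None:
        return None
    return "".join(m.groups()).lower()


def parse_eap_md5(msg):
    """Decode an EAP packet of type MD5-Challenge into code, id, value and name."""
    if len(msg) < 6:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError(f"EAP length field {length} does not match {len(msg)} bytes")
    if msg[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError(f"not an MD5-Challenge packet (type {msg[4]})")
    value_size = msg[5]
    if 6 + value_size > len(msg):
        raise ValueError("Value-Size exceeds the packet")
    value = msg[6:6 + value_size]
    # Name field: on the response this is the identity the peer claims
    name = msg[6 + value_size:].decode("ascii", "replace")
    return {"code": code, "id": ident, "value": value, "name": name}


def eap_md5_response(ident, secret, challenge):
    """CHAP digest used by EAP-MD5: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def verify_eap_md5(challenge_msg, response_msg, cleartext_password):
    """Server-side check: does this Cleartext-Password reproduce the peer's response?"""
    chal = parse_eap_md5(challenge_msg)
    resp = parse_eap_md5(response_msg)
    if chal["code"] != EAP_REQUEST or resp["code"] != EAP_RESPONSE:
        raise ValueError("expected an EAP Request/Response pair")
    if chal["id"] != resp["id"]:
        raise ValueError("response Identifier does not match the challenge")
    expected = eap_md5_response(resp["id"], cleartext_password, chal["value"])
    return hmac.compare_digest(expected, resp["value"])


if __name__ == "__main__":
    resp = parse_eap_md5(RESPONSE_MSG)
    print("identity in the peer's EAP response:", resp["name"])
    print("Stripped-User-Name the policy derives:", canonicalize_mac(resp["name"]))
    # '107b44c186e0' is the Cleartext-Password rlm_sql loaded from radcheck above
    print("response matches Cleartext-Password '107b44c186e0'?",
          verify_eap_md5(CHALLENGE_MSG, RESPONSE_MSG, "107b44c186e0"))
```

Run against the debug's packets, the verification with '107b44c186e0' comes back False, which is the EAP Failure in request (1). The digest is computed on the peer from whatever password the device holds, and on the server from the Cleartext-Password in the control list; rlm_eap_md5 never reads the request's User-Password, so the `&User-Password :=` line in the policy only changes what gets logged into radpostauth (visible in the debug), not the outcome of the comparison. Only the password stored for the user, or the password configured on the device, can make the two digests agree.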


More information about the Freeradius-Users mailing list