Strange behaviour (?) on Windows authentication
Arnaud Forster
arnaud.forster at mwprog.ch
Thu May 17 08:30:41 CEST 2018
OK, it seems that 5c is the hex notation for the character \
but is it normal that my string "MyDomain\\MyUserName" becomes, before
testing, "MyDomain\5c5cMyUserName"?
Thanks to all :)
On 17.05.2018 at 08:23, Arnaud Forster wrote:
> Hello all,
>
> I requested a few months ago some help about allowing some specific
> users to connect to specific wifi systems. I received some
> great help by adding a test to check if the user belongs to the
> specific group. This works like a charm for computers not belonging
> to the ldap domain. Today, I've another problem with that
> authentication for a computer belonging to the ldap domain. I made a
> log and there's something I don't understand.
>
> the username is there and correct (MyUserName) but suddenly, before
> checking if it belongs to the group 'Enseignants' here, the text
> '5c5c' is added to my username. It seems that this is the text
> 5c5cMyUserName that is checked instead of MyUserName.
>
> Can someone understand that? I've no idea where this '5c5c' text
> comes from and why this works for computers not belonging to the
> domain...
>
> Really thanks for your help ;)
>
> Arnaud
>
>
> (1) Received Access-Request Id 193 from <a wifi system> length 219
> (1) User-Name = "MyDomain\\MyUserName"
> (1) NAS-IP-Address = 10.20.32.34
> (1) Called-Station-Id = "00-19-3B-10-8C-00:MyDomain"
> (1) NAS-Port-Type = Wireless-802.11
> (1) Service-Type = Framed-User
> (1) Calling-Station-Id = "DC-53-60-A5-19-50"
> (1) Connect-Info = "CONNECT 0Mbps 802.11b"
> (1) Acct-Session-Id = "929C1E7D46CDEAD7"
> (1) Acct-Multi-Session-Id = "D8478D373078FF2E"
> (1) WLAN-Pairwise-Cipher = 1027076
> (1) WLAN-Group-Cipher = 1027074
> (1) WLAN-AKM-Suite = 1027073
> (1) Framed-MTU = 1400
> (1) EAP-Message = 0x02a800130145534d415c6c656f6e617264696d
> (1) Message-Authenticator = 0xa790b757b6ea900d68132242a39287d3
> (1) # Executing section authorize from file
> /etc/raddb/sites-enabled/default
> (1) authorize {
> (1) policy rewrite_called_station_id {
> (1) if (&Called-Station-Id && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
> {
> (1) if (&Called-Station-Id && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
> -> TRUE
> (1) if (&Called-Station-Id && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
> {
> (1) update request {
> (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
> (1) --> 00-19-3B-10-8C-00
> (1) &Called-Station-Id := 00-19-3B-10-8C-00
> (1) } # update request = noop
> (1) if ("%{8}") {
> (1) EXPAND %{8}
> (1) --> MyDomain
> (1) if ("%{8}") -> TRUE
> (1) if ("%{8}") {
> (1) update request {
> (1) EXPAND %{8}
> (1) --> MyDomain
> (1) &Called-Station-SSID := MyDomain
> (1) } # update request = noop
> (1) } # if ("%{8}") = noop
> (1) [updated] = updated
> (1) } # if (&Called-Station-Id && (&Called-Station-Id =~
> /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
> = updated
> (1) ... skipping else: Preceding "if" was taken
> (1) } # policy rewrite_called_station_id = updated
> (1) switch &Called-Station-SSID {
> (1) case MyDomain{
> (1) if (&LDAP-Group != "Enseignants") {
> (1) Searching for user in group "Enseignants"
> rlm_ldap (ldap): Reserved connection (1)
> (1) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) --> (uid=MyDomain\5c5cMyUsername)
> (1) Performing search in "dc=MyDomain,dc=lan" with filter
> "(*uid=**MyDomain**\**5c5c**MyUserName*)", scope "sub"
> (1) Waiting for search result...
> (1) Search returned no results
> rlm_ldap (ldap): Released connection (1)
> (1) if (&LDAP-Group != "Enseignants") -> TRUE
> (1) if (&LDAP-Group != "Enseignants") {
> (1) [reject] = reject
> (1) } # if (&LDAP-Group != "Enseignants") = reject
> (1) } # case MyDomain= reject
> (1) } # switch &Called-Station-SSID = reject
> (1) } # authorize = reject
> (1) Using Post-Auth-Type Reject
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) Post-Auth-Type REJECT {
> (1) attr_filter.access_reject: EXPAND %{User-Name}
> (1) attr_filter.access_reject: --> MyDomain\\MyUserName
> (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (1) [attr_filter.access_reject] = updated
> (1) eap: Request was previously rejected, inserting EAP-Failure
> (1) eap: Sending EAP Failure (code 4) ID 168 length 4
> (1) [eap] = updated
> (1) policy remove_reply_message_if_eap {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (1) else {
> (1) [noop] = noop
> (1) } # else = noop
> (1) } # policy remove_reply_message_if_eap = noop
> (1) } # Post-Auth-Type REJECT = updated
> (1) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (1) Sending delayed response
> (1) Sent Access-Reject Id 193 from 10.20.32.11:1812 to
> 10.20.32.34:36521 length 44
> (1) EAP-Message = 0x04a80004
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 1.3 seconds.
> (0) Cleaning up request packet ID 192 with timestamp +3
>
More information about the Freeradius-Users mailing list
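The `5c` in the log is LDAP search-filter escaping (RFC 4515): rlm_ldap must escape the backslash in the value it substitutes into `(uid=...)`, otherwise a user-supplied name containing `\`, `*`, `(` or `)` could alter the filter. The lookup then fails not because of the escaping itself but because the filter still carries the `MyDomain\` prefix, while the directory's `uid` attribute holds only the bare username; the `%{%{Stripped-User-Name}:-%{User-Name}}` expansion falls back to the full `User-Name` when nothing has populated `Stripped-User-Name`. The following example is added here to illustrate both points and is not FreeRADIUS code: `ldap_filter_escape` implements the RFC 4515 escaping, and `strip_domain_prefix` is a hypothetical stand-in for what a realm/ntdomain-style prefix stripper would put into `Stripped-User-Name`. The sample user names are constructed.

```python
import re

# Characters that RFC 4515 section 3 requires to be escaped inside an
# assertion value: NUL, '(', ')', '*' and the backslash itself.
_FILTER_SPECIALS = "\x00()*\\"


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Each special character is replaced by a backslash followed by the
    two-digit lowercase hex code of the character, so a single backslash
    becomes the three characters '\\5c'.
    """
    out = []
    for ch in value:
        if ch in _FILTER_SPECIALS:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def strip_domain_prefix(user_name: str) -> str:
    """Hypothetical equivalent of an NT-domain prefix stripper.

    For 'DOMAIN\\user' it returns 'user'; a name without a backslash is
    returned unchanged (mirrors the behaviour a realm-prefix configuration
    would give for Stripped-User-Name). Constructed for this example.
    """
    _domain, sep, user = user_name.partition("\\")
    return user if sep else user_name


def uid_filter(user_name: str, strip_domain: bool = True) -> str:
    """Build the (uid=...) filter the way the log's expansion does.

    strip_domain=True models a populated Stripped-User-Name; False models
    the fallback to the raw User-Name seen in the log above.
    """
    name = strip_domain_prefix(user_name) if strip_domain else user_name
    return "(uid=%s)" % ldap_filter_escape(name)


def filter_is_safe(filter_text: str) -> bool:
    """Sanity check: after escaping, the only parentheses in the filter
    are the outer pair, so no injected subfilter can have been spliced in."""
    inner = filter_text[len("(uid="):-1]
    return re.search(r"[()*\x00]", inner) is None


if __name__ == "__main__":
    # Constructed sample: NT-style name as sent by a domain-joined client.
    name = "MyDomain\\MyUserName"
    print(uid_filter(name, strip_domain=False))  # backslash escaped, prefix kept
    print(uid_filter(name))                      # prefix stripped: matches uid
    print(uid_filter("eve)(objectClass=*"))      # hostile input stays inert
```

The first filter printed corresponds to the failing search in the log (escaped backslash, domain still attached); the second is what the search looks like once the domain prefix is stripped before the LDAP lookup, which is why non-domain clients, which send the bare username, succeed. The third line shows that the escaping keeps metacharacters in the user name from changing the filter's structure.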