Strange behaviour (?) on Windows authentication

Alan DeKok aland at deployingradius.com
Thu May 17 20:04:41 CEST 2018


On May 17, 2018, at 2:23 AM, Arnaud Forster <arnaud.forster at mwprog.ch> wrote:
> I requested a few months ago some help about allowing some specific users being able to connect on specific wifi systems. A received some great help by adding a test to check if the user belongs to the specific group. This works like a charm for computers *not *belonging to the ldap domain.Today, I've another problem with that authentication for a computer belonging to the ldap domain. I made a log and there's something I don't understand.
> 
> the username is there and correc (MyUserName)  but suddenly, before checking if it belongs to the group 'Enseignants' here, the text '*5c5c' *is added to my username. It seems that this is the text 5c5cMyUserName that is checked instead of MyUserName.

  The hex code 5C is the ASCII code for the backslash character.

  FreeRADIUS encodes backslashes when it queries databases.  Otherwise, users could do SQL (or LDAP) injection attacks.

> Can someone understand that ? I've no idea from where comes this '5c5c' text and why this works for computers not belonging to the domain...
> 
> Really thanks for your help ;)
> 
> Arnaud
> 
> 
> (1) Received Access-Request Id 193 from <a wifi system> length 219
> (1)   User-Name = "MyDomain\\MyUserName"

  If that's getting converted to 5c5c, you might try upgrading to 3.0.17.  You're running an older version of the database.

  Newer versions will still do the escaping, but only once.

  The short answer for a solution is that you need to set up "MyDomain" as a LOCAL realm in raddb/proxy.conf.  The server will then use "MyUserName" to look up the user in LDAP.

  Alan DeKok.




More information about the Freeradius-Users mailing list