FreeRadius 3.0.15 - some radius requests with realm @mylocal.org wrongly get assigned to Default realm (and then proxied)

Alan DeKok aland at deployingradius.com
Fri Sep 21 17:11:26 CEST 2018


On Sep 21, 2018, at 9:44 AM, Thorsten Fritsch <wiesentalfreunde at gmail.com> wrote:
> 
> we're running FreeRadius 3.0.15 and frequently see proxy errors in the
> radius.log such as
> "ERROR: Failing proxied request for user "dummy.user at mylocal.org", due to
> lack of any response from home server <remote ip> port 1812"

  You could try upgrading to 3.0.17.  That contains many fixes.

  Or, use the v3.0.x head from git, which will become 3.0.18 real soon now.

> The problem as it seems is that for some users (by far not for all - just
> for a few) who provide the correct suffix @mylocal.org the radius request
> is still wrongly assigned to the default realm and then proxied to the
> remote radius server defined in the default realm instead of proxied to the
> local realm as shown in this log:
> 
> (948091) Tue Sep 18 17:42:20 2018: Debug: suffix: Looking up realm "
> mylocal.org " for User-Name = "dummy.user at mylocal.org "
> (948091) Tue Sep 18 17:42:20 2018: Debug: suffix: Found realm "~.*$"

  TBH, I suspect that the user is logging in with non-ASCII in the realm name.  That may be why it doesn't match.

  The reason I say this is that the matching code is pretty well tested.  You can believe that the user did something stupid, or you can believe that the code is broken... even though it works for 99% of the users, and for every other network on the planet.

  i.e. I haven't seen this issue before.

> Interestingly it's again and again the same users who are wrongly assigned to
> the default realm. It looks like a loop but the operator of the remote
> radius server informed us no requests for @mylocal.org are seen on his side.

  He might be receiving them, but with a non-ASCII name.  So a "grep" through the log files for that domain won't show anything.

  If the debug log shows those users actually being proxied, then the issue is most likely non-ASCII names.

  Alan DeKok.
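
The point that a plain "grep" for the domain will miss non-ASCII realm names can be checked against the debug log itself. The script below is an added example, not part of the original thread and not FreeRADIUS code; it assumes the log carries the User-Name as raw UTF-8 in the "Looking up realm" line format quoted above, and the sample lines, request ids and function names are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample lines in the debug-log format quoted in the thread;
# request ids, user names and realms are made up for this example.
SAMPLE_LOG = [
    '(1) Tue Sep 18 17:42:20 2018: Debug: suffix: Looking up realm "mylocal.org" for User-Name = "alice@mylocal.org"',
    '(2) Tue Sep 18 17:42:21 2018: Debug: suffix: Looking up realm "mylocal.org " for User-Name = "bob@mylocal.org "',
    '(3) Tue Sep 18 17:42:22 2018: Debug: suffix: Looking up realm "myl\u043ecal.org" for User-Name = "carol@myl\u043ecal.org"',
    '(4) Tue Sep 18 17:42:23 2018: Debug: suffix: Looking up realm "\uff4dylocal.org" for User-Name = "dave@\uff4dylocal.org"',
]

LOOKUP = re.compile(
    r'^\((?P<req>\d+)\).*suffix: Looking up realm "(?P<realm>[^"]*)"'
    r' for User-Name = "(?P<user>[^"]*)"')

def odd_chars(realm):
    """Describe every character that is not visible ASCII (0x21-0x7E)."""
    found = []
    for i, ch in enumerate(realm):
        if not ("!" <= ch <= "~"):
            name = unicodedata.name(ch, "UNNAMED/CONTROL")
            found.append(f"index {i}: U+{ord(ch):04X} {name}")
    return found

def suspect_realms(lines, expected):
    """Return (request id, escaped realm, findings, normalizes_to_expected)
    for each lookup whose realm contains whitespace, control or non-ASCII."""
    hits = []
    for line in lines:
        m = LOOKUP.search(line)
        if not m:
            continue
        realm = m.group("realm")
        findings = odd_chars(realm)
        if not findings:
            continue
        # NFKC folds compatibility forms (e.g. fullwidth letters) to ASCII;
        # look-alikes from other scripts survive and stay flagged as different.
        folded = unicodedata.normalize("NFKC", realm).strip().casefold()
        hits.append((int(m.group("req")), ascii(realm), findings, folded == expected))
    return hits

if __name__ == "__main__":
    for req, realm, findings, same in suspect_realms(SAMPLE_LOG, "mylocal.org"):
        print(f"request {req}: realm {realm} normalizes to expected: {same}")
        for f in findings:
            print("   ", f)
```

The escaped realm in each result is a string that can be searched for byte-exactly on the home server's side, where a search for the plain ASCII domain finds nothing.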



