Freeradius Issues...user is not adding on radcheck...

Matthew Newton mcn at freeradius.org
Thu Nov 28 17:09:51 CET 2019


On Thu, 2019-11-28 at 15:47 +0000, Sync IT wrote:
> I have acquired a running freeradius system from the old
> administrator. It was running on version 2. But the company asked to
> upgrade it to V3. I am not an expert in freeradius, that's why I am
> trying to use it on a test before running it on production.

Both of those are good.

> The radius was developed by a programmer who no longer works in the
> company. He has made a custom GUI that works great in v2, but in v3
> it doesn't work. I have attached the debug report so that experts can
> have a look. Any idea where I made a mistake while using it in v3?
> When I add users from the GUI it goes to a different table but not in
> radcheck.

Upgrading FreeRADIUS won't change the internal GUI you use, so if it
used to put entries in the radcheck table and doesn't any more then
you've got problems elsewhere.


> (0) Received Access-Request Id 222 from 127.0.0.1:52279 to 127.0.0.1:1812 length 79
> (0)   User-Name = "user1 at mn1"
> (0)   User-Password = "123"
> (0)   NAS-IP-Address = 127.0.1.1
> (0)   NAS-Port = 10
> (0)   Message-Authenticator = 0xf6545a34fec8a8afc046441ec110241e
> (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (0)   authorize {
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> TRUE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   {
> (0)           update request {
> (0)             &Module-Failure-Message += 'Rejected: Realm does not have at least one dot separator'


That should be fairly clear.

The filter_username policy in v3 checks for well-formed usernames.

If your usernames don't have a "." in the realm, either comment out
that particular check in raddb/policy.d/filter, or remove the entire
`filter_username` call from raddb/sites-enabled/default authorize{}
section.

-- 
Matthew
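
The following is an added example, not part of the original message and not FreeRADIUS code: a Python replay of the four `filter_username` regular expressions visible in the quoted debug output, for auditing an existing user list before a v2 to v3 upgrade. The check labels (except the last, which is the message in the log), the function names and the sample usernames are constructed for illustration, and checks that the policy may run after the point where the log stops are not covered.

```python
import re

# The four checks shown in the debug output, in the order they are evaluated.
# Only the last label is text taken from the log; the others are descriptive
# names chosen for this example.
CHECKS = [
    ("contains whitespace",
     lambda u: re.search(r" ", u) is not None),
    ("multiple @ characters",
     lambda u: re.search(r"@[^@]*@", u) is not None),
    ("contains '..'",
     lambda u: re.search(r"\.\.", u) is not None),
    ("Realm does not have at least one dot separator",
     lambda u: re.search(r"@", u) is not None
     and re.search(r"@(.+)\.(.+)$", u) is None),
]


def first_rejection(username):
    """Return the label of the first check that would reject, else None."""
    for label, rejects in CHECKS:
        if rejects(username):
            return label
    return None


def audit(usernames):
    """Map every username that would be rejected to the check that fails."""
    failures = {}
    for name in usernames:
        reason = first_rejection(name)
        if reason is not None:
            failures[name] = reason
    return failures


# Constructed sample input; in practice this would be the distinct usernames
# exported from the radcheck table.
SAMPLE_USERS = [
    "user1@mn1",            # the form seen in the debug output
    "user1",                # no realm at all: the realm check does not apply
    "user1@mn1.example",    # realm with a dot
    "user 1",
    "a@b@c.example",
    "user1@mn1..example",
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_USERS).items():
        print(f"{name!r}: {reason}")
```

Usernames reported only under the last label are the ones affected by the check discussed in the reply above.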



