Stripping the domain from the username
Alan DeKok
aland at deployingradius.com
Sun Jan 12 15:29:39 CET 2020
On Jan 12, 2020, at 5:48 AM, Stuart Ramdeen <stuart at crossover.solutions> wrote:
>
> I would be grateful for some pointers with an issue I am experiencing at a
> customer's site.
> I need to strip the domain part of the username that users are
> authenticating with.
Note: do NOT change the User-Name. It WILL break everything.
> For example, a user will type in bob@example.com
> during authentication to the wireless network, but the username at the
> backend in the directory system is just 'bob'. I know that this is a common
> request of freeradius and I have tried to configure it in the conf files,
> but clearly I am not doing something correctly. I can't seem to get the
> 'Stripped-User-Name' to be used where I expect it.
The default configuration works. All you do is add "example.com" in proxy.conf as a LOCAL realm, and everything will just work.
> sh-3.2# radiusd -X
> radiusd: FreeRADIUS Version 2.2.9, for host i386-apple-darwin13.0, built on
That's been EOL for many, many years. I suggest moving to v3. Or at least 2.2.10.
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.236.44 port 1815, id=240,
> length=225
> User-Name = "radiustest@example.co.uk"
Note: this is the full name.
> EAP-Message =
> 0x02010022017261646975737465737440676f73682e63616d64656e2e7363682e756b
And EAP. The above line *also* contains the full user name.
> Aruba-Essid-Name = "school"
> Aruba-Location-Id = "ICT-TEST"
> Aruba-AP-Group = "test"
> Message-Authenticator = 0xcb3673c30e1a008614b794492d7bdc13
> Proxy-State = 0x3230
> # Executing section authorize from file
> /Library/Server/radius/raddb/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[chap] = noop
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] Looking up realm "example.co.uk" for User-Name = "radiustest@example.co.uk"
> [suffix] Found realm "example.co.uk"
> [suffix] Adding Stripped-User-Name = "radiustest"
> [suffix] Adding Realm = "example.co.uk"
> [suffix] Proxying request from user radiustest to realm example.co.uk
> [suffix] Preparing to proxy authentication request to realm "example.co.uk"
> ++[suffix] = updated
That's all fine, except for the proxying bit.
> [eap] Request is supposed to be proxied to Realm example.co.uk. Not doing
> EAP.
> ++[eap] = noop
> ++[files] = noop
> [opendirectory] The host 192.168.236.44 does not have an access group.
> [opendirectory] User radiustest exists in OD
> [opendirectory] User radiustest is a member of the RADUIS SACL
> [opendirectory] Setting Auth-Type = opendirectory
> ++[opendirectory] = ok
> ++[expiration] = noop
> ++[logintime] = noop
> ++[pap] = noop
> +} # group authorize = updated
> WARNING: Empty pre-proxy section. Using default return values.
> Sending Access-Request of id 175 to 127.0.0.1 port 1812
> User-Name = "radiustest"
There's the issue. The User-Name shouldn't be mangled during proxying.
> ...
> Proxying request 0 to home server 127.0.0.1 port 1812
> Sending Access-Request of id 175 to 127.0.0.1 port 1812
> ...
> Waking up in 0.9 seconds.
> rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=175,
> length=211
> User-Name = "radiustest"
Uh... what? Why is the server proxying the packet to itself? This isn't necessary. There's just no need to make the configuration this complex.
Change the proxy.conf config to have:
realm example.co.uk {
}
The server will treat "example.co.uk" as a local realm, and do authentication itself. It will work.
Alan DeKok.
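The behaviour described in this reply, modelled in a small Python example added here (it is not FreeRADIUS source code and not part of the original mail): the "suffix" realm handling splits the User-Name at the delimiter, looks the realm up, and adds Stripped-User-Name and Realm without touching User-Name. A realm with no home servers (the empty `realm example.co.uk { }` block above) is LOCAL, so the request is authenticated on this server instead of being proxied; backend modules then use Stripped-User-Name when it is present. The realm table, the `proxy_to` field and the case-insensitive realm lookup are assumptions of this model.

```python
"""
Illustrative model of FreeRADIUS realm stripping (not the real rlm_realm code).

Constructed realm table standing in for proxy.conf:
  realm example.co.uk { }                 -> no home servers: LOCAL realm
  realm partner.example { pool ... }      -> has a pool: would be proxied
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Realm:
    name: str
    auth_pool: Optional[str] = None  # None means no home servers, i.e. LOCAL

    @property
    def is_local(self) -> bool:
        return self.auth_pool is None


# Constructed data for this example only.
REALMS: Dict[str, Realm] = {
    "example.co.uk": Realm("example.co.uk"),
    "partner.example": Realm("partner.example", auth_pool="partner_pool"),
}


def split_suffix(user_name: str, delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """Split 'user@realm' at the last delimiter (suffix format).

    Returns (user, realm) with the realm lower-cased for lookup, or
    (user_name, None) when there is no delimiter at all.
    """
    if delimiter not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition(delimiter)
    return user, realm.lower()


def authorize(request: dict) -> dict:
    """Return a copy of the request with the attributes 'suffix' would add.

    User-Name is never modified.  When the realm is known, Stripped-User-Name
    and Realm are added; 'proxy_to' (an assumed field for this model) is None
    for a LOCAL realm and the pool name for a realm with home servers.
    """
    req = dict(request)
    user, realm_name = split_suffix(req["User-Name"])
    if realm_name is None:
        return req  # no delimiter: suffix returns noop
    realm = REALMS.get(realm_name)
    if realm is None:
        return req  # unknown realm: nothing added, request stays local
    req["Stripped-User-Name"] = user
    req["Realm"] = realm.name
    req["proxy_to"] = None if realm.is_local else realm.auth_pool
    return req


def backend_name(request: dict) -> str:
    """Name a directory backend looks up: Stripped-User-Name if set, else User-Name."""
    return request.get("Stripped-User-Name", request["User-Name"])


if __name__ == "__main__":
    for name in ("radiustest@example.co.uk", "alice@partner.example", "bob"):
        r = authorize({"User-Name": name})
        print(name, "->", backend_name(r), "proxy_to:", r.get("proxy_to"))
```

With the LOCAL realm in place the first request keeps `User-Name = "radiustest@example.co.uk"`, gains `Stripped-User-Name = "radiustest"`, and is not proxied, which is exactly the outcome the reply is steering towards.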