Freeradius-Users Digest, Vol 183, Issue 16
Luveh Keraph
1.41421 at gmail.com
Fri Jul 10 16:20:28 CEST 2020
Here is a copy of my users file, with all comments removed:
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

abcXYZ User-Password != "MyPassword1"
abcXYZ Cleartext-Password := "MyPassword1"
        MyAttrTag = "One"

abcxyz User-Password != "MyPassword2"
abcxyz Cleartext-Password := "MyPassword2"
        MyAttrTag = "Two"
And here's debugging information obtained at the FreeRADIUS server,
launched with -sxXf when a client is requesting to be authenticated as
abcXYZ over SSH, but using the password assigned to abcxyz in the users
file. A line that reads EXPAND
%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}} would seem to reveal that
the received username is indeed converted to all lowercase by the
FreeRADIUS server. I searched for references to the above in the FreeRADIUS
files, and here is what I found:
../raddb/mods-available/couchbase: user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}"
../raddb/mods-available/couchbase:# simul_vkey = "%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}"
../raddb/mods-available/files: key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}"
Is it just a matter of getting rid of the 'key' line in the files directory?
Fri Jul 10 07:49:59 2020 : Debug: (39) Received Access-Request Id 57 from 192.168.0.67:44859 to 192.168.0.23:1812 length 92
Fri Jul 10 07:49:59 2020 : Debug: (39)   User-Name = "abcXYZ"
Fri Jul 10 07:49:59 2020 : Debug: (39)   User-Password = "MyPassword2"
Fri Jul 10 07:49:59 2020 : Debug: (39)   NAS-IP-Address = 192.168.0.67
Fri Jul 10 07:49:59 2020 : Debug: (39)   NAS-Identifier = "sshd"
Fri Jul 10 07:49:59 2020 : Debug: (39)   NAS-Port = 22973
Fri Jul 10 07:49:59 2020 : Debug: (39)   NAS-Port-Type = Virtual
Fri Jul 10 07:49:59 2020 : Debug: (39)   Service-Type = Authenticate-Only
Fri Jul 10 07:49:59 2020 : Debug: (39)   Calling-Station-Id = "192.168.0.23"
Fri Jul 10 07:49:59 2020 : Debug: (39) session-state: No State attribute
Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing section authorize from file /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default
Fri Jul 10 07:49:59 2020 : Debug: (39)   authorize {
Fri Jul 10 07:49:59 2020 : Debug: (39)     policy filter_username {
Fri Jul 10 07:49:59 2020 : Debug: (39)       if (&User-Name) {
Fri Jul 10 07:49:59 2020 : Debug: (39)       if (&User-Name) -> TRUE
Fri Jul 10 07:49:59 2020 : Debug: (39)       if (&User-Name) {
Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ / /) {
Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ / /) -> FALSE
Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /@[^@]*@/ ) {
Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /@[^@]*@/ ) -> FALSE
Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /\.\./ ) {
Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /\.\./ ) -> FALSE
Fri Jul 10 07:49:59 2020 : Debug: (39)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
Fri Jul 10 07:49:59 2020 : Debug: (39)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /\.$/) {
Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /\.$/) -> FALSE
Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /@\./) {
Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /@\./) -> FALSE
Fri Jul 10 07:49:59 2020 : Debug: (39)       } # if (&User-Name) = notfound
Fri Jul 10 07:49:59 2020 : Debug: (39)     } # policy filter_username = notfound
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling preprocess (rlm_preprocess)
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned from preprocess (rlm_preprocess)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [preprocess] = ok
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling chap (rlm_chap)
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned from chap (rlm_chap)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [chap] = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling mschap (rlm_mschap)
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned from mschap (rlm_mschap)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [mschap] = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling digest (rlm_digest)
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned from digest (rlm_digest)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [digest] = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling suffix (rlm_realm)
Fri Jul 10 07:49:59 2020 : Debug: (39)     suffix: Checking for suffix after "@"
Fri Jul 10 07:49:59 2020 : Debug: (39)     suffix: No '@' in User-Name = "abcXYZ", looking up realm NULL
Fri Jul 10 07:49:59 2020 : Debug: (39)     suffix: No such realm "NULL"
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned from suffix (rlm_realm)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [suffix] = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling eap (rlm_eap)
Fri Jul 10 07:49:59 2020 : Debug: (39)     eap: No EAP-Message, not doing EAP
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned from eap (rlm_eap)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [eap] = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling files (rlm_files)
Fri Jul 10 07:49:59 2020 : Debug: %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}
Fri Jul 10 07:49:59 2020 : Debug: Parsed xlat tree:
Fri Jul 10 07:49:59 2020 : Debug: XLAT-IF {
Fri Jul 10 07:49:59 2020 : Debug:   attribute --> Stripped-User-Name
Fri Jul 10 07:49:59 2020 : Debug: }
Fri Jul 10 07:49:59 2020 : Debug: XLAT-ELSE {
Fri Jul 10 07:49:59 2020 : Debug:   xlat --> tolower
Fri Jul 10 07:49:59 2020 : Debug:   {
Fri Jul 10 07:49:59 2020 : Debug:     attribute --> User-Name
Fri Jul 10 07:49:59 2020 : Debug:   }
Fri Jul 10 07:49:59 2020 : Debug: }
Fri Jul 10 07:49:59 2020 : Debug: (39)     files: EXPAND %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}
Fri Jul 10 07:49:59 2020 : Debug: (39)     files:    --> abcxyz
Fri Jul 10 07:49:59 2020 : Debug: (39)     files: users: Matched entry abcxyz at line 16
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned from files (rlm_files)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [files] = ok
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling expiration (rlm_expiration)
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned from expiration (rlm_expiration)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [expiration] = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling logintime (rlm_logintime)
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned from logintime (rlm_logintime)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [logintime] = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling pap (rlm_pap)
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned from pap (rlm_pap)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [pap] = updated
Fri Jul 10 07:49:59 2020 : Debug: (39)   } # authorize = updated
Fri Jul 10 07:49:59 2020 : Debug: (39) Found Auth-Type = PAP
Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing group from file /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default
Fri Jul 10 07:49:59 2020 : Debug: (39)   Auth-Type PAP {
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authenticate]: calling pap (rlm_pap)
Fri Jul 10 07:49:59 2020 : Debug: (39)     pap: Login attempt with password "MyPassword2" (9)
Fri Jul 10 07:49:59 2020 : Debug: (39)     pap: Comparing with "known good" Cleartext-Password "MyPassword2" (9)
Fri Jul 10 07:49:59 2020 : Debug: (39)     pap: User authenticated successfully
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authenticate]: returned from pap (rlm_pap)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [pap] = ok
Fri Jul 10 07:49:59 2020 : Debug: (39)   } # Auth-Type PAP = ok
Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing section post-auth from file /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default
Fri Jul 10 07:49:59 2020 : Debug: (39)   post-auth {
Fri Jul 10 07:49:59 2020 : Debug: (39)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
Fri Jul 10 07:49:59 2020 : Debug: (39)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
Fri Jul 10 07:49:59 2020 : Debug: (39)     update {
Fri Jul 10 07:49:59 2020 : Debug: (39)       No attributes updated for RHS &session-state:
Fri Jul 10 07:49:59 2020 : Debug: (39)     } # update = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[post-auth]: calling exec (rlm_exec)
Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[post-auth]: returned from exec (rlm_exec)
Fri Jul 10 07:49:59 2020 : Debug: (39)     [exec] = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)     policy remove_reply_message_if_eap {
Fri Jul 10 07:49:59 2020 : Debug: (39)       if (&reply:EAP-Message && &reply:Reply-Message) {
Fri Jul 10 07:49:59 2020 : Debug: (39)       if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
Fri Jul 10 07:49:59 2020 : Debug: (39)       else {
Fri Jul 10 07:49:59 2020 : Debug: (39)         modsingle[post-auth]: calling noop (rlm_always)
Fri Jul 10 07:49:59 2020 : Debug: (39)         modsingle[post-auth]: returned from noop (rlm_always)
Fri Jul 10 07:49:59 2020 : Debug: (39)         [noop] = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)       } # else = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)     } # policy remove_reply_message_if_eap = noop
Fri Jul 10 07:49:59 2020 : Debug: (39)   } # post-auth = noop
Fri Jul 10 07:49:59 2020 : Debug: (39) Sent Access-Accept Id 57 from 192.168.0.23:1812 to 192.168.123.67:44859 length 0
Fri Jul 10 07:49:59 2020 : Debug: (39)   MyAttrTag = "Two"
Fri Jul 10 07:49:59 2020 : Debug: (39) Finished request
Fri Jul 10 07:49:59 2020 : Debug: Waking up in 4.9 seconds.
Fri Jul 10 07:50:04 2020 : Debug: (39) Cleaning up request packet ID 57 with timestamp +150091
Fri Jul 10 07:50:04 2020 : Info: Ready to process requests
On Thu, Jul 9, 2020 at 12:19 PM <freeradius-users-request at lists.freeradius.org> wrote:
>
> On Jul 9, 2020, at 11:12 AM, Luveh Keraph <1.41421 at gmail.com> wrote:
> >
> > I have a FreeRADIUS 3.0.20 server with the following entries in
> > /etc/raddb/users:
> >
> > abcXYZ User-Password != "MyPassword1"
> > abcXYZ Cleartext-Password := "MyPassword1"
> > MyAttrTag = "One"
> >
> > abcxyz User-Password != "MyPassword2"
> > abcxyz Cleartext-Password := "MyPassword2"
> > MyAttrTag = "Two"
> >
> > MyAttrTag is a VSA of my own, which both client and server are aware of.
>
> OK.
>
> > When I try to authenticate abcXYZ against this server (with radtest, or by
> > SSH through PAM) the password I have to supply is MyPassword2 - MyPassword1
> > will not work. When the authentication is successfully completed, I can see
> > that the value of MyAttrTag sent by the server is always "Two", which is of
> > course consistent with the above.
> >
> > In fact, I can try different camel-case versions of abcxyz, not necessarily
> > with matching entries in /etc/raddb/users, and in all cases my server will
> > just use the entry for abcxyz in that file. I.e. my FreeRADIUS server
> > processes user names case-insensitively.
>
> The default configuration for the "users" file is to be case sensitive.
> So if it is case INsensitive, you changed something in your local
> configuration.
>
> > Can my FreeRADIUS server be configured so that it processes user names (not
> > passwords) in a case-sensitive way? In the example above, abcxyz and abcXYZ
> > would be two different users, with two different passwords. I have seen a
> > few suggestions on the net, but they seem to be constrained to version 2.*
> > servers.
>
> http://wiki.freeradius.org/list-help
>
> Post the debug output. We say this EVERYWHERE in the documentation, and
> pretty much daily on the list.
>
> Alan DeKok.
>
>
>
>
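To make the match shown in the debug output above concrete, here is an added Python model of the rlm_files "users" lookup (example code written for this thread, not FreeRADIUS's own). It parses the users file from the post and runs the same request (User-Name abcXYZ, User-Password MyPassword2) through two key expansions: the `%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}` line the post found in mods-available/files, and the case-preserving `%{%{Stripped-User-Name}:-%{User-Name}}` that the stock 3.0 files module config documents in its commented-out key line (the case-sensitive default Alan's reply refers to). The parser, the check-item comparison (an attribute absent from the request fails the comparison; Fall-Through is not modelled) and the one-line PAP step are simplifications made for this model, not rlm_files internals.

```python
"""Model of the rlm_files 'users' lookup, showing how the key expansion decides
which entry a request matches. Example code written for this thread, not
FreeRADIUS's own; parser, comparison and PAP step are deliberate simplifications."""
import re
from dataclasses import dataclass, field

# Constructed sample: the users file from the post (the SLIP DEFAULT entries omitted).
USERS_FILE = """\
DEFAULT Framed-Protocol == PPP
\tFramed-Protocol = PPP,
\tFramed-Compression = Van-Jacobson-TCP-IP

abcXYZ User-Password != "MyPassword1"
abcXYZ Cleartext-Password := "MyPassword1"
\tMyAttrTag = "One"

abcxyz User-Password != "MyPassword2"
abcxyz Cleartext-Password := "MyPassword2"
\tMyAttrTag = "Two"
"""

# attribute, operator, value (value is either "quoted" or a bare word)
ITEM_RE = re.compile(r'([\w-]+)\s*(==|!=|:=|=)\s*("[^"]*"|[^,\s]+)')


@dataclass
class Entry:
    line: int
    name: str
    check: list = field(default_factory=list)    # (attr, op, value): compared against the request
    control: list = field(default_factory=list)  # (attr, value): set on match (':=' / '=' items)
    reply: list = field(default_factory=list)    # (attr, value): sent back on match


def parse_items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Unindented line = new entry (name plus check items); indented lines = reply items."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line[0] in " \t":
            entries[-1].reply.extend((a, v) for a, _, v in parse_items(line))
            continue
        parts = line.split(None, 1)
        items = parse_items(parts[1]) if len(parts) > 1 else []
        entries.append(Entry(
            line=lineno,
            name=parts[0],
            check=[i for i in items if i[1] in ("==", "!=")],
            control=[(a, v) for a, op, v in items if op in (":=", "=")],
        ))
    return entries


# The two key expansions. The %{x:-y} xlat yields x when it is set, otherwise y.
def key_tolower(request):
    """%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}: the line found in mods-available/files."""
    return request.get("Stripped-User-Name") or request.get("User-Name", "").lower()


def key_case_preserving(request):
    """%{%{Stripped-User-Name}:-%{User-Name}}: no case folding."""
    return request.get("Stripped-User-Name") or request.get("User-Name", "")


def check_matches(entry, request):
    for attr, op, value in entry.check:
        if attr not in request:      # simplification: an absent attribute fails either comparison
            return False
        if op == "==" and request[attr] != value:
            return False
        if op == "!=" and request[attr] == value:
            return False
    return True


def files_lookup(entries, request, key_func):
    """First entry, in file order, whose name equals the key (or is DEFAULT) and whose
    check items all pass. Fall-Through is not modelled, so the first match wins."""
    name = key_func(request)
    for entry in entries:
        if entry.name in (name, "DEFAULT") and check_matches(entry, request):
            return entry
    return None


def authenticate(entries, request, key_func):
    """authorize (files) followed by a one-line PAP step, as in the debug output."""
    entry = files_lookup(entries, request, key_func)
    if entry is None:
        return {"matched": None, "result": "reject", "reply": {}}
    known_good = dict(entry.control).get("Cleartext-Password")
    # No Cleartext-Password in control: pap stays noop, no Auth-Type is found, reject.
    if known_good is None or known_good != request.get("User-Password"):
        return {"matched": (entry.name, entry.line), "result": "reject", "reply": {}}
    return {"matched": (entry.name, entry.line), "result": "accept", "reply": dict(entry.reply)}


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    request = {"User-Name": "abcXYZ", "User-Password": "MyPassword2"}
    for key_func in (key_tolower, key_case_preserving):
        print(key_func.__name__, "->", authenticate(entries, request, key_func))
```

With the lowered key the request lands on the second abcxyz entry and comes back accepted with MyAttrTag "Two", which is what the debug log shows. With the case-preserving key the same request first meets `abcXYZ User-Password != "MyPassword1"`, which matches (the password is not MyPassword1) but sets no Cleartext-Password, so the model rejects it; only abcXYZ with MyPassword1 is accepted, with MyAttrTag "One".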