Need help with FreeRADIUS stripping NT domain name from usernames
Nazar Tareyev
nazzartareev at mail.ru
Mon Aug 2 13:28:55 CEST 2021
Hello guys.
Are there any FreeRADIUS professionals or experienced admins here? I need help with
stripping the domain name from the username. I've inherited this FreeRADIUS
installation from the previous admin and am struggling to understand how it was
configured in full. But as far as I can see, the stripping and policy config is pretty
much default; nothing was changed there.
Users in our network use the DOMAIN\Username format. When they log on with just the
username, authorization works as needed. When they use DOMAIN\Username,
RADIUS rejects the login request.
How do I configure FreeRADIUS to allow both username and DOMAIN\Username
formats to be used? How do I strip DOMAIN\ from username?
From the debug output I can see that RADIUS uses the section 'authorize from file
/etc/raddb/sites-enabled/default' and the policy 'filter_username'. I can also
see that RADIUS uses a stripping rule for usernames in the user at domain.com format,
which we don't use.
Do I need to add something to this 'filter_username' config file to get it to
work as needed? Can someone please help me with this? I can post configs if
needed.
Thanks in advance!
Here is the debug info. Note that some fields were changed to hide names and
addresses.
(9) Received Access-Request Id 207 from xx.xx.xx.xx:41261 to
yy.yy.yy.yy:1812 length 285
(9) User-Name = "DOMAIN\\Username"
(9) Chargeable-User-Identity = 0x32
(9) Location-Capable = Civic-Location
(9) Calling-Station-Id = "f8-28-19-5c-4e-cb"
(9) Called-Station-Id = "00-27-e3-ff-c9-a0:WIFI"
(9) NAS-Port = 1
(9) Cisco-AVPair = "audit-session-id=326e0a0a0001671fa3020061"
(9) Acct-Session-Id = "610002a3/f8:28:19:5c:4e:cb/99737"
(9) NAS-IP-Address = xx.xx.xx.xx
(9) NAS-Identifier = "Cisco1832wlc"
(9) Airespace-Wlan-Id = 8
(9) Service-Type = Framed-User
(9) Framed-MTU = 1300
(9) NAS-Port-Type = Wireless-802.11
(9) EAP-Message = 0x0205001119800000000715030300020230
(9) State = 0x862de6f98528fff7b8c91607fcd06da7
(9) Message-Authenticator = 0xc8f22392cb9af7cdd37553e86e4f98ae
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "DOMAIN\Username", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 5 length 17
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x862de6f98528fff7
(9) eap: Finished EAP session with state 0x862de6f98528fff7
(9) eap: Previous EAP request found for state 0x862de6f98528fff7, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(9) eap_peap: Got complete TLS record (7 bytes)
(9) eap_peap: [eaptls verify] = length included
(9) eap_peap: <<< recv TLS 1.2 [length 0002]
(9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(9) eap_peap: ERROR: TLS_accept: Failed in error
(9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
(9) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1
alert unknown ca
(9) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl
handshake failure
(9) eap_peap: ERROR: System call (I/O) error (-1)
(9) eap_peap: ERROR: TLS receive handshake failed during operation
(9) eap_peap: ERROR: [eaptls process] = fail
(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(9) eap: Sending EAP Failure (code 4) ID 5 length 4
(9) eap: Failed in EAP select
(9) [eap] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user
(9) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA):
[DOMAIN\Username] (from client Cisco1832wlc port 1 cli f8-28-19-5c-4e-cb)
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) sql: EXPAND .query
(9) sql: --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (6)
(9) sql: EXPAND %{User-Name}
(9) sql: --> DOMAIN\\Username
(9) sql: SQL-User-Name set to 'DOMAIN\\Username'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'DOMAIN=5C=5CUsername', '', 'Access-Reject', '2021-07-27
18:57:11.875173')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'DOMAIN=5C=5CUsername', '', 'Access-Reject', '2021-07-27
18:57:11.875173')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (6)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (8), 1 of 30 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 10.1.48-MariaDB, protocol version 10
(9) [sql] = ok
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> DOMAIN\\Username
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) [eap] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(0) Cleaning up request packet ID 198 with timestamp +61
(1) Cleaning up request packet ID 199 with timestamp +61
(2) Cleaning up request packet ID 200 with timestamp +61
(3) Cleaning up request packet ID 201 with timestamp +61
(4) Cleaning up request packet ID 202 with timestamp +61
Waking up in 0.2 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 207 from yy.yy.yy.yy:1812 to xx.xx.xx.xx:41261
length 44
(9) EAP-Message = 0x04050004
(9) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(5) Cleaning up request packet ID 203 with timestamp +65
(6) Cleaning up request packet ID 204 with timestamp +65
(7) Cleaning up request packet ID 205 with timestamp +65
(8) Cleaning up request packet ID 206 with timestamp +65
(9) Cleaning up request packet ID 207 with timestamp +65
Ready to process requests
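Two things in the debug transcript above are worth separating when reading it as a defender: the username checks the default filter_username policy applies (the six regex tests visible in the authorize section, all of which pass for "DOMAIN\Username"), and the actual reject reason recorded in the 'Login incorrect (...)' line, which here is a TLS alert ('unknown CA') inside the PEAP tunnel rather than a username-format problem. The Python below is an added example, not code from the original post or from the FreeRADIUS project: it mirrors the filter_username checks, splits a User-Name into (user, realm) for both DOMAIN\user and user@realm forms, and pulls the reject reason out of debug lines. The sample transcript is constructed from the post; the choice to split NT-style names at the first backslash and suffix-style names at the last '@' is this example's assumption about how a stripping policy would behave, not a statement about rlm_realm's internals.

```python
import re

# Constructed sample, modelled on the debug transcript in the post above.
SAMPLE_DEBUG = r"""(9) User-Name = "DOMAIN\\Username"
(9) suffix: No '@' in User-Name = "DOMAIN\Username", looking up realm NULL
(9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(9) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [DOMAIN\Username] (from client Cisco1832wlc port 1 cli f8-28-19-5c-4e-cb)
(9) Sent Access-Reject Id 207 from yy.yy.yy.yy:1812 to xx.xx.xx.xx:41261 length 44
"""


def filter_username(user_name):
    """Apply the six checks of the default filter_username policy seen in the
    debug output. Returns None if the name passes, else a short reason."""
    checks = [
        (lambda s: re.search(r' ', s), 'contains whitespace'),
        (lambda s: re.search(r'@[^@]*@', s), 'more than one @'),
        (lambda s: re.search(r'\.\.', s), 'consecutive dots'),
        # '@' present but nothing dot-separated follows it (e.g. user@localhost)
        (lambda s: re.search(r'@', s) and not re.search(r'@(.+)\.(.+)$', s),
         'realm has no dot'),
        (lambda s: re.search(r'\.$', s), 'trailing dot'),
        (lambda s: re.search(r'@\.', s), 'realm starts with a dot'),
    ]
    for test, reason in checks:
        if test(user_name):
            return reason
    return None


def split_user_name(user_name):
    """Return (stripped_user, realm). Assumption of this example: an NT-style
    name is split at the first backslash, a suffix-style name at the last '@',
    and a bare username is returned unchanged with realm None."""
    if '\\' in user_name:
        domain, user = user_name.split('\\', 1)
        return user, domain
    if '@' in user_name:
        user, realm = user_name.rsplit('@', 1)
        return user, realm
    return user_name, None


# Matches the summary line FreeRADIUS prints for a rejected request.
LOGIN_INCORRECT_RE = re.compile(
    r'^\(\d+\) Login incorrect \((?P<reason>.*)\): \[(?P<user>[^\]]*)\]')


def reject_reasons(debug_text):
    """Extract (user, reason) pairs from 'Login incorrect' lines, so the real
    cause of a reject can be read off without scanning the whole transcript."""
    found = []
    for line in debug_text.splitlines():
        m = LOGIN_INCORRECT_RE.match(line)
        if m:
            found.append((m.group('user'), m.group('reason')))
    return found


if __name__ == '__main__':
    for name in ['DOMAIN\\Username', 'Username', 'user@example.com', 'user@localhost']:
        print(f'{name!r}: filter={filter_username(name)} split={split_user_name(name)}')
    for user, reason in reject_reasons(SAMPLE_DEBUG):
        print(f'reject for {user!r}: {reason}')
```

Running it against the constructed transcript reports the reject for 'DOMAIN\Username' with reason 'eap_peap: TLS Alert read:fatal:unknown CA', while filter_username returns None for that name; that is the distinction worth checking before changing the username policy.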