Masquerading MSCHAPv2 User-Name?

David Herselman dhe at syrex.co
Fri Feb 19 16:16:32 CET 2021


Hi,

I like the simplicity of being able to use the rlm_files authorize file to manage collections of clients by AD group membership. Using Samba winbind presents AD as local Linux accounts and groups. The following example is where I've defined clients with shortname set as checkpoint_gaia:

DEFAULT FreeRADIUS-Client-Shortname == "checkpoint_gaia", Group == "checkpoint_gaia_view"
        CP-Gaia-User-Role = "monitorRole",
        CP-Gaia-SuperUser-Access = "0"
DEFAULT FreeRADIUS-Client-Shortname == "checkpoint_gaia", Group == "checkpoint_gaia_full"
        CP-Gaia-User-Role = "adminRole",
        CP-Gaia-SuperUser-Access = "1"
DEFAULT FreeRADIUS-Client-Shortname == "checkpoint_gaia", Auth-Type := Reject
        Reply-Message = "Access Denied - Not a member of any checkpoint_gaia security groups"
DEFAULT Auth-Type := Reject
        Reply-Message = "Access Denied"

I therefore needed to change the username before running files in authorize. My current mess is this:
authorize {
        <snip>
        update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
        if (User-Name =~ /^cccccctcikej[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}}
        if (User-Name =~ /^cccccctcikff[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}}
        if (&sAMAccountName) {update request {Yubikey-OTP = "%{User-Name}"}}
        <snip>
        if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}
        files
        if (&sAMAccountName) {update request {User-Name := "%{Yubikey-OTP}"}}
        <snip>
post-auth {
        if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}


Logs subsequently record usernames instead of 44 char token codes.
    Login OK: [davidh] (from client checkpoint_gaia port 0 cli 192.168.1.77) src:100.127.255.10 nas-ip:1 nas-id:router


I would prefer to look up the token identifier (first 12 chars) in a file, but don't know yet how to select a portion of an attribute to do that.

My next puzzle is how to call the yubikey module. I'd naively thought I could stick it in post-auth, to do some kind of late reject. Most probably need to spend some time trawling the web to find out how to trigger the yubikey auth after mschap...


Regards
David Herselman
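Worked example added here (not from the original post or from FreeRADIUS itself): a Python model of the prefix lookup asked about above, with the two public IDs from the post placed in a constructed mapping file instead of hard-coded regexes, and the masquerade/restore steps from the authorize section written as plain functions.

```python
import re

# A Yubikey OTP is 44 modhex chars: 12-char public ID + 32-char encrypted token part.
MODHEX = "cbdefghijklnrtuv"
OTP_RE = re.compile(r"^([%s]{12})[%s]{32}$" % (MODHEX, MODHEX))

# Constructed mapping file (public ID -> sAMAccountName); IDs taken from the post above.
TOKEN_MAP_FILE = """\
# public_id     sAMAccountName
cccccctcikej    davidh
cccccctcikff    philipo
"""

def load_token_map(text):
    """Parse 'public_id user' lines, ignoring comments and blanks."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            public_id, user = line.split()
            mapping[public_id] = user
    return mapping

def public_id(user_name):
    """Return the 12-char token identifier if User-Name is a well-formed OTP, else None."""
    m = OTP_RE.match(user_name)
    return m.group(1) if m else None

def masquerade(request, token_map):
    """Authorize-time swap: stash the OTP, put the AD account in User-Name so the
    files module's Group checks run against the user; unknown tokens are left alone."""
    user = token_map.get(public_id(request.get("User-Name", "")) or "")
    if user is None:
        return request
    out = dict(request)
    out["Yubikey-OTP"] = request["User-Name"]
    out["sAMAccountName"] = user
    out["User-Name"] = user
    return out

def restore_otp(request):
    """Put the OTP back into User-Name before the yubikey module validates it."""
    if "Yubikey-OTP" not in request:
        return request
    out = dict(request)
    out["User-Name"] = request["Yubikey-OTP"]
    return out
```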


