Masquerading MSCHAPv2 User-Name?
David Herselman
dhe at syrex.co
Sat Feb 20 08:16:37 CET 2021
Hi Alan,
Changing the key in mods-enabled/files unfortunately results in the group checks then failing. It appears 'Group ==' checks require 'User-Name' to be set. Is this possibly a bug?
(1) files: EXPAND %{%{sAMAccountName}:-%{%{Stripped-User-Name}:-%{User-Name}}}
(1) files: --> davidh
(1) files: Failed resolving UID: No error
(1) files: Failed resolving UID: No error
(1) files: Failed resolving UID: No error
(1) files: Failed resolving UID: No error
(1) files: users: Matched entry DEFAULT at line 295
(1) [files] = ok
<snip>
(1) Found Auth-Type = Reject
I had updated key as follows:
key = "%{%{sAMAccountName}:-%{%{Stripped-User-Name}:-%{User-Name}}}"
If I restore the key statement and amend sites-available/default back to the following it works again:
if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}
files
if (&sAMAccountName) {update request {User-Name := "%{Yubikey-OTP}"}}
(1) files: users: Matched entry DEFAULT at line 288
(1) [files] = ok
My rlm_files authorize content:
DEFAULT FreeRADIUS-Client-Shortname == "clients-subnet", Group == "routers_clients_view"
        Mikrotik-Group = "view"
DEFAULT FreeRADIUS-Client-Shortname == "clients-subnet", Group == "routers_clients_restricted"
        Mikrotik-Group = "restricted"
DEFAULT FreeRADIUS-Client-Shortname == "clients-subnet", Group == "routers_clients_nms"
        Mikrotik-Group = "view"
DEFAULT FreeRADIUS-Client-Shortname == "clients-subnet", Group == "routers_clients_full"
        Mikrotik-Group = "full"
DEFAULT FreeRADIUS-Client-Shortname == "clients-subnet", Auth-Type := Reject
Regards
David Herselman
-----Original Message-----
> if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}
> files
I really don't recommend changing User-Name. It is very likely to break all kinds of things.
What you can do is edit mods-enabled/files, and change the key used to look up entries. Use:
key = %{%{sAMAccountName}:-%{User-Name}}