Authentication issues

Alan DeKok aland at deployingradius.com
Tue Jun 21 15:06:51 UTC 2022


On Jun 21, 2022, at 10:39 AM, David le Roux <david.leroux at miller.co.uk> wrote:
>> See the FAQ for "I tried to do stuff, and it didn't work".
> 
> Which FAQ?

  So... you can't google "freeradius faq"?

  There's also the message you got when you joined the list.  It pointed to a web page, and strongly suggested that you read it.  Clearly that didn't happen.

  The problem we have here is that we've spent decades writing documentation, and it just gets ignored.  That's frustrating.

>> What did you do?  What happened?
> 
> I won't have all the details anymore and it would probably just be a list of "how-not-to-do-this" examples anyway. What happened was that nothing changed and the errors reported the same issue.

  So you randomly changed things without being clear about what you changed, or tracking what you did.

>> The server gives MANY ways to re-write attributes, to copy attributes, and to reference them.
> 
> I just need one way to get rid of the host/ portion. The old server uses an attr_rewrite module but that is now deprecated.

  Yes... because you can now write if / then / else statements to rewrite attributes.  This is documented.

> This is what the old server uses:

  All of that can be mechanically rewritten to use unlang statements.

	if (Calling-Station-Id =~ /(^.*:)(.*)/) {
		update request {
			Calling-Station-Id := "%{2}"
		}
	}

  It's that easy.  But doing that requires reading the documentation, understanding how it works, and then trying something.

>> You've set "check_cert_cn" in mods-available/eap.
>> 
>> Can you think of any way to have that refer to another attribute?
> 
> No. Does it even need to be there?

  I really have no idea how to respond to this.

>> Can you think of any way to copy the User-Name to another attribute?  Perhaps with editing?
> 
> You've lost me. Why would I want to copy the User-Name to another attribute? What am I achieving?

  Solving the problem?

>> The server comes with extensive documentation and debugging.  This problem *is* solvable, if you follow a careful process.
> 
> I'm doing my best and still getting lost. There might be extensive documentation but I haven't yet found what I'm looking for.

  There is no documentation which describes exactly how to do everything you want.  Instead, we document how the server works, and rely on people to "fill in the gaps".

  You can read "man unlang" to see how to edit attributes.  The server also comes with extensive examples on using regular expressions, editing attributes, replacing their values, etc.  Just read the various files in sites-available.

  You're just randomly changing things, without trying to understand how the server works.  That's a recipe for disaster.

  Take the "attr_rewrite" rules, and re-write them in plain English.  i.e. "if the packet contains X, then do Y".

  Once you've done that, those English rules can usually be translated pretty directly into "unlang" statements.  If you're not sure how, again... there are dozens of examples of using if / then / else in the server.

  Alan DeKok.
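
The two hints in the message above (copy the User-Name to another attribute with editing, then have check_cert_cn refer to that attribute), written out as an added example that is not part of the original post or the project's shipped configuration. It assumes FreeRADIUS 3.x, the default virtual server, and Stripped-User-Name as the destination attribute; the regular expression is likewise an assumption about what "the host/ portion" looks like.

```unlang
# sites-available/default (assumed virtual server), inside "authorize",
# placed before the "eap" line so the attribute exists when EAP-TLS runs.
# Rule in plain English: "if User-Name starts with host/, copy the rest
# into Stripped-User-Name".  User-Name itself is left unchanged.
if (&User-Name =~ /^host\/(.+)$/) {
	update request {
		&Stripped-User-Name := "%{1}"
	}
}

# mods-available/eap, inside the tls-config section.
# Compare the certificate CN against the edited copy, and fall back to
# the original User-Name when no host/ prefix was present.
check_cert_cn = %{%{Stripped-User-Name}:-%{User-Name}}
```

Running the server with "radiusd -X" shows whether the condition matched and what value check_cert_cn expanded to for each request.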


