Authentication issues
Alan DeKok
aland at deployingradius.com
Fri Jun 24 13:05:33 UTC 2022
On Jun 24, 2022, at 8:56 AM, David le Roux <david.leroux at miller.co.uk> wrote:
> So I used the scriptlet below to remove the host/ section and now no longer get the error message.
>
> if (&User-Name =~ /^host\/(.*)$/) {
>     update request {
>         &Cert-CN := "%{1}"
>     }
> }
That's good.
> However I now get the following error:
>
> (2) if (&User-Name =~ /^host\/(.*)$/) {
> (2) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
> (2) if (&User-Name =~ /^host\/(.*)$/) {
> (2) update request {
> (2) EXPAND %{1}
> (2) --> hostname.domain.com
> (2) &User-Name := hostname.domain.com
That isn't what you posted above. You're editing the User-Name, and not adding a Cert-CN attribute.
It helps to have a methodical approach, and to make sure that you're doing what you think you're doing.
> (2) Found Auth-Type = eap
> (2) Found Auth-Type = eap
> (2) ERROR: Warning: Found 2 auth-types on request for user 'hostname.domain.com'
Don't force "Auth-Type = eap". It's wrong, and it will cause problems. Let the server figure out what to do. It will make the right decision.
> (2) eap: Identity does not match User-Name. Authentication failed
Yup.
> I imagine that having now modified the username it no longer matches its identity. I'm not sure how to remediate that.
Don't modify the User-Name?
Instead, add a Cert-CN, and then modify the "eap" module to check for Cert-CN, and then User-Name:
check_cert_cn = %{%{Cert-CN}:-%{User-Name}}
Alan DeKok.
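The two pieces Alan describes, laid out as one configuration, as an added example (not from the original message and not the FreeRADIUS project's own configuration). It assumes a FreeRADIUS 3.x layout (sites-enabled/default, mods-available/eap), that the EAP-TLS client certificate CN is the bare FQDN while the EAP identity is "host/FQDN", and that Cert-CN has been declared in the local raddb/dictionary, since it is not a stock attribute; the attribute number 3000 below is an arbitrary choice from the local range. The two blocks are fragments to merge into the existing sections, not complete files.

```unlang
# Added example configuration; assumptions are noted inline.

# --- raddb/dictionary (assumed local definition; pick any unused local number) ---
ATTRIBUTE   Cert-CN     3000    string

# --- sites-enabled/default, authorize section ---
authorize {
    # Derive the expected certificate CN from a machine-style identity
    # ("host/fqdn") without rewriting User-Name, so the EAP identity
    # check ("Identity does not match User-Name") still passes.
    if (&User-Name =~ /^host\/(.*)$/) {
        update request {
            &Cert-CN := "%{1}"
        }
    }

    # No "update control { &Auth-Type := eap }" here: the eap module
    # sets Auth-Type itself when it finds an EAP-Message, and forcing it
    # as well produces the "Found 2 auth-types" error.
    eap {
        ok = return
    }
}

# --- mods-available/eap, inside the tls-config block referenced by EAP-TLS ---
tls-config tls-common {
    # Compare the client certificate CN against Cert-CN when it was set
    # above, otherwise fall back to the unmodified User-Name (covers
    # user certificates whose identity is not prefixed with "host/").
    check_cert_cn = %{%{Cert-CN}:-%{User-Name}}
}
```

With this in place, an identity of host/hostname.domain.com yields Cert-CN = hostname.domain.com, which is what check_cert_cn compares to the certificate's CN, while User-Name is left exactly as the supplicant sent it.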
More information about the Freeradius-Users mailing list