Authentication issues
David le Roux
david.leroux at miller.co.uk
Wed Jun 29 10:53:14 UTC 2022
>> /etc/freeradius/3.0/sites-enabled/mh-site[27]: Unknown attribute 'Cert-CN'
>
> Yes, you can't just invent things and have them work. The server uses pre-defined dictionaries of named attributes.
>
> Happily, you can also define new attributes. Edit /etc/freeradius/3.0/dictionary, and add:
>
> ATTRIBUTE Cert-CN 3000 string
>
> and it will be defined, and it will work.
>
> Define the Cert-CN attribute as described above. And add a Cert-CN in the "update" section, instead of over-writing User-Name. It will work.
Thanks, that makes sense. I've done that.
That may have done the trick. However, it still won't authenticate, but I wonder if I've now got a different certificate issue on hand?
(4) Received Access-Request Id 232 from 10.225.80.1:43414 to 10.10.251.2:1812 length 192
(4) User-Name = "host/mh300649.millerextra.com"
(4) NAS-IP-Address = 127.0.0.1
(4) Called-Station-Id = "E0-CB-BC-27-80-60:"
(4) NAS-Port-Type = Ethernet
(4) Service-Type = Framed-User
(4) NAS-Port = 4
(4) Calling-Station-Id = "50-9A-4C-47-69-92"
(4) Acct-Session-Id = "D3EE5FFA3658128F"
(4) Framed-MTU = 1400
(4) EAP-Message = 0x020f002201686f73742f6d683330303634392e6d696c6c657265787472612e636f6d
(4) Message-Authenticator = 0x471a458667926672258467a14bb75939
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) eap: Peer sent EAP Response (code 2) ID 15 length 34
(4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) Auth-Type sub-section not found. Ignoring.
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) Login incorrect: [host/mh300649.millerextra.com] (from client MWAN-10.225.80.1 port 4 cli 50-9A-4C-47-69-92)
(4) Delaying response for 1.000000 seconds
(4) Sending delayed response
(4) Sent Access-Reject Id 232 from 10.10.251.2:1812 to 10.225.80.1:43414 length 20
Thanks a lot.
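For reference, here is an added configuration example (not from this thread or from the FreeRADIUS project) showing the dictionary line from the reply together with the site sections the debug output relates to: "Found Auth-Type = eap" followed by "Auth-Type sub-section not found" means the site's authenticate section has no eap entry for the server to hand the EAP exchange to. It assumes a FreeRADIUS 3.0 layout and that Cert-CN is meant to carry the client certificate's common name from the built-in TLS-Client-Cert-Common-Name attribute; the site name and the other listed modules are placeholders.

```conf
# Added example, not the poster's or the project's own configuration.
# Assumptions: FreeRADIUS 3.0 paths, EAP-TLS clients, and that Cert-CN
# should be filled from TLS-Client-Cert-Common-Name.

# /etc/freeradius/3.0/dictionary : the custom attribute from the reply
ATTRIBUTE   Cert-CN   3000   string

# /etc/freeradius/3.0/sites-enabled/mh-site : relevant sections only
server mh-site {
    authorize {
        filter_username
        preprocess
        eap
    }

    # Without this section the EAP request is found ("Found Auth-Type = eap")
    # but there is nowhere to run it, hence "Auth-Type sub-section not found"
    # and the Access-Reject in the debug output.
    authenticate {
        eap
    }

    post-auth {
        # The client certificate only exists after the TLS handshake, so the
        # copy belongs here rather than in the outer EAP-Identity round.
        if (&TLS-Client-Cert-Common-Name) {
            update request {
                &Cert-CN := &TLS-Client-Cert-Common-Name
            }
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
            eap
        }
    }
}
```

Run the server with radiusd -X after the change and confirm the debug output shows "# Executing group from file .../mh-site" under authenticate instead of the "sub-section not found" line.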