Authentication issues

David le Roux david.leroux at miller.co.uk
Wed Jun 29 10:53:14 UTC 2022


>> /etc/freeradius/3.0/sites-enabled/mh-site[27]: Unknown attribute 'Cert-CN'
>
>  Yes, you can't just invent things and have them work.  The server uses pre-defined dictionaries of named attributes.
>
>  Happily, you can also define new attributes.  Edit /etc/freeradius/3.0/dictionary, and add:
>
>ATTRIBUTE Cert-CN 3000 string
>
>  and it will be defined, and it will work.
>
>  Define the Cert-CN attribute as described above.  And add a Cert-CN in the "update" section, instead of over-writing User-Name.  It will work.

Thanks, that makes sense. I've done that.

That may have done the trick. However, it still won't authenticate, but I wonder if I've now got a different certificate issue on hand?

(4) Received Access-Request Id 232 from 10.225.80.1:43414 to 10.10.251.2:1812 length 192
(4)   User-Name = "host/mh300649.millerextra.com"
(4)   NAS-IP-Address = 127.0.0.1
(4)   Called-Station-Id = "E0-CB-BC-27-80-60:"
(4)   NAS-Port-Type = Ethernet
(4)   Service-Type = Framed-User
(4)   NAS-Port = 4
(4)   Calling-Station-Id = "50-9A-4C-47-69-92"
(4)   Acct-Session-Id = "D3EE5FFA3658128F"
(4)   Framed-MTU = 1400
(4)   EAP-Message = 0x020f002201686f73742f6d683330303634392e6d696c6c657265787472612e636f6d
(4)   Message-Authenticator = 0x471a458667926672258467a14bb75939
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4) eap: Peer sent EAP Response (code 2) ID 15 length 34
(4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) Auth-Type sub-section not found.  Ignoring.
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) Login incorrect: [host/mh300649.millerextra.com] (from client MWAN-10.225.80.1 port 4 cli 50-9A-4C-47-69-92)
(4) Delaying response for 1.000000 seconds
(4) Sending delayed response
(4) Sent Access-Reject Id 232 from 10.10.251.2:1812 to 10.225.80.1:43414 length 20

Thanks a lot.
Miller Homes Limited Registered in Scotland - SC255429
2 Lochside View, Edinburgh Park, Edinburgh, EH12 9DH
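An added example, not taken from this thread or from the FreeRADIUS project, of how the dictionary line and the "update" section described in the quoted reply fit together in a virtual server. The debug output above prints "Found Auth-Type = eap" and then "Auth-Type sub-section not found. Ignoring." before the reject; that second line is what the server logs when the virtual server's authenticate section has no eap entry, so the fragment below includes one. The section layout, the use of post-auth, the attribute name TLS-Client-Cert-Common-Name as the source of the CN, and the attr_filter call are assumptions about a typical EAP-TLS setup, not the poster's real mh-site file.

```unlang
# /etc/freeradius/3.0/dictionary  (local additions)
# Name and number are the ones given in the reply above.  Numbers above 255
# are server-internal in FreeRADIUS 3.0: the attribute is never sent on the wire.
ATTRIBUTE   Cert-CN     3000    string

# /etc/freeradius/3.0/sites-enabled/mh-site  (assumed minimal layout; listen
# sections omitted).  "mh-site" is the file name shown in the debug output.
server mh-site {
    authorize {
        filter_username
        preprocess
        chap
        # The EAP-Identity reply returns "ok" here, as the debug output shows.
        eap {
            ok = return
        }
    }

    # Without an "eap" entry in this section the server logs
    # "Auth-Type sub-section not found. Ignoring." and sends Access-Reject.
    authenticate {
        eap
    }

    post-auth {
        # Copy the client certificate's CN into the locally defined attribute
        # instead of overwriting User-Name (which stays as the supplicant sent it,
        # e.g. host/mh300649.millerextra.com).  Assumption: EAP-TLS is in use, so
        # the eap module has populated TLS-Client-Cert-Common-Name by this point.
        if (&TLS-Client-Cert-Common-Name) {
            update request {
                &Cert-CN := "%{TLS-Client-Cert-Common-Name}"
            }
        }

        # Gives the reject path a sub-section, so "Post-Auth-Type sub-section
        # not found" no longer appears and reply attributes are filtered.
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
```

After editing, run `radiusd -XC` (or `freeradius -XC` on Debian-based systems) to check the configuration parses, then `radiusd -X` and repeat the test: the "Auth-Type sub-section not found" line should be gone, and any remaining failure will be reported by the eap module itself during the TLS handshake.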