Ok, did that, and the connection gets farther now. I don't quite
understand how to get the other modules to use the stripped-user-name now.
rlm_attr_rewrite: Added attribute Stripped-User-Name with value
'host/itf-toshiba-asd'
modcall[authorize]: module "copy.user-name" returns ok for request 6
radius_xlat: '^host/(.*)'
radius_xlat: 'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from
'host/itf-toshiba-asd' to 'itf-toshiba-asd$'
modcall[authorize]: module "add-dollar-sign" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '\' in User-Name = "host/itf-toshiba-asd", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "DOMAIN" returns noop for request 6
rlm_eap: EAP packet type response id 7 length 102
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=domain,dc=com'
radius_xlat: '(uid=itf-toshiba-asd$)'
_____________
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message =
a0203913657d182f94d6ad94beee83e800686f73742f6974662d746f73686962612d617364
PEAP: Setting User-Name to host/itf-toshiba-asd
attr_rewrite copy.user-name {
attribute = Stripped-User-Name
new_attribute = yes
searchfor = ""
searchin = packet
replacewith = "%{User-Name}"
}
attr_rewrite add-dollar-sign {
attribute = Stripped-User-Name
searchfor = "^host/(.*)"
searchin = packet
new_attribute = no
replacewith = "%{1}$"
}
authorize {
copy.user-name
add-dollar-sign
chap
preprocess
mschap
DOMAIN
eap
files
ldap
}
[EMAIL PROTECTED] wrote:
Hi,
I've about got it, but now I am getting an eap error about the username
isn't correct.
I added this about preprocess:
attr_rewrite add-dollar-sign {
attribute = User-Name
searchfor = "^host/(.*)"
searchin = packet
new_attribute = no
replacewith = "%{1}$"
}
you cannot play with User-Name - that is returned in the EAP
conversation and if it has changed then the auth wont work.
copy the value to eg Stripped-User-Name and then use that variable
to do the auth with (as per that example page)
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
