Josh Hiner wrote:
I think I may have found a bug in rlm_perl? I have written a script with the aid of another freeradius list member that checks to see if a user is in a certain samba windows group. If they are not in the group (the wireless group) the module rejects the login. The module works perfectly except for those users whose usernames begin with the letter t. For instance ISD\josh will succeed but ISD\\ted will fail. I have done much testing and can't find my script to be the issue. Look below for debug output for the perl module.

Notice that right after the ++[files] line I print out the radius items for debugging. Notice the User-Name value is correct going into the perl script. Notice on the exit of the perl script on each debug that the username is correct. Then notice later in each debug where these lines are: Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
but when the username begins with a "t" it fails here like this:
Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
Notice only one backslash.

I have tried to make it succeed by adding backslashes (for users that start with t) but no success. It will do ISD\\\tbraun and ISD\tbraun but never ISD\\tbraun. Therefore, with users that start with "t" I always get User-name does not match eap identity failure.

Thanks for any help. At the very bottom after the debug output you will find my simple perl script that is well commented.

-Josh

------- Successful attempt --------
++[files] returns noop
They key is User-Name and the value is ISD\\josh.They key is EAP-Message and the value is 0x020900061a03.They key is EAP-Type and the value is MS-CHAP-V2.They key is State and the value is 0xfeecb38bffe5a965a0ca1cd92ce6c42b.They key is FreeRADIUS-Proxied-To and the value is 127.0.0.1.
rlm_perl: Added pair User-Name = ISD\josh
rlm_perl: Added pair EAP-Message = 0x020900061a03
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
rlm_perl: Added pair State = 0xfeecb38bffe5a965a0ca1cd92ce6c42b
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
++[perl] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
Login OK: [ISD\\josh] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 2
   EAP-Message = 0x03090004
   Message-Authenticator = 0x00000000000000000000000000000000
   User-Name = "ISD\\josh"
[peap] Got tunneled reply RADIUS code 2
   EAP-Message = 0x03090004
   Message-Authenticator = 0x00000000000000000000000000000000
   User-Name = "ISD\\josh"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
--------- End snip of successful attempt ---------

--------- Failed attempt from user whose username begins with a "t" (tbraun) ---------
++[files] returns noop
They key is User-Name and the value is ISD\\tbraun.They key is EAP-Message and the value is 0x0207000f014953445c74627261756e.They key is EAP-Type and the value is Identity.They key is FreeRADIUS-Proxied-To and the value is 127.0.0.1.rlm_perl: Added pair User-Name = ISD\tbraun
rlm_perl: Added pair EAP-Message = 0x0207000f014953445c74627261756e
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair FreeRADIUS-Proxied-To = 127.0.0.1
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair Proxy-To-Realm = LOCAL
rlm_perl: Added pair EAP-Type = MS-CHAP-V2
++[perl] returns updated
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [ISD\tbraun] (from client CCISD-REMC-Radius port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
----------- End of snip of failed attempt ----------------

----------- Begin paste of perl script ------------------

#!/usr/bin/perl -w
use strict;
# use ...
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

# This is the hash which holds the original request from radius
#my %RAD_REQUEST;
# In this hash you add values that will be returned to NAS.
#my %RAD_REPLY;
# This is for check items
#my %RAD_CHECK;

#
# This is the remapping of return values
#
use constant RLM_MODULE_REJECT   => 0; # immediately reject the request
use constant RLM_MODULE_FAIL     => 1; # module failed, don't reply
use constant RLM_MODULE_OK       => 2; # the module is OK, continue
use constant RLM_MODULE_HANDLED  => 3; # the module handled the request, so stop.
use constant RLM_MODULE_INVALID  => 4; # the module considers the request invalid.
use constant RLM_MODULE_USERLOCK => 5; # reject the request (user is locked out)
use constant RLM_MODULE_NOTFOUND => 6; # user not found
use constant RLM_MODULE_NOOP     => 7; # module succeeded without doing anything
use constant RLM_MODULE_UPDATED  => 8; # OK (pairs modified)
use constant RLM_MODULE_NUMCODES => 9; # How many return codes there are

# Function to handle authorize
sub authorize {

    my $sambagroup = "10007"; # This is the numeric ID of the samba group
    my $domain     = "ISD";

    # Testing stuff to print out all radius attributes from hash
    my $key   = "";
    my $value = "";
    while (($key, $value) = each(%RAD_REQUEST)) {
        print "They key is $key and the value is $value.";
    }
    # End of testing
    my $auth_user = $RAD_REQUEST{'User-Name'};

    # Windows adds host/ to the beginning of every machine name during login.
    # The following block of code cleans off host/ and replaces it with
    # the login domain and tags a $ at the end for wbinfo group query.
    if ($auth_user =~ /\bhost\b/) {
        $auth_user =~ s/^host\///;
        $auth_user = "$auth_user\$";
    }

    # Here I add the domain to the beginning of the username if the domain
    # doesn't exist there already.
    if ($auth_user !~ /^\b$domain\b/) {
        $auth_user = "$domain\\\\$auth_user";
    }

    # End of username/machine name cleanup.

    # The next line is the wbinfo query to see what samba groups the user is
    # a member of. Note that $auth_user, which comes from the request, is
    # interpolated into a shell command line here, and the shell collapses
    # the doubled backslash before wbinfo sees it.
    my @resultArray = qx(wbinfo -r $auth_user);

    my $arraySize = scalar @resultArray;
    my $groupID   = "";

    if ($arraySize != 0) {
        foreach $groupID (@resultArray) {
            if ($groupID == $sambagroup) {
                # The below line re-writes the value stored in the radius
                # user-name attribute in the rad_request hash. For some
                # reason freeradius feeds in DOMAIN\\\\username instead of
                # DOMAIN\\username. This causes the eap module to fail
                # because the returned value from this module doesn't match
                # the EAP identity.

                # this is from testing --> $RAD_REQUEST{'User-Name'} = "ISD\\\\tbraun"

                # The following line cleans two of the slashes "\\" out of
                # the user-name before we return from the perl module. These
                # two slashes get added in. I'm not sure how or why.
                $RAD_REQUEST{'User-Name'} =~ s/^$domain\\/$domain/;

                # Here I exit the subroutine and tell FreeRadius I updated
                # some junk.
                return RLM_MODULE_UPDATED;
#               return RLM_MODULE_OK;
            }
        }
        # wbinfo returned groups, but the required group is not among them.
        return RLM_MODULE_REJECT;
    }
    else {
        # user not in the required group.
        return RLM_MODULE_REJECT; # YOU have been denied....
    }
}

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
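The following standalone Perl is an added example for this thread; it is not code from the original post or from FreeRADIUS. It reproduces, with pure string functions, what the two debug runs above show for the names josh and tbraun. It assumes that a value handed back through %RAD_REQUEST is run through a C-style unescape (\\ becomes \, \t becomes a tab character) on its way into the request, which is what the `[ISD\tbraun]` in the failed log suggests given that the hash value printed by the script was `ISD\\tbraun`. The `radius_unescape`, `radius_escape`, `strip_one_backslash`, `wbinfo_group_ids` and `in_group` names are this example's own. The group-lookup helper at the end shows the list form of `open`, which hands the account name to wbinfo without a shell, so a User-Name taken from the wire can never be interpreted as shell syntax; note that it therefore takes the name with a single backslash, unlike the qx() form in the script where the shell itself collapsed the doubled backslash. That helper is only executed if an account name is given on the command line, so the rest of the script runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed C-style unescape applied to an attribute value that a module
# writes back into the request: \\ -> \, \t -> TAB, \n -> newline, etc.
# Unknown sequences such as \j are left as they are.
sub radius_unescape {
    my ($s) = @_;
    my %esc = ('n' => "\n", 'r' => "\r", 't' => "\t", '\\' => '\\', '"' => '"');
    $s =~ s/\\(.)/exists $esc{$1} ? $esc{$1} : "\\$1"/ges;
    return $s;
}

# Inverse: double every backslash so the value survives the unescape.
sub radius_escape {
    my ($s) = @_;
    $s =~ s/\\/\\\\/g;
    return $s;
}

# What the posted script does before returning: removes one backslash
# right after the domain prefix.
sub strip_one_backslash {
    my ($domain, $s) = @_;
    $s =~ s/^\Q$domain\E\\/$domain/;
    return $s;
}

# Make a tab visible when printing.
sub printable {
    my ($s) = @_;
    $s =~ s/\t/<TAB>/g;
    return $s;
}

# Both names are taken from the debug output in the post.
for my $user (qw(josh tbraun)) {
    my $in_hash    = "ISD\\\\$user";   # two backslashes, as the hash dump shows
    my $left_alone = radius_unescape($in_hash);
    my $stripped   = radius_unescape(strip_one_backslash('ISD', $in_hash));
    printf "%-7s hash=%-12s untouched=%-12s after strip=%s\n",
        $user, $in_hash, printable($left_alone), printable($stripped);
}
# josh   hash=ISD\\josh    untouched=ISD\josh     after strip=ISD\josh
# tbraun hash=ISD\\tbraun  untouched=ISD\tbraun   after strip=ISD<TAB>braun

# If a module has to rewrite User-Name at all, storing the escaped form
# makes the round trip the identity for every name.
my $want   = "ISD\\tbraun";              # one real backslash
my $stored = radius_escape($want);
printf "escape/unescape round trip ok: %s\n",
    radius_unescape($stored) eq $want ? 'yes' : 'no';

# Group lookup without a shell: open in list form execs wbinfo directly,
# so the account name (which originates in the EAP identity sent by the
# client) is passed as a single argv element. $account carries one
# backslash, e.g. "ISD\\tbraun" in Perl source.
sub wbinfo_group_ids {
    my ($account) = @_;
    open(my $fh, '-|', 'wbinfo', '-r', $account) or die "cannot run wbinfo: $!";
    my @ids = map { /^(\d+)/ ? $1 : () } <$fh>;   # one numeric GID per line
    close $fh;
    return @ids;
}

sub in_group {
    my ($gid, @ids) = @_;
    return scalar grep { $_ eq $gid } @ids;
}

# Only query winbind when an account name is supplied, e.g.
#   perl this_script.pl 'ISD\tbraun'
if (@ARGV) {
    my @ids = wbinfo_group_ids($ARGV[0]);
    print in_group('10007', @ids) ? "member of the wireless group\n"
                                  : "not a member of the wireless group\n";
}
```

Run without arguments, the output shows why only names whose first letter forms a recognised escape sequence break: josh comes out the same whether or not the backslash is stripped, while tbraun turns into ISD, a tab, and braun, which no longer matches the EAP identity.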

I forgot to mention the freeradius version I am using is 2.1.3. Sorry and thanks.