cktan wrote:
> Hi all,
>
> I'm using freeradius+LDAP for the PPPoE dialup access control for a
> while. Lately I noticed there is a weird issue whereby a user logs in with
> the username "user=5c=5c=5c=5cu...@domain" and surprisingly freeradius
> allows it to log in although the actual username should be "u...@domain".

FreeRADIUS receives the User-Name that the NAS sends it, and asks LDAP if it's OK.

> I've run radius in -X mode and captured the log for your reference as
> below. In radiusd -X, we noticed the server received an Access-Request with
> username "user=5c=5c=5c=5cu...@domain" but when it reaches radius_xlat,
> the uid becomes "user" only, and when it queries my LDAP the account
> for "user" is available and it accepts the access request.

The "radius_xlat" doesn't delete '=5C' from the User-Name.

> The question is why "user=5C=5C=5C=5Cuser" = "user"?

If the User-Name is that in the Access-Request, it's because that's what the user typed. The usual reason for the user typing this is that they are trying to cheat you.

> We tried the username
> with xC (i.e. 1C, 2C, 3C and so on...) and all are able to log in because
> radius takes it as u...@domain.

I'm not sure I agree.

> After login, the username in radacct
> will become "user=5c=5c=5c=5cu...@domain" instead of "u...@domain". As
> a consequence, a smart user may have multiple logins (by using
> user=1C/2C/3C....), the records in radacct are different, and therefore
> we lose control over multiple logins with a single account. Any idea
> how to fix this?

Which version of FreeRADIUS are you running? I suspect that it's older than 1.1.7, which means it's a bug that was fixed *many* years ago.

Upgrade to 2.1.6, and the problem will go away.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
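The exchange above turns on two points a practitioner will want to see in working code: how a User-Name has to be escaped when it is placed in an LDAP search filter (RFC 4515 escapes are backslash plus two hex digits, so a literal "=5c" is ordinary data and must reach the directory unchanged), and why a multiple-login check should be keyed on the identity the directory returns rather than on the raw User-Name the NAS sent. The following is an added example written for this page; it is not FreeRADIUS or rlm_ldap code and does not model the pre-1.1.7 bug Alan refers to. The in-memory DIRECTORY and the sessions list are constructed stand-ins for the LDAP server and the radacct table, and the case-variant login ("USER@domain") goes beyond the posted "=5c" case: it relies on the uid attribute using caseIgnoreMatch (RFC 4519), which is an assumption about the directory schema.

```python
# Added example, not FreeRADIUS or rlm_ldap code. It shows two things the
# thread turns on: (1) a User-Name must be escaped per RFC 4515 when it is
# placed in an LDAP filter, so "user=5c=5c=5c=5cuser@domain" reaches the
# directory verbatim instead of collapsing to "user"; (2) a simultaneous-use
# check should be keyed on the uid the directory returns, not on the raw
# User-Name the NAS sent. DIRECTORY and the session list are constructed
# stand-ins for the LDAP server and the radacct table.

FILTER_SPECIALS = {'\\', '*', '(', ')', '\x00'}


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: each special or non-ASCII byte becomes \\XX.
    '=' and '@' are not special, so they pass through unchanged."""
    out = []
    for ch in value:
        if ch in FILTER_SPECIALS or ord(ch) > 0x7F:
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def ldap_filter_unescape(value: str) -> str:
    """Inverse of ldap_filter_escape, as a directory server applies it.
    Only a backslash followed by two hex digits is an escape; anything
    else, '=5c' included, is literal data."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == '\\':
            if i + 3 > len(value):
                raise ValueError('truncated escape in filter value')
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(value[i].encode('utf-8'))
            i += 1
    return raw.decode('utf-8')


def build_user_filter(user_name: str) -> str:
    """The kind of filter an LDAP module builds from %{User-Name}."""
    return '(uid=%s)' % ldap_filter_escape(user_name)


# Constructed directory content: the one real account from the thread.
DIRECTORY = [
    {'dn': 'uid=user@domain,ou=people,dc=example,dc=com', 'uid': 'user@domain'},
]


def ldap_search(directory, filter_str):
    """Toy evaluation of a single (uid=...) equality filter. The uid
    attribute is assumed to use caseIgnoreMatch (RFC 4519), so the
    comparison is case-insensitive, as a real server would do it."""
    if not (filter_str.startswith('(uid=') and filter_str.endswith(')')):
        raise ValueError('only (uid=...) filters are modelled here')
    wanted = ldap_filter_unescape(filter_str[5:-1]).casefold()
    return [e for e in directory if e['uid'].casefold() == wanted]


def authorize(user_name, directory, sessions, simultaneous_use=1):
    """Return (accepted, canonical_uid). Sessions are counted under the
    uid the directory returned; 'USER@domain' and 'user@domain' therefore
    share one count even though radacct would show two User-Names."""
    entries = ldap_search(directory, build_user_filter(user_name))
    if len(entries) != 1:
        return False, None          # unknown or ambiguous account: reject
    uid = entries[0]['uid']
    if sessions.count(uid) >= simultaneous_use:
        return False, uid           # Simultaneous-Use limit reached
    sessions.append(uid)
    return True, uid


if __name__ == '__main__':
    sessions = []
    for name in ('user=5c=5c=5c=5cuser@domain', 'user@domain', 'USER@domain'):
        print(name, '->', build_user_filter(name),
              authorize(name, DIRECTORY, sessions))
```

With the filter built this way the decorated name simply fails to match any entry and is rejected, which is the behaviour the poster expected. The second half addresses the radacct concern directly: whatever string the NAS put in User-Name, the session count is taken against the uid the directory returned, so variants that the directory resolves to the same entry cannot be used to exceed the per-account limit.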