Hi,

I'm having some issues authenticating iOS clients (with FreeRADIUS v2.1.10 
installed on a Ubuntu server) with EAP-TLS when the username contains a domain 
name in the form of Domain\Username (the account is in Active Directory).

I think the issue is caused by the fact that the final Access-Accept reply has 
the backslash after the domain name escaped, so that the output looks like this:

Sending Access-Accept of id 171 to 172.27.28.84 port 32769
        User-Name = "ocg\\cmctrf3"

instead of containing the original, un-escaped domain\username:

Sending Access-Accept of id 171 to 172.27.28.84 port 32769
        User-Name = "ocg\cmctrf3"


Mine is just a theory, but I cannot verify it until I figure out how to have 
the un-escaped ocg\cmctrf3 string being sent in the output instead of the 
current escaped one. So my question is "how do I cause the User-Name to be sent 
un-escaped? Do I make a change in the clients.conf file...? The eap.conf 
file...? If so, under which section and where..? Sorry for what may look like a 
dumb question, but I could not find this mentioned anywhere else.

As a side-note, if I omit the domain name in the iOS device and just login with 
the username "cmctrf3" for example, the iPhones/iPads are able to login without 
problems. The issue only occurs when the domain name appears before escaped. 
All other devices (Windows and Mac desktops) seem to be able to get past that 
escaped sequence without problems.
 
Below is a blurb showing the debug output. I do see the un-escaped ocg\cmctrf3 
being logged, but the escaped one at the end is what is probably biting me.

Thanks,

Roberto Franceschetti

# Executing section authorize from file /etc/freeradius/clients.conf
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "ocg\cmctrf3", skipping NULL due to config.
++[suffix] returns noop
[ntdomain] Looking up realm "ocgov" for User-Name = "ocg\cmctrf3"
[ntdomain] No such realm "ocgov"
++[ntdomain] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/clients.conf
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [ocg\\cmctrf3] (from client 172.27.28.84 port 29 cli 
f0-cb-a1-2b-61-4d)
# Executing section post-auth from file /etc/freeradius/clients.conf
+- entering group post-auth {...}
++[exec] returns noop
} # server lwap-clients
Sending Access-Accept of id 171 to 172.27.28.84 port 32769
        MS-MPPE-Recv-Key = 
0x15c9ba070e3579e43c54314c24e7e09f4753c779e4e013b4bbd080a2cab4bbb2
        MS-MPPE-Send-Key = 
0x4f27c90c8fdf27be122e70c2c4d82bebd65797dafebe2ebb4ca91bedfd244cb5
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "ocg\\cmctrf3"
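The post treats the doubled backslash in the debug line as the value being sent. Those are two separate things worth checking: the bytes carried in the User-Name attribute on the wire, and the way a debug printer renders that string (escaping backslashes and quotes so the line stays unambiguous). The example below is added here and is not from the post or from the FreeRADIUS source; it encodes a User-Name attribute as RFC 2865 Type/Length/Value bytes, decodes it back, and renders it with a small debug-style escaper. The escaping rule in `debug_repr` is an assumption chosen to illustrate the display/wire distinction, not a claim about any particular server's logger; the definitive check for a real deployment is a packet capture of the Access-Accept.

```python
import struct

# RADIUS attribute type for User-Name (RFC 2865, section 5.1).
USER_NAME = 1


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1 byte) | Length(1 byte) | Value.

    Length covers the whole attribute, so the value is limited to 253 bytes.
    """
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_avps(data: bytes) -> list[tuple[int, bytes]]:
    """Walk a run of attributes and return (type, value) pairs.

    Rejects truncated headers and lengths that run past the buffer, which
    is the kind of malformed input a parser must refuse rather than guess at.
    """
    avps = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length runs past end of data")
        avps.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return avps


def debug_repr(value: bytes) -> str:
    """Render a string value the way a debug printer that escapes
    backslashes and double quotes would display it (assumed rule)."""
    text = value.decode("utf-8", errors="replace")
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def user_name_wire_and_display(user_name: str) -> tuple[bytes, str, str]:
    """Return (wire bytes, decoded value, debug rendering) for a User-Name."""
    wire = encode_avp(USER_NAME, user_name.encode("utf-8"))
    (attr_type, value), = decode_avps(wire)
    assert attr_type == USER_NAME
    return wire, value.decode("utf-8"), debug_repr(value)


if __name__ == "__main__":
    # Constructed sample based on the form Domain\Username from the post.
    wire, decoded, shown = user_name_wire_and_display("ocg\\cmctrf3")
    print("wire bytes :", wire.hex())
    print("backslashes on the wire:", wire.count(b"\\"))
    print("decoded    :", decoded)
    print("debug view :", shown)
```

Run it and compare the hex dump with the debug view: the wire value holds one 0x5c byte, while the debug rendering shows two backslashes. If a real server's log shows the doubled form, a capture of the Access-Accept tells you which of the two you are looking at.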




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html