(RADIATOR) RewriteUsername help

Steve Shippa steve.shippa at fullmesh.net
Thu Feb 3 13:06:47 CST 2005


I'm not sure the config will help as I'm using RAdmin and everything 
(clients, users, etc) is stored in the db.

All I'm trying to do is this:

Customer signs up for my service, system generates the account # and 
puts it in the format like:

cust001.example.com
cust002.example.com
cust003.example.com
.
.
custXXX.example.com

which I enter into the radclient table, defaultrealm column along with 
their nasidentifier, secret, etc, etc.

So my customers don't have to remember steve at cust001.example.com or 
bill at cust010.example.com, I want to allow them to log in as 'steve' or 
'bill'.  The way I read the docs, defaultrealm will add the realm to the 
username if none is present, so just using 'steve' to log in from a 
specific NAS would produce steve at cust001.example.com.  This appears to 
be true in some cases.  As the first part of the log shows below, 
'Rewrote user name to steve at cust001.example.com', but further down, when 
the authentication takes place, 'Query is: 'select PASS_WORD, 
STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, 
VALIDTO from RADUSERS where USERNAME='steve':', just "steve" is used and 
not the rewritten name.  However, the entry into the authentication log 
inserts steve at cust001.example.com.

I read in the docs (or online somewhere) that just 'User-Name' is passed 
through for authentication, but figured a RewriteUsername would allow me 
to change that, so I'm just looking for the correct RewriteUsername regex 
to use.  Your suggestion below just includes the username, and %W 
appears to be what I'm looking for, but how would you include that in 
the regex?

RewriteUsername              s/^([^@]+)$/$1\{would like either 
defaultrealm or the value of %W here}

Thanks,
  -Steve

Thu Feb  3 12:37:51 2005: DEBUG: Packet dump:
*** Received from 198.4.3.77 port 1051 ....
Code:       Access-Request
Identifier: 120
Authentic:  <154><186><243><248><31><23><26><208><214><19><182>0H}<130>e
Attributes:
        Framed-MTU = 1466
        NAS-IP-Address = 10.0.1.1
        NAS-Identifier = "wireless"
        User-Name = "steve"
        Service-Type = Framed-User
        NAS-Port = 253
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "wl0"
        Called-Station-Id = "00-11-24-0d-6a-1b"
        Calling-Station-Id = "00-02-6f-09-58-05"
        Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
        EAP-Message = 
<2><9><0>W<25><0><23><3><1><0>L<218><28>6<189><243>eDx{RD<227>i<12>A<22><26><27><254>/<187><225><225><191><13>_<223>T@<190>Hz<128><130><242><236>l<7><4>6<206>_<204><139><155><193>S<24>yA$O<197>{<217><209>s<253>k<245><228><177>2<158><210>I<165><228>2<224><129>K<182>\8<133>
        Message-Authenticator = 
<137>:<189><198><6><207>,=ZkP<141><10><13>A<249>

Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler ''
Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler ''
Thu Feb  3 12:37:51 2005: DEBUG: Rewrote user name to 
steve at cust001.example.com
Thu Feb  3 12:37:51 2005: DEBUG: Logger_Session Deleting session for 
steve, 10.0.1.1, 253
Thu Feb  3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE 
where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
Thu Feb  3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 9, 87
Thu Feb  3 12:37:51 2005: DEBUG: Response type 25
Thu Feb  3 12:37:51 2005: DEBUG: EAP PEAP inner authentication request 
for anonymous
Thu Feb  3 12:37:51 2005: DEBUG: PEAP Tunnelled request Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  9<146><27>M)<252>H<244><154><200><232>6<248><10><158><172>
Attributes:
        EAP-Message = 
<2><9><0><<26><2><9><0>;1<236><152><228><190>N+<17><204><18><216><129><135><245>5N@<0><0><0><0><0><0><0><0><129><206>K@<220><238><128>H<243><160><208><16><222><177><230><220>\}<141><210>?,<193><1><0>steve
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        User-Name = "anonymous"
        NAS-IP-Address = 10.0.1.1
        NAS-Identifier = "wireless"
        NAS-Port = 253
        Calling-Station-Id = "00-02-6f-09-58-05"

Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler 
'TunnelledByPEAP=1'
Thu Feb  3 12:37:51 2005: DEBUG: Rewrote user name to 
anonymous at cust001.example.com'
Thu Feb  3 12:37:51 2005: DEBUG: Logger_Session Deleting session for , 
10.0.1.1, 253
Thu Feb  3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE 
where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
Thu Feb  3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 9, 60
Thu Feb  3 12:37:51 2005: DEBUG: Response type 26
Thu Feb  3 12:37:51 2005: DEBUG: Converted EAP-MSCHAPV2 Packet dump:
Code:       Access-Request
Identifier: UNDEF
Authentic:  <146>np><19><153>D\<250>nG<254><211>d<133><136>
Attributes:
        User-Name = "steve"
        ConvertedFromEAPMSCHAPV2 = 1
        MS-CHAP2-Response = 
<1><0><236><152><228><190>N+<17><204><18><216><129><135><245>5N@<0><0><0><0><0><0><0><0><129><206>K@<220><238><128>H<243><160><208>
<16><222><177><230><220>\}<141><210>?,<193><1>
        MS-CHAP-Challenge = 
I<254><139><168><198><236><212><31><208>f<24><13><2>}<14><244>

Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler 
'ConvertedFromEAPMSCHAPV2=1'
Thu Feb  3 12:37:51 2005: DEBUG: Rewrote user name to 
steve at cust001.example.com
Thu Feb  3 12:37:51 2005: DEBUG: Logger_Session Deleting session for 
steve, 10.0.1.1,
Thu Feb  3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE 
where NASIDENTIFIER='10.0.1.1' and NASPORT=0':
Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
Thu Feb  3 12:37:51 2005: DEBUG: Query is: 'select PASS_WORD, 
STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, 
VALIDTO from RADUSERS where USERNAME='steve'':
Thu Feb  3 12:37:51 2005: DEBUG: Radius::AuthRADMIN looks for match with 
steve
Thu Feb  3 12:37:51 2005: DEBUG: Query is: 'select PASS_WORD, 
STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, 
VALIDTO from RADUSERS where USERNAME='DEFAULT'':
Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, No such user
Thu Feb  3 12:37:51 2005: INFO: Access rejected for steve: No such user
Thu Feb  3 12:37:51 2005: DEBUG: Converted EAP-MSCHAPV2 response Packet 
dump:
Code:       Access-Reject
Identifier: UNDEF
Authentic:  <146>np><19><153>D\<250>nG<254><211>d<133><136>
Attributes:
        Reply-Message = "Request Denied"

Thu Feb  3 12:37:51 2005: DEBUG: EAP result: 1, EAP-MSCHAPV2 converted 
to Radius MSCHAPV2 and redespatched to a Handler
Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, 
EAP-MSCHAPV2 converted to Radius MSCHAPV2 and redespatched to a Handler
Thu Feb  3 12:37:51 2005: INFO: Access rejected for 
anonymous at cust001.example.com: EAP-MSCHAPV2 converted to Radius MSCHAPV2 
and redespatched to a Handler
Thu Feb  3 12:37:51 2005: DEBUG: EAP result: 3, EAP PEAP inner 
authentication redespatched to a Handler
Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: CHALLENGE, EAP 
PEAP inner authentication redespatched to a Handler
Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: CHALLENGE, EAP 
PEAP inner authentication redespatched to a Handler
Thu Feb  3 12:37:51 2005: DEBUG: Access challenged for 
steve at cust001.example.com: EAP PEAP inner authentication redespatched to 
a Handler
Thu Feb  3 12:37:51 2005: DEBUG: Access challenged for 
steve at cust001.example.com: EAP PEAP inner authentication redespatched to 
a Handler
Thu Feb  3 12:37:51 2005: DEBUG: Packet dump:
*** Sending to 198.4.3.77 port 1051 ....
Code:       Access-Challenge
Identifier: 120
Authentic:  <154><186><243><248><31><23><26><208><214><19><182>0H}<130>e
Attributes:
        EAP-Message = 
<1><10><0>&<25><0><23><3><1><0><27><13><223>M<204>#<7><250><171><187><237><183>:<247><243><0><192><147><9><167>zw[t.<196><5>
        Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

Thu Feb  3 12:37:51 2005: DEBUG: Packet dump:
*** Received from 198.4.3.77 port 1051 ....
Code:       Access-Request
Identifier: 121
Authentic:  ge<223>`3U]U/R<9><22><135><145>y.
Attributes:
        Framed-MTU = 1466
        NAS-IP-Address = 10.0.1.1
        NAS-Identifier = "wireless"
        User-Name = "steve"
        Service-Type = Framed-User
        NAS-Port = 253
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "wl0"
        Called-Station-Id = "00-11-24-0d-6a-1b"
        Calling-Station-Id = "00-02-6f-09-58-05"
        Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
        EAP-Message = 
<2><10><0>&<25><0><23><3><1><0><27><172><227><254><138>`P<147><162><175>wd<185><142>|T<19><195><218>r<179><181><129><15>{<242>Sd
        Message-Authenticator = 
<144><242><16>w<238><226><234>3k<164><250><129>;<191><235><22>

Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler ''
Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler ''
Thu Feb  3 12:37:51 2005: DEBUG: Rewrote user name to 
steve at cust001.example.com
Thu Feb  3 12:37:51 2005: DEBUG: Logger_Session Deleting session for 
steve, 10.0.1.1, 253
Thu Feb  3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE 
where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
Thu Feb  3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 10, 38
Thu Feb  3 12:37:51 2005: DEBUG: Response type 25
Thu Feb  3 12:37:51 2005: DEBUG: EAP result: 1, PEAP Authentication Failure
Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, PEAP 
Authentication Failure
Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, PEAP 
Authentication Failure
Thu Feb  3 12:37:51 2005: INFO: Access rejected for 
steve at cust001.example.com: PEAP Authentication Failure
Thu Feb  3 12:37:51 2005: INFO: Access rejected for 
steve at cust001.example.com: PEAP Authentication Failure
Thu Feb  3 12:37:51 2005: DEBUG: do query is: 'insert into RADAUTHLOG 
(TIME_STAMP, USERNAME, TYPE, REASON) values (1107452271, 
'steve at cust001.example.com', 0, 'PEAP Authentication Failure')':
Thu Feb  3 12:37:51 2005: DEBUG: Packet dump:



Hugh Irvine wrote:

>
> Hello Steve -
>
> It's much easier to understand your questions if you include a copy of 
> the configuration file and a trace 4 showing what is happening.
>
> You should have a look at section 6.2 in the Radiator 3.11 reference 
> manual ("doc/ref.html") to see what special characters are available 
> for use in queries. In your case you might find %w to be useful?
>
> Can you explain exactly what you are wanting to do?
>
> regards
>
> Hugh
>
>
> On 2 Feb 2005, at 20:30, Steve Shippa wrote:
>
>> Right, that would add '@realm', however is there any way to add the 
>> "defaultrealm" which is different for each customer 
>> (cust001.example.com, cust002.example.com, cust00n.example.com) as 
>> I'm doing authentication with the same <Handler>
>>
>> Thanks,
>>  -Steve
>>
>> Mark O'Leary wrote:
>>
>>> I think the following would add "@realm" to the end of 'plain' 
>>> usernames:
>>>
>>> RewriteUsername s/^([^@]+)$/$1\@realm/
>>>
>>> M.
>>>
>>> -- 
>>> Mark O'Leary, ITO (Networks)
>>> Communications, Manchester Computing
>>> mark at manchester.ac.uk
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: owner-radiator at open.com.au 
>>>> [mailto:owner-radiator at open.com.au] On Behalf Of Steve Shippa
>>>> Sent: 02 February 2005 13:39
>>>> To: radiator at open.com.au
>>>> Subject: (RADIATOR) RewriteUsername help
>>>>
>>>> Can anyone tell me if it's possible (and if so, help with the 
>>>> regexp as I'm not too good at them) to use a RewriteUsername 
>>>> parameter to add the defaultrealm (i.e. cust001.example.com) to the 
>>>> username (i.e. steve)?
>>>>
>>>> I store usernames in my db as user at cust001.example.com, 
>>>> user at cust002.example.com, etc.  My customers log into specific 
>>>> clients where I apply the defaultdomain of custXXX.example.com and 
>>>> while I see places in the log where user at custXXX.example.com is 
>>>> showing up, when the query to the db happens, it uses the NAS 
>>>> 'User-Name' and not user at custXXX.example.com 
>>>> (User-Name+defaultrealm).  The log shows:
>>>>
>>>> Tue Feb  1 15:26:34 2005: DEBUG: Query is: 'select PASS_WORD, 
>>>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, 
>>>> VALIDFROM, VALIDTO from RADUSERS where USERNAME='steve'':
>>>> Tue Feb  1 15:26:34 2005: DEBUG: Radius::AuthRADMIN looks for match with steve
>>>> Tue Feb  1 15:26:34 2005: DEBUG: AuthBy RADMIN result: REJECT, No such user
>>>> Tue Feb  1 15:26:34 2005: INFO: Access rejected for steve No such user
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks,
>>>> -Steve
>>>>
>>>>
>>>>
>>>> -- 
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au To unsubscribe, 
>>>> email 'majordomo at open.com.au' with 'unsubscribe radiator' in the 
>>>> body of the message.
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>

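As an added illustration, not Radiator's code and not part of the original thread, here is a small Python model of the realm qualification Steve is after: a bare User-Name gets the client's defaultrealm appended using the same pattern Mark posted, and a name that already carries a realm is accepted only if that realm belongs to the client the request came from, so a login through one customer's NAS cannot select another customer's account. The NAS-Identifier to realm mapping is a constructed sample standing in for the radclient table.

```python
import re

# Constructed sample: RADIUS client (NAS-Identifier) -> customer default realm.
# Stands in for the radclient table's defaultrealm column; not Radiator's data.
CLIENT_DEFAULT_REALM = {
    "wireless": "cust001.example.com",
    "wireless-2": "cust002.example.com",
}

# Same pattern as the RewriteUsername in the thread: it matches only names
# containing no '@', so a name that already carries a realm is left untouched
# rather than being given a second realm.
BARE_NAME = re.compile(r"^([^@]+)$")


def qualify_username(user_name, nas_identifier):
    """Return (accepted, value) for the name that should be looked up.

    A bare name has the client's default realm appended.  A name that already
    has a realm is accepted only when that realm is the client's own default
    realm.  On rejection, value is the reason instead of a name.
    """
    realm = CLIENT_DEFAULT_REALM.get(nas_identifier)
    if realm is None:
        return False, "unknown NAS-Identifier"
    # re.sub returns the input unchanged when the pattern does not match.
    qualified = BARE_NAME.sub(lambda m: f"{m.group(1)}@{realm}", user_name)
    local, _, supplied_realm = qualified.rpartition("@")
    if not local:
        return False, "empty user part"
    if supplied_realm.lower() != realm.lower():
        return False, f"realm {supplied_realm!r} does not belong to this client"
    return True, qualified


if __name__ == "__main__":
    samples = [("steve", "wireless"),
               ("bill@cust002.example.com", "wireless-2"),
               ("steve@cust001.example.com", "wireless-2")]
    for name, nas in samples:
        print(f"{name} via {nas} -> {qualify_username(name, nas)}")
```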

