(RADIATOR) RewriteUsername help
Hugh Irvine
hugh at open.com.au
Thu Feb 3 23:38:15 CST 2005
Hello Steve -
As the name implies, DefaultRealm will only add a realm suffix once.
If your users are logging in without a realm and you want to do
multiple authentications with multiple suffixes, you will either need
to use multiple AuthBy RADMIN clauses, or use stored procedures in the
database to do the same thing.
If you use multiple AuthBy clauses you can do something like this:
# define Realm(s) or Handler(s)
<Handler ...>
    AuthByPolicy ContinueUntilAccept
    <AuthBy RADMIN>
        .....
        AuthSelect ....... \
            where USERNAME = '%u@cust001.example.com'
        .....
    </AuthBy>
    <AuthBy RADMIN>
        .....
        AuthSelect ....... \
            where USERNAME = '%u@cust002.example.com'
        .....
    </AuthBy>
    <AuthBy RADMIN>
        .....
        AuthSelect ....... \
            where USERNAME = '%u@cust003.example.com'
        .....
    </AuthBy>
    .....
</Handler>
See section 6.32 in the Radiator 3.11 reference manual ("doc/ref.html").
Hope that helps.
regards
Hugh
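Added illustration, not part of Hugh's reply or of Radiator itself: the rewrite Mark's regex performs, a look-up name that forces the client's realm the way Hugh's per-client AuthSelect does, and the RADUSERS select from Steve's trace run against a constructed in-memory table. The client-to-realm map, the account rows and the sqlite3 stand-in are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the radclient table: each NAS and the DefaultRealm
# Steve stores for it. Assumed values, not data from any real deployment.
CLIENT_DEFAULT_REALM = {
    "10.0.1.1": "cust001.example.com",
    "10.0.1.2": "cust002.example.com",
}

# Same pattern as Mark's RewriteUsername s/^([^@]+)$/$1\@realm/: only a name
# with no '@' matches, so a realm is appended at most once.
BARE_NAME = re.compile(r"^([^@]+)$")


def apply_default_realm(user_name: str, nas_ip: str) -> str:
    """Append the client's default realm to a bare user name, as the
    'Rewrote user name to steve@cust001.example.com' line in the trace does."""
    realm = CLIENT_DEFAULT_REALM[nas_ip]
    return BARE_NAME.sub(lambda m: f"{m.group(1)}@{realm}", user_name)


def pinned_lookup_name(user_name: str, nas_ip: str) -> str:
    """Look-up name that always carries the realm of the NAS the request came
    through, as Hugh's per-client AuthSelect ('%u@cust001.example.com') does.
    A realm typed by the supplicant is discarded, so one tenant's NAS can only
    reach that tenant's accounts."""
    bare = user_name.split("@", 1)[0]
    return f"{bare}@{CLIENT_DEFAULT_REALM[nas_ip]}"


def make_radusers() -> sqlite3.Connection:
    """In-memory stand-in for RADUSERS holding two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("create table RADUSERS (USERNAME text primary key, PASS_WORD text)")
    db.executemany("insert into RADUSERS values (?, ?)", [
        ("steve@cust001.example.com", "constructed-pw-1"),
        ("bill@cust002.example.com", "constructed-pw-2"),
    ])
    return db


def lookup(db: sqlite3.Connection, lookup_name: str):
    """The RADUSERS select from the trace, reduced to PASS_WORD. The trace shows
    the name substituted into the query text; here it is bound as a parameter.
    Returns None where Radiator logged 'REJECT, No such user'."""
    row = db.execute("select PASS_WORD from RADUSERS where USERNAME = ?",
                     (lookup_name,)).fetchone()
    return row[0] if row else None
```

With the raw User-Name 'steve' the lookup returns None, reproducing the "No such user" reject in the trace; with the rewritten or pinned name it finds the row. The plain rewrite leaves a name that already carries a realm untouched, which is why the pinned form is the one to use when each client belongs to one customer.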
On 3 Feb 2005, at 22:06, Steve Shippa wrote:
> I'm not sure the config will help as I'm using RAdmin and everything
> (clients, users, etc) is stored in the db.
>
> All I'm trying to do is this:
>
> Customer signs up for my service, system generates the account # and
> puts it in the format like:
>
> cust001.example.com
> cust002.example.com
> cust003.example.com
> .
> .
> custXXX.example.com
>
> which I enter into the radclient table, defaultrealm column along with
> their nasidentifier, secret, etc, etc.
>
> So my customers don't have to remember steve at cust001.example.com or
> bill at cust010.example.com, I want to allow them to log in as 'steve' or
> 'bill'. The way I read the docs, defaultrealm will add the realm to
> the username if none is present so just using 'steve' to log in from a
> specific nas would produce steve at cust001.example.com. This appears to
> be true in some cases. As the first part of the log shows below,
> 'Rewrote user name to steve at cust001.example.com', but further down,
> when the authentication takes place 'Query is: 'select PASS_WORD,
> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM,
> VALIDTO from RADUSERS where USERNAME='steve':', just "steve" is used
> and not the rewritten name. However, the entry into the
> authentication log inserts steve at cust001.example.com.
>
> I read in the docs (or online somewhere) that just 'User-Name' is
> passed through for authentication, but figured a RewriteUsername would
> allow me to change that, so I'm just looking for the correct
> RewriteUsername reg ex to use. Your suggestion below just includes
> the username and %W appears to be what I'm looking for, but how would
> you include that in reg ex?
>
> RewriteUsername s/^([^@]+)$/$1\{would like either
> defaultrealm or the value of %W here}
>
> Thanks,
> -Steve
>
> Thu Feb 3 12:37:51 2005: DEBUG: Packet dump:
> *** Received from 198.4.3.77 port 1051 ....
> Code: Access-Request
> Identifier: 120
> Authentic:
> <154><186><243><248><31><23><26><208><214><19><182>0H}<130>e
> Attributes:
> Framed-MTU = 1466
> NAS-IP-Address = 10.0.1.1
> NAS-Identifier = "wireless"
> User-Name = "steve"
> Service-Type = Framed-User
> NAS-Port = 253
> NAS-Port-Type = Ethernet
> NAS-Port-Id = "wl0"
> Called-Station-Id = "00-11-24-0d-6a-1b"
> Calling-Station-Id = "00-02-6f-09-58-05"
> Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
> EAP-Message =
> <2><9><0>W<25><0><23><3><1><0>L<218><28>6<189><243>eDx{RD<227>i<12>A<22
> ><26><27><254>/<187><225><225><191><13>_<223>T@<190>Hz<128><130><2
> 42><236>l<7><4>6<206>_<204><139><155><193>S<24>yA$O<197>{<217><209>s<25
> 3>k<245><228><177>2<158><210>I<165><228>2<224><129>K<182>\8<133>
> Message-Authenticator =
> <137>:<189><198><6><207>,=ZkP<141><10><13>A<249>
>
> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler ''
> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler ''
> Thu Feb 3 12:37:51 2005: DEBUG: Rewrote user name to
> steve at cust001.example.com
> Thu Feb 3 12:37:51 2005: DEBUG: Logger_Session Deleting session for
> steve, 10.0.1.1, 253
> Thu Feb 3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
> Thu Feb 3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 9, 87
> Thu Feb 3 12:37:51 2005: DEBUG: Response type 25
> Thu Feb 3 12:37:51 2005: DEBUG: EAP PEAP inner authentication request
> for anonymous
> Thu Feb 3 12:37:51 2005: DEBUG: PEAP Tunnelled request Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: 9<146><27>M)<252>H<244><154><200><232>6<248><10><158><172>
> Attributes:
> EAP-Message =
> <2><9><0><<26><2><9><0>;
> 1<236><152><228><190>N+<17><204><18><216><129><135><245>5N@<0><0><0><0>
> <0><0><0><0><129><206>K@<220><238><128>H<2
> 43><160><208><16><222><177><230><220>\}<141><210>?,<193><1><0>steve
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> User-Name = "anonymous"
> NAS-IP-Address = 10.0.1.1
> NAS-Identifier = "wireless"
> NAS-Port = 253
> Calling-Station-Id = "00-02-6f-09-58-05"
>
> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler
> 'TunnelledByPEAP=1'
> Thu Feb 3 12:37:51 2005: DEBUG: Rewrote user name to
> anonymous at cust001.example.com'
> Thu Feb 3 12:37:51 2005: DEBUG: Logger_Session Deleting session for ,
> 10.0.1.1, 253
> Thu Feb 3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
> Thu Feb 3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 9, 60
> Thu Feb 3 12:37:51 2005: DEBUG: Response type 26
> Thu Feb 3 12:37:51 2005: DEBUG: Converted EAP-MSCHAPV2 Packet dump:
> Code: Access-Request
> Identifier: UNDEF
> Authentic: <146>np><19><153>D\<250>nG<254><211>d<133><136>
> Attributes:
> User-Name = "steve"
> ConvertedFromEAPMSCHAPV2 = 1
> MS-CHAP2-Response =
> <1><0><236><152><228><190>N+<17><204><18><216><129><135><245>5N@<0><0><
> 0><0><0><0><0><0><129><206>K@<220><238><128>H<243><160><208>
> <16><222><177><230><220>\}<141><210>?,<193><1>
> MS-CHAP-Challenge =
> I<254><139><168><198><236><212><31><208>f<24><13><2>}<14><244>
>
> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler
> 'ConvertedFromEAPMSCHAPV2=1'
> Thu Feb 3 12:37:51 2005: DEBUG: Rewrote user name to
> steve at cust001.example.com
> Thu Feb 3 12:37:51 2005: DEBUG: Logger_Session Deleting session for
> steve, 10.0.1.1,
> Thu Feb 3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER='10.0.1.1' and NASPORT=0':
> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
> Thu Feb 3 12:37:51 2005: DEBUG: Query is: 'select PASS_WORD,
> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM,
> VALIDTO from RADUSERS where USERNAME='steve'':
> Thu Feb 3 12:37:51 2005: DEBUG: Radius::AuthRADMIN looks for match
> with steve
> Thu Feb 3 12:37:51 2005: DEBUG: Query is: 'select PASS_WORD,
> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM,
> VALIDTO from RADUSERS where USERNAME='DEFAULT'':
> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, No such
> user
> Thu Feb 3 12:37:51 2005: INFO: Access rejected for steve: No such user
> Thu Feb 3 12:37:51 2005: DEBUG: Converted EAP-MSCHAPV2 response
> Packet dump:
> Code: Access-Reject
> Identifier: UNDEF
> Authentic: <146>np><19><153>D\<250>nG<254><211>d<133><136>
> Attributes:
> Reply-Message = "Request Denied"
>
> Thu Feb 3 12:37:51 2005: DEBUG: EAP result: 1, EAP-MSCHAPV2 converted
> to Radius MSCHAPV2 and redespatched to a Handler
> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT,
> EAP-MSCHAPV2 converted to Radius MSCHAPV2 and redespatched to a
> Handler
> Thu Feb 3 12:37:51 2005: INFO: Access rejected for
> anonymous at cust001.example.com: EAP-MSCHAPV2 converted to Radius
> MSCHAPV2 and redespatched to a Handler
> Thu Feb 3 12:37:51 2005: DEBUG: EAP result: 3, EAP PEAP inner
> authentication redespatched to a Handler
> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: CHALLENGE, EAP
> PEAP inner authentication redespatched to a Handler
> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: CHALLENGE, EAP
> PEAP inner authentication redespatched to a Handler
> Thu Feb 3 12:37:51 2005: DEBUG: Access challenged for
> steve at cust001.example.com: EAP PEAP inner authentication redespatched
> to a Handler
> Thu Feb 3 12:37:51 2005: DEBUG: Access challenged for
> steve at cust001.example.com: EAP PEAP inner authentication redespatched
> to a Handler
> Thu Feb 3 12:37:51 2005: DEBUG: Packet dump:
> *** Sending to 198.4.3.77 port 1051 ....
> Code: Access-Challenge
> Identifier: 120
> Authentic:
> <154><186><243><248><31><23><26><208><214><19><182>0H}<130>e
> Attributes:
> EAP-Message =
> <1><10><0>&<25><0><23><3><1><0><27><13><223>M<204>#<7><250><171><187><2
> 37><183>:<247><243><0><192><147><9><167>zw[t.<196><5>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Thu Feb 3 12:37:51 2005: DEBUG: Packet dump:
> *** Received from 198.4.3.77 port 1051 ....
> Code: Access-Request
> Identifier: 121
> Authentic: ge<223>`3U]U/R<9><22><135><145>y.
> Attributes:
> Framed-MTU = 1466
> NAS-IP-Address = 10.0.1.1
> NAS-Identifier = "wireless"
> User-Name = "steve"
> Service-Type = Framed-User
> NAS-Port = 253
> NAS-Port-Type = Ethernet
> NAS-Port-Id = "wl0"
> Called-Station-Id = "00-11-24-0d-6a-1b"
> Calling-Station-Id = "00-02-6f-09-58-05"
> Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
> EAP-Message =
> <2><10><0>&<25><0><23><3><1><0><27><172><227><254><138>`P<147><162><175
> >wd<185><142>|T<19><195><218>r<179><181><129><15>{<242>Sd
> Message-Authenticator =
> <144><242><16>w<238><226><234>3k<164><250><129>;<191><235><22>
>
> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler ''
> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler ''
> Thu Feb 3 12:37:51 2005: DEBUG: Rewrote user name to
> steve at cust001.example.com
> Thu Feb 3 12:37:51 2005: DEBUG: Logger_Session Deleting session for
> steve, 10.0.1.1, 253
> Thu Feb 3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
> Thu Feb 3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 10, 38
> Thu Feb 3 12:37:51 2005: DEBUG: Response type 25
> Thu Feb 3 12:37:51 2005: DEBUG: EAP result: 1, PEAP Authentication
> Failure
> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, PEAP
> Authentication Failure
> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, PEAP
> Authentication Failure
> Thu Feb 3 12:37:51 2005: INFO: Access rejected for
> steve at cust001.example.com: PEAP Authentication Failure
> Thu Feb 3 12:37:51 2005: INFO: Access rejected for
> steve at cust001.example.com: PEAP Authentication Failure
> Thu Feb 3 12:37:51 2005: DEBUG: do query is: 'insert into RADAUTHLOG
> (TIME_STAMP, USERNAME, TYPE, REASON) values (1107452271,
> 'steve at cust001.example.com', 0, 'PEAP Authentication Failure')':
> Thu Feb 3 12:37:51 2005: DEBUG: Packet dump:
>
>
>
> Hugh Irvine wrote:
>
>>
>> Hello Steve -
>>
>> It's much easier to understand your questions if you include a copy of
>> the configuration file and a trace 4 showing what is happening.
>>
>> You should have a look at section 6.2 in the Radiator 3.11 reference
>> manual ("doc/ref.html") to see what special characters are available
>> for use in queries. In your case you might find %w to be useful?
>>
>> Can you explain exactly what you are wanting to do?
>>
>> regards
>>
>> Hugh
>>
>>
>> On 2 Feb 2005, at 20:30, Steve Shippa wrote:
>>
>>> Right, that would add '@realm', however is there any way to add the
>>> "defaultrealm" which is different for each customer
>>> (cust001.example.com, cust002.example.com, cust00n.example.com) as
>>> I'm doing authentication with the same <Handler>.
>>>
>>> Thanks,
>>> -Steve
>>>
>>> Mark O'Leary wrote:
>>>
>>>> I think the following would add "@realm" to the end of 'plain'
>>>> usernames:
>>>>
>>>> RewriteUsername s/^([^@]+)$/$1\@realm/
>>>>
>>>> M.
>>>>
>>>> --
>>>> Mark O'Leary, ITO (Networks)
>>>> Communications, Manchester Computing
>>>> mark at manchester.ac.uk
>>>>
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: owner-radiator at open.com.au
>>>>> [mailto:owner-radiator at open.com.au] On Behalf Of Steve Shippa
>>>>> Sent: 02 February 2005 13:39
>>>>> To: radiator at open.com.au
>>>>> Subject: (RADIATOR) RewriteUsername help
>>>>>
>>>>> Can anyone tell me if it's possible (and if so, help with the
>>>>> regexp as I'm not too good at them) to use a RewriteUsername
>>>>> parameter to add the defaultrealm (i.e. cust001.example.com) to
>>>>> the username (i.e. steve)?
>>>>>
>>>>> I store usernames in my db as user at cust001.example.com,
>>>>> user at cust002.example.com, etc. My customers log into specific
>>>>> clients where I apply the defaultdomain of custXXX.example.com and
>>>>> while I see places in the log where user at custXXX.example.com is
>>>>> showing up, when the query to the db happens, it uses the NAS
>>>>> 'User-Name' and not user at custXXX.example.com
>>>>> (User-Name+defaultrealm). The log shows:
>>>>>
>>>>> Tue Feb 1 15:26:34 2005: DEBUG: Query is: 'select PASS_WORD,
>>>>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS,
>>>>> VALIDFROM, VALIDTO from RADUSERS where USERNAME='steve'':
>>>>> Tue Feb 1 15:26:34 2005: DEBUG: Radius::AuthRADMIN looks for match with steve
>>>>> Tue Feb 1 15:26:34 2005: DEBUG: AuthBy RADMIN result: REJECT, No such user
>>>>> Tue Feb 1 15:26:34 2005: INFO: Access rejected for steve No such user
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Thanks,
>>>>> -Steve
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>> Announcements on radiator-announce at open.com.au To unsubscribe,
>>>>> email 'majordomo at open.com.au' with 'unsubscribe radiator' in the
>>>>> body of the message.
>>>>>
>>>>
>>>>
>>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive
>> (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.