(RADIATOR) RewriteUsername help
Hugh Irvine
hugh at open.com.au
Fri Feb 4 00:06:22 CST 2005
Hello Steve -
BTW - following up on this I note the use of MS-CHAPv2 in the logs
shown below.
You should be aware that it is not possible to use altered usernames
with MS-CHAPv2 as the original username is part of the authentication
process.
To do what you describe you will not be able to use MS-CHAPv2.
regards
Hugh
On 4 Feb 2005, at 08:38, Hugh Irvine wrote:
>
> Hello Steve -
>
> As the name implies, DefaultRealm will only add a realm suffix once.
>
> If your users are logging in without a realm and you want to do
> multiple authentications with multiple suffixes, you will either need
> to use multiple AuthBy RADMIN clauses, or use stored procedures in the
> database to do the same thing.
>
> If you use multiple AuthBy clauses you can do something like this:
>
> # define Realm(s) or Handler(s)
>
> <Handler ...>
>
> AuthByPolicy ContinueUntilAccept
>
> <AuthBy RADMIN>
> .....
> AuthSelect ....... \
> where USERNAME = '%u at cust001.example.com'
> .....
> </AuthBy>
>
> <AuthBy RADMIN>
> .....
> AuthSelect ....... \
> where USERNAME = '%u at cust002.example.com'
> .....
> </AuthBy>
>
> <AuthBy RADMIN>
> .....
> AuthSelect ....... \
> where USERNAME = '%u at cust003.example.com'
> .....
> </AuthBy>
>
> .....
> </Handler>
>
>
> See section 6.32 in the Radiator 3.11 reference manual
> ("doc/ref.html").
>
> Hope that helps.
>
> regards
>
> Hugh
>
>
> On 3 Feb 2005, at 22:06, Steve Shippa wrote:
>
>> I'm not sure the config will help as I'm using RAdmin and everything
>> (clients, users, etc) is stored in the db.
>>
>> All I'm trying to do is this:
>>
>> Customer signs up for my service, system generates the account # and
>> puts it in the format like:
>>
>> cust001.example.com
>> cust002.example.com
>> cust003.example.com
>> .
>> .
>> custXXX.example.com
>>
>> which I enter into the radclient table, defaultrealm column along
>> with their nasidentifier, secret, etc, etc.
>>
>> So my customers don't have to remember steve at cust001.example.com or
>> bill at cust010.example.com I want to allow them to log in as 'steve' or
>> 'bill'. The way I read the docs, defaultrealm will add the realm to
>> the username if none is present so just using 'steve' to log in from
>> a specific nas would produce steve at cust001.example.com. This appears
>> to be true in some cases. As the first part of the log shows below,
>> 'Rewrote user name to steve at cust001.example.com', but further down,
>> when the authentication takes place 'Query is: 'select PASS_WORD,
>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS,
>> VALIDFROM, VALIDTO from RADUSERS where USERNAME='steve':', just
>> "steve" is used and not the rewritten name. However, the entry into
>> the authentication log inserts steve at cust001.example.com.
>>
>> I read in the docs (or online somewhere) that just 'User-Name' is
>> passed through for authentication, but figured a RewriteUsername
>> would allow me to change that, so I'm just looking for the correct
>> RewriteUsername reg ex to use. Your suggestion below just includes
>> the username and %W appears to be what I'm looking for, but how would
>> you include that in reg ex?
>>
>> RewriteUsername s/^([^@]+)$/$1\{would like either
>> defaultrealm or the value of %W here}
>>
>> Thanks,
>> -Steve
>>
>> Thu Feb 3 12:37:51 2005: DEBUG: Packet dump:
>> *** Received from 198.4.3.77 port 1051 ....
>> Code: Access-Request
>> Identifier: 120
>> Authentic:
>> <154><186><243><248><31><23><26><208><214><19><182>0H}<130>e
>> Attributes:
>> Framed-MTU = 1466
>> NAS-IP-Address = 10.0.1.1
>> NAS-Identifier = "wireless"
>> User-Name = "steve"
>> Service-Type = Framed-User
>> NAS-Port = 253
>> NAS-Port-Type = Ethernet
>> NAS-Port-Id = "wl0"
>> Called-Station-Id = "00-11-24-0d-6a-1b"
>> Calling-Station-Id = "00-02-6f-09-58-05"
>> Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>> EAP-Message =
>> <2><9><0>W<25><0><23><3><1><0>L<218><28>6<189><243>eDx{RD<227>i<12>A<2
>> 2><26><27><254>/<187><225><225><191><13>_<223>T@<190>Hz<128><130><2
>> 42><236>l<7><4>6<206>_<204><139><155><193>S<24>yA$O<197>{<217><209>s<2
>> 53>k<245><228><177>2<158><210>I<165><228>2<224><129>K<182>\8<133>
>> Message-Authenticator =
>> <137>:<189><198><6><207>,=ZkP<141><10><13>A<249>
>>
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler ''
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler ''
>> Thu Feb 3 12:37:51 2005: DEBUG: Rewrote user name to
>> steve at cust001.example.com
>> Thu Feb 3 12:37:51 2005: DEBUG: Logger_Session Deleting session for
>> steve, 10.0.1.1, 253
>> Thu Feb 3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE
>> where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 9, 87
>> Thu Feb 3 12:37:51 2005: DEBUG: Response type 25
>> Thu Feb 3 12:37:51 2005: DEBUG: EAP PEAP inner authentication
>> request for anonymous
>> Thu Feb 3 12:37:51 2005: DEBUG: PEAP Tunnelled request Packet dump:
>> Code: Access-Request
>> Identifier: UNDEF
>> Authentic: 9<146><27>M)<252>H<244><154><200><232>6<248><10><158><172>
>> Attributes:
>> EAP-Message =
>> <2><9><0><<26><2><9><0>;
>> 1<236><152><228><190>N+<17><204><18><216><129><135><245>5N@<0><0><0><0
>> ><0><0><0><0><129><206>K@<220><238><128>H<2
>> 43><160><208><16><222><177><230><220>\}<141><210>?,<193><1><0>steve
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> User-Name = "anonymous"
>> NAS-IP-Address = 10.0.1.1
>> NAS-Identifier = "wireless"
>> NAS-Port = 253
>> Calling-Station-Id = "00-02-6f-09-58-05"
>>
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler
>> 'TunnelledByPEAP=1'
>> Thu Feb 3 12:37:51 2005: DEBUG: Rewrote user name to
>> anonymous at cust001.example.com'
>> Thu Feb 3 12:37:51 2005: DEBUG: Logger_Session Deleting session for
>> , 10.0.1.1, 253
>> Thu Feb 3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE
>> where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 9, 60
>> Thu Feb 3 12:37:51 2005: DEBUG: Response type 26
>> Thu Feb 3 12:37:51 2005: DEBUG: Converted EAP-MSCHAPV2 Packet dump:
>> Code: Access-Request
>> Identifier: UNDEF
>> Authentic: <146>np><19><153>D\<250>nG<254><211>d<133><136>
>> Attributes:
>> User-Name = "steve"
>> ConvertedFromEAPMSCHAPV2 = 1
>> MS-CHAP2-Response =
>> <1><0><236><152><228><190>N+<17><204><18><216><129><135><245>5N@<0><0>
>> <0><0><0><0><0><0><129><206>K@<220><238><128>H<243><160><208>
>> <16><222><177><230><220>\}<141><210>?,<193><1>
>> MS-CHAP-Challenge =
>> I<254><139><168><198><236><212><31><208>f<24><13><2>}<14><244>
>>
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler
>> 'ConvertedFromEAPMSCHAPV2=1'
>> Thu Feb 3 12:37:51 2005: DEBUG: Rewrote user name to
>> steve at cust001.example.com
>> Thu Feb 3 12:37:51 2005: DEBUG: Logger_Session Deleting session for
>> steve, 10.0.1.1,
>> Thu Feb 3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE
>> where NASIDENTIFIER='10.0.1.1' and NASPORT=0':
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
>> Thu Feb 3 12:37:51 2005: DEBUG: Query is: 'select PASS_WORD,
>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS,
>> VALIDFROM, VALIDTO from RADUSERS where USERNAME='steve'':
>> Thu Feb 3 12:37:51 2005: DEBUG: Radius::AuthRADMIN looks for match
>> with steve
>> Thu Feb 3 12:37:51 2005: DEBUG: Query is: 'select PASS_WORD,
>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS,
>> VALIDFROM, VALIDTO from RADUSERS where USERNAME='DEFAULT'':
>> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, No
>> such user
>> Thu Feb 3 12:37:51 2005: INFO: Access rejected for steve: No such
>> user
>> Thu Feb 3 12:37:51 2005: DEBUG: Converted EAP-MSCHAPV2 response
>> Packet dump:
>> Code: Access-Reject
>> Identifier: UNDEF
>> Authentic: <146>np><19><153>D\<250>nG<254><211>d<133><136>
>> Attributes:
>> Reply-Message = "Request Denied"
>>
>> Thu Feb 3 12:37:51 2005: DEBUG: EAP result: 1, EAP-MSCHAPV2
>> converted to Radius MSCHAPV2 and redespatched to a Handler
>> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT,
>> EAP-MSCHAPV2 converted to Radius MSCHAPV2 and redespatched to a
>> Handler
>> Thu Feb 3 12:37:51 2005: INFO: Access rejected for
>> anonymous at cust001.example.com: EAP-MSCHAPV2 converted to Radius
>> MSCHAPV2 and redespatched to a Handler
>> Thu Feb 3 12:37:51 2005: DEBUG: EAP result: 3, EAP PEAP inner
>> authentication redespatched to a Handler
>> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: CHALLENGE, EAP
>> PEAP inner authentication redespatched to a Handler
>> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: CHALLENGE, EAP
>> PEAP inner authentication redespatched to a Handler
>> Thu Feb 3 12:37:51 2005: DEBUG: Access challenged for
>> steve at cust001.example.com: EAP PEAP inner authentication redespatched
>> to a Handler
>> Thu Feb 3 12:37:51 2005: DEBUG: Access challenged for
>> steve at cust001.example.com: EAP PEAP inner authentication redespatched
>> to a Handler
>> Thu Feb 3 12:37:51 2005: DEBUG: Packet dump:
>> *** Sending to 198.4.3.77 port 1051 ....
>> Code: Access-Challenge
>> Identifier: 120
>> Authentic:
>> <154><186><243><248><31><23><26><208><214><19><182>0H}<130>e
>> Attributes:
>> EAP-Message =
>> <1><10><0>&<25><0><23><3><1><0><27><13><223>M<204>#<7><250><171><187><
>> 237><183>:<247><243><0><192><147><9><167>zw[t.<196><5>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Thu Feb 3 12:37:51 2005: DEBUG: Packet dump:
>> *** Received from 198.4.3.77 port 1051 ....
>> Code: Access-Request
>> Identifier: 121
>> Authentic: ge<223>`3U]U/R<9><22><135><145>y.
>> Attributes:
>> Framed-MTU = 1466
>> NAS-IP-Address = 10.0.1.1
>> NAS-Identifier = "wireless"
>> User-Name = "steve"
>> Service-Type = Framed-User
>> NAS-Port = 253
>> NAS-Port-Type = Ethernet
>> NAS-Port-Id = "wl0"
>> Called-Station-Id = "00-11-24-0d-6a-1b"
>> Calling-Station-Id = "00-02-6f-09-58-05"
>> Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>> EAP-Message =
>> <2><10><0>&<25><0><23><3><1><0><27><172><227><254><138>`P<147><162><17
>> 5>wd<185><142>|T<19><195><218>r<179><181><129><15>{<242>Sd
>> Message-Authenticator =
>> <144><242><16>w<238><226><234>3k<164><250><129>;<191><235><22>
>>
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler ''
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling request with Handler ''
>> Thu Feb 3 12:37:51 2005: DEBUG: Rewrote user name to
>> steve at cust001.example.com
>> Thu Feb 3 12:37:51 2005: DEBUG: Logger_Session Deleting session for
>> steve, 10.0.1.1, 253
>> Thu Feb 3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE
>> where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
>> Thu Feb 3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 10, 38
>> Thu Feb 3 12:37:51 2005: DEBUG: Response type 25
>> Thu Feb 3 12:37:51 2005: DEBUG: EAP result: 1, PEAP Authentication
>> Failure
>> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, PEAP
>> Authentication Failure
>> Thu Feb 3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, PEAP
>> Authentication Failure
>> Thu Feb 3 12:37:51 2005: INFO: Access rejected for
>> steve at cust001.example.com: PEAP Authentication Failure
>> Thu Feb 3 12:37:51 2005: INFO: Access rejected for
>> steve at cust001.example.com: PEAP Authentication Failure
>> Thu Feb 3 12:37:51 2005: DEBUG: do query is: 'insert into RADAUTHLOG
>> (TIME_STAMP, USERNAME, TYPE, REASON) values (1107452271,
>> 'steve at cust001.example.com', 0, 'PEAP Authentication Failure')':
>> Thu Feb 3 12:37:51 2005: DEBUG: Packet dump:
>>
>>
>>
>> Hugh Irvine wrote:
>>
>>>
>>> Hello Steve -
>>>
>>> Its much easier to understand your questions if you include a copy
>>> of the configuration file and a trace 4 showing what is happening.
>>>
>>> You should have a look at section 6.2 in the Radiator 3.11 reference
>>> manual ("doc/ref.html") to see what special characters are available
>>> for use in queries. In your case you might find %w to be useful?
>>>
>>> Can you explain exactly what you are wanting to do?
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 2 Feb 2005, at 20:30, Steve Shippa wrote:
>>>
>>>> Right, that would add '@realm', however is there any way to add the
>>>> "defaultrealm" which is different for each customer
>>>> (cust001.example.com, cust002.example.com, cust00n.example.com) as
>>>> I'm doing authentication with the same <Handler>
>>>>
>>>> Thanks,
>>>> -Steve
>>>>
>>>> Mark O'Leary wrote:
>>>>
>>>>> I think the following would add "@realm" to the end of 'plain'
>>>>> usernames:
>>>>>
>>>>> RewriteUsername s/^([^@]+)$/$1\@realm/
>>>>>
>>>>> M.
>>>>>
>>>>> --
>>>>> Mark O'Leary, ITO (Networks)
>>>>> Communications, Manchester Computing
>>>>> mark at manchester.ac.uk
>>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: owner-radiator at open.com.au
>>>>>> [mailto:owner-radiator at open.com.au] On Behalf Of Steve Shippa
>>>>>> Sent: 02 February 2005 13:39
>>>>>> To: radiator at open.com.au
>>>>>> Subject: (RADIATOR) RewriteUsername help
>>>>>>
>>>>>> Can anyone tell me if it's possible (and if so, help with the
>>>>>> regexp as I'm not too good at them) to use a RewriteUsername
>>>>>> parameter to add the defaultrealm (i.e. cust001.example.com) to
>>>>>> the username (i.e. steve)?
>>>>>>
>>>>>> I store usernames in my db as user at cust001.example.com,
>>>>>> user at cust002.example.com, etc. My customers log into specific
>>>>>> clients where I apply the defaultdomain of custXXX.example.com
>>>>>> and while I see places in the log where user at custXXX.example.com
>>>>>> is showing up, when the query to the db happens, it uses the NAS
>>>>>> 'User-Name' and not user at custXXX.example.com
>>>>>> (User-Name+defaultrealm). The log shows:
>>>>>>
>>>>>> Tue Feb 1 15:26:34 2005: DEBUG: Query is: 'select PASS_WORD,
>>>>>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS,
>>>>>> VALIDFROM, VALIDTO from RADUSERS where USERNAME='steve'':
>>>>>> Tue Feb 1 15:26:34 2005: DEBUG: Radius::AuthRADMIN looks for
>>>>>> match with steve Tue Feb 1 15:26:34 2005: DEBUG: AuthBy RADMIN
>>>>>> result: REJECT, No such user Tue Feb 1 15:26:34 2005: INFO:
>>>>>> Access rejected for steve No such user
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Thanks,
>>>>>> -Steve
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>> Announcements on radiator-announce at open.com.au To unsubscribe,
>>>>>> email 'majordomo at open.com.au' with 'unsubscribe radiator' in the
>>>>>> body of the message.
>>>>>>
>>>>>> --
>>>>>> No virus found in this incoming message.
>>>>>> Checked by AVG Anti-Virus.
>>>>>> Version: 7.0.300 / Virus Database: 265.8.2 - Release Date:
>>>>>> 28/01/2005
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list