(RADIATOR) RewriteUsername help

Hugh Irvine hugh at open.com.au
Fri Feb 4 00:06:22 CST 2005


Hello Steve -

BTW - following up on this I note the use of MS-CHAPv2 in the logs  
shown below.

You should be aware that it is not possible to use altered usernames  
with MS-CHAPv2 as the original username is part of the authentication  
process.

To do what you describe you will not be able to use MS-CHAPv2.

regards

Hugh


On 4 Feb 2005, at 08:38, Hugh Irvine wrote:

>
> Hello Steve -
>
> As the name implies, DefaultRealm will only add a realm suffix once.
>
> If your users are logging in without a realm and you want to do  
> multiple authentications with multiple suffixes, you will either need  
> to use multiple AuthBy RADMIN clauses, or use stored procedures in the  
> database to do the same thing.
>
> If you use multiple AuthBy clauses you can do something like this:
>
> # define Realm(s) or Handler(s)
>
> <Handler ...>
>
> 	AuthByPolicy ContinueUntilAccept
>
> 	<AuthBy RADMIN>
> 		.....
> 		AuthSelect ....... \
> 			where USERNAME = '%u at cust001.example.com'
> 		.....
> 	</AuthBy>
>
> 	<AuthBy RADMIN>
> 		.....
> 		AuthSelect ....... \
> 			where USERNAME = '%u at cust002.example.com'
> 		.....
> 	</AuthBy>
>
> 	<AuthBy RADMIN>
> 		.....
> 		AuthSelect ....... \
> 			where USERNAME = '%u at cust003.example.com'
> 		.....
> 	</AuthBy>
>
> 	.....
> </Handler>
>
>
> See section 6.32 in the Radiator 3.11 reference manual  
> ("doc/ref.html").
>
> Hope that helps.
>
> regards
>
> Hugh
>
>
> On 3 Feb 2005, at 22:06, Steve Shippa wrote:
>
>> I'm not sure the config will help as I'm using RAdmin and everything  
>> (clients, users, etc) is stored in the db.
>>
>> All I'm trying to do is this:
>>
>> Customer signs up for my service, system generates the account # and  
>> puts it in the format like:
>>
>> cust001.example.com
>> cust002.example.com
>> cust003.example.com
>> .
>> .
>> custXXX.example.com
>>
>> which I enter into the radclient table, defaultrealm column along  
>> with their nasidentifier, secret, etc, etc.
>>
>> So my customers don't have to remember steve at cust001.example.com or  
>> bill at cust010.example.com I want to allow them to log in as 'steve' or  
>> 'bill'.  The way I read the docs, defaultrealm will add the realm to  
>> the username if none is present so just using 'steve' to log in from  
>> a specific nas would produce steve at cust001.example.com.  This appears  
>> to be true in some cases.  As the first part of the log shows below,  
>> 'Rewrote user name to steve at cust001.example.com', but further down,  
>> when the authentication takes place 'Query is: 'select PASS_WORD,  
>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS,  
>> VALIDFROM, VALIDTO from RADUSERS where USERNAME='steve':', just  
>> "steve" is used and not the rewritten name.  However, the entry into  
>> the authentication log inserts steve at cust001.example.com.
>>
>> I read in the docs (or online somewhere) that just 'User-Name' is  
>> passed through for authentication, but figured a RewriteUsername  
>> would allow me to change that, so I'm just looking for the correct  
>> RewriteUsername regex to use.  Your suggestion below just includes  
>> the username and %W appears to be what I'm looking for, but how would  
>> you include that in the regex?
>>
>> RewriteUsername              s/^([^@]+)$/$1\{would like either  
>> defaultrealm or the value of %W here}
>>
>> Thanks,
>>  -Steve
>>
>> Thu Feb  3 12:37:51 2005: DEBUG: Packet dump:
>> *** Received from 198.4.3.77 port 1051 ....
>> Code:       Access-Request
>> Identifier: 120
>> Authentic:   
>> <154><186><243><248><31><23><26><208><214><19><182>0H}<130>e
>> Attributes:
>>        Framed-MTU = 1466
>>        NAS-IP-Address = 10.0.1.1
>>        NAS-Identifier = "wireless"
>>        User-Name = "steve"
>>        Service-Type = Framed-User
>>        NAS-Port = 253
>>        NAS-Port-Type = Ethernet
>>        NAS-Port-Id = "wl0"
>>        Called-Station-Id = "00-11-24-0d-6a-1b"
>>        Calling-Station-Id = "00-02-6f-09-58-05"
>>        Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>>        EAP-Message =  
>> <2><9><0>W<25><0><23><3><1><0>L<218><28>6<189><243>eDx{RD<227>i<12>A<2 
>> 2><26><27><254>/<187><225><225><191><13>_<223>T@<190>Hz<128><130><2
>> 42><236>l<7><4>6<206>_<204><139><155><193>S<24>yA$O<197>{<217><209>s<2 
>> 53>k<245><228><177>2<158><210>I<165><228>2<224><129>K<182>\8<133>
>>        Message-Authenticator =  
>> <137>:<189><198><6><207>,=ZkP<141><10><13>A<249>
>>
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler ''
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler ''
>> Thu Feb  3 12:37:51 2005: DEBUG: Rewrote user name to  
>> steve at cust001.example.com
>> Thu Feb  3 12:37:51 2005: DEBUG: Logger_Session Deleting session for  
>> steve, 10.0.1.1, 253
>> Thu Feb  3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE  
>> where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 9, 87
>> Thu Feb  3 12:37:51 2005: DEBUG: Response type 25
>> Thu Feb  3 12:37:51 2005: DEBUG: EAP PEAP inner authentication  
>> request for anonymous
>> Thu Feb  3 12:37:51 2005: DEBUG: PEAP Tunnelled request Packet dump:
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  9<146><27>M)<252>H<244><154><200><232>6<248><10><158><172>
>> Attributes:
>>        EAP-Message =  
>> <2><9><0><<26><2><9><0>; 
>> 1<236><152><228><190>N+<17><204><18><216><129><135><245>5N@<0><0><0><0 
>> ><0><0><0><0><129><206>K@<220><238><128>H<2
>> 43><160><208><16><222><177><230><220>\}<141><210>?,<193><1><0>steve
>>        Message-Authenticator =  
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>        User-Name = "anonymous"
>>        NAS-IP-Address = 10.0.1.1
>>        NAS-Identifier = "wireless"
>>        NAS-Port = 253
>>        Calling-Station-Id = "00-02-6f-09-58-05"
>>
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler  
>> 'TunnelledByPEAP=1'
>> Thu Feb  3 12:37:51 2005: DEBUG: Rewrote user name to  
>> anonymous at cust001.example.com'
>> Thu Feb  3 12:37:51 2005: DEBUG: Logger_Session Deleting session for  
>> , 10.0.1.1, 253
>> Thu Feb  3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE  
>> where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 9, 60
>> Thu Feb  3 12:37:51 2005: DEBUG: Response type 26
>> Thu Feb  3 12:37:51 2005: DEBUG: Converted EAP-MSCHAPV2 Packet dump:
>> Code:       Access-Request
>> Identifier: UNDEF
>> Authentic:  <146>np><19><153>D\<250>nG<254><211>d<133><136>
>> Attributes:
>>        User-Name = "steve"
>>        ConvertedFromEAPMSCHAPV2 = 1
>>        MS-CHAP2-Response =  
>> <1><0><236><152><228><190>N+<17><204><18><216><129><135><245>5N@<0><0> 
>> <0><0><0><0><0><0><129><206>K@<220><238><128>H<243><160><208>
>> <16><222><177><230><220>\}<141><210>?,<193><1>
>>        MS-CHAP-Challenge =  
>> I<254><139><168><198><236><212><31><208>f<24><13><2>}<14><244>
>>
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler  
>> 'ConvertedFromEAPMSCHAPV2=1'
>> Thu Feb  3 12:37:51 2005: DEBUG: Rewrote user name to  
>> steve at cust001.example.com
>> Thu Feb  3 12:37:51 2005: DEBUG: Logger_Session Deleting session for  
>> steve, 10.0.1.1,
>> Thu Feb  3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE  
>> where NASIDENTIFIER='10.0.1.1' and NASPORT=0':
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
>> Thu Feb  3 12:37:51 2005: DEBUG: Query is: 'select PASS_WORD,  
>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS,  
>> VALIDFROM, VALIDTO from RADUSERS where USERNAME='steve'':
>> Thu Feb  3 12:37:51 2005: DEBUG: Radius::AuthRADMIN looks for match  
>> with steve
>> Thu Feb  3 12:37:51 2005: DEBUG: Query is: 'select PASS_WORD,  
>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS,  
>> VALIDFROM, VALIDTO from RADUSERS where USERNAME='DEFAULT'':
>> Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, No  
>> such user
>> Thu Feb  3 12:37:51 2005: INFO: Access rejected for steve: No such  
>> user
>> Thu Feb  3 12:37:51 2005: DEBUG: Converted EAP-MSCHAPV2 response  
>> Packet dump:
>> Code:       Access-Reject
>> Identifier: UNDEF
>> Authentic:  <146>np><19><153>D\<250>nG<254><211>d<133><136>
>> Attributes:
>>        Reply-Message = "Request Denied"
>>
>> Thu Feb  3 12:37:51 2005: DEBUG: EAP result: 1, EAP-MSCHAPV2  
>> converted to Radius MSCHAPV2 and redespatched to a Handler
>> Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT,  
>> EAP-MSCHAPV2 converted to Radius MSCHAPV2 and redespatched to a  
>> Handler
>> Thu Feb  3 12:37:51 2005: INFO: Access rejected for  
>> anonymous at cust001.example.com: EAP-MSCHAPV2 converted to Radius  
>> MSCHAPV2 and redespatched to a Handler
>> Thu Feb  3 12:37:51 2005: DEBUG: EAP result: 3, EAP PEAP inner  
>> authentication redespatched to a Handler
>> Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: CHALLENGE, EAP  
>> PEAP inner authentication redespatched to a Handler
>> Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: CHALLENGE, EAP  
>> PEAP inner authentication redespatched to a Handler
>> Thu Feb  3 12:37:51 2005: DEBUG: Access challenged for  
>> steve at cust001.example.com: EAP PEAP inner authentication redespatched  
>> to a Handler
>> Thu Feb  3 12:37:51 2005: DEBUG: Access challenged for  
>> steve at cust001.example.com: EAP PEAP inner authentication redespatched  
>> to a Handler
>> Thu Feb  3 12:37:51 2005: DEBUG: Packet dump:
>> *** Sending to 198.4.3.77 port 1051 ....
>> Code:       Access-Challenge
>> Identifier: 120
>> Authentic:   
>> <154><186><243><248><31><23><26><208><214><19><182>0H}<130>e
>> Attributes:
>>        EAP-Message =  
>> <1><10><0>&<25><0><23><3><1><0><27><13><223>M<204>#<7><250><171><187>< 
>> 237><183>:<247><243><0><192><147><9><167>zw[t.<196><5>
>>        Message-Authenticator =  
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Thu Feb  3 12:37:51 2005: DEBUG: Packet dump:
>> *** Received from 198.4.3.77 port 1051 ....
>> Code:       Access-Request
>> Identifier: 121
>> Authentic:  ge<223>`3U]U/R<9><22><135><145>y.
>> Attributes:
>>        Framed-MTU = 1466
>>        NAS-IP-Address = 10.0.1.1
>>        NAS-Identifier = "wireless"
>>        User-Name = "steve"
>>        Service-Type = Framed-User
>>        NAS-Port = 253
>>        NAS-Port-Type = Ethernet
>>        NAS-Port-Id = "wl0"
>>        Called-Station-Id = "00-11-24-0d-6a-1b"
>>        Calling-Station-Id = "00-02-6f-09-58-05"
>>        Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>>        EAP-Message =  
>> <2><10><0>&<25><0><23><3><1><0><27><172><227><254><138>`P<147><162><17 
>> 5>wd<185><142>|T<19><195><218>r<179><181><129><15>{<242>Sd
>>        Message-Authenticator =  
>> <144><242><16>w<238><226><234>3k<164><250><129>;<191><235><22>
>>
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler ''
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling request with Handler ''
>> Thu Feb  3 12:37:51 2005: DEBUG: Rewrote user name to  
>> steve at cust001.example.com
>> Thu Feb  3 12:37:51 2005: DEBUG: Logger_Session Deleting session for  
>> steve, 10.0.1.1, 253
>> Thu Feb  3 12:37:51 2005: DEBUG: do query is: 'delete from RADONLINE  
>> where NASIDENTIFIER='10.0.1.1' and NASPORT=0253':
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling with Radius::AuthRADMIN:
>> Thu Feb  3 12:37:51 2005: DEBUG: Handling with EAP: code 2, 10, 38
>> Thu Feb  3 12:37:51 2005: DEBUG: Response type 25
>> Thu Feb  3 12:37:51 2005: DEBUG: EAP result: 1, PEAP Authentication  
>> Failure
>> Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, PEAP  
>> Authentication Failure
>> Thu Feb  3 12:37:51 2005: DEBUG: AuthBy RADMIN result: REJECT, PEAP  
>> Authentication Failure
>> Thu Feb  3 12:37:51 2005: INFO: Access rejected for  
>> steve at cust001.example.com: PEAP Authentication Failure
>> Thu Feb  3 12:37:51 2005: INFO: Access rejected for  
>> steve at cust001.example.com: PEAP Authentication Failure
>> Thu Feb  3 12:37:51 2005: DEBUG: do query is: 'insert into RADAUTHLOG  
>> (TIME_STAMP, USERNAME, TYPE, REASON) values (1107452271,  
>> 'steve at cust001.example.com', 0, 'PEAP Authentication Failure')':
>> Thu Feb  3 12:37:51 2005: DEBUG: Packet dump:
>>
>>
>>
>> Hugh Irvine wrote:
>>
>>>
>>> Hello Steve -
>>>
>>> It's much easier to understand your questions if you include a copy  
>>> of the configuration file and a trace 4 showing what is happening.
>>>
>>> You should have a look at section 6.2 in the Radiator 3.11 reference  
>>> manual ("doc/ref.html") to see what special characters are available  
>>> for use in queries. In your case you might find %w to be useful?
>>>
>>> Can you explain exactly what you are wanting to do?
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 2 Feb 2005, at 20:30, Steve Shippa wrote:
>>>
>>>> Right, that would add '@realm', however is there any way to add the  
>>>> "defaultrealm" which is different for each customer  
>>>> (cust001.example.com, cust002.example.com, cust00n.example.com) as  
>>>> I'm doing authentication with the same <Handler>
>>>>
>>>> Thanks,
>>>>  -Steve
>>>>
>>>> Mark O'Leary wrote:
>>>>
>>>>> I think the following would add "@realm" to the end of 'plain'  
>>>>> usernames:
>>>>>
>>>>> RewriteUsername s/^([^@]+)$/$1\@realm/
>>>>>
>>>>> M.
>>>>>
>>>>> -- 
>>>>> Mark O'Leary, ITO (Networks)
>>>>> Communications, Manchester Computing
>>>>> mark at manchester.ac.uk
>>>>>
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: owner-radiator at open.com.au  
>>>>>> [mailto:owner-radiator at open.com.au] On Behalf Of Steve Shippa
>>>>>> Sent: 02 February 2005 13:39
>>>>>> To: radiator at open.com.au
>>>>>> Subject: (RADIATOR) RewriteUsername help
>>>>>>
>>>>>> Can anyone tell me if it's possible (and if so, help with the  
>>>>>> regexp as I'm not too good at them) to use a RewriteUsername  
>>>>>> parameter to add the defaultrealm (i.e. cust001.example.com) to  
>>>>>> the username (i.e. steve)?
>>>>>>
>>>>>> I store usernames in my db as user at cust001.example.com,  
>>>>>> user at cust002.example.com, etc.  My customers log into specific  
>>>>>> clients where I apply the defaultdomain of custXXX.example.com  
>>>>>> and while I see places in the log where user at custXXX.example.com  
>>>>>> is showing up, when the query to the db happens, it uses the NAS  
>>>>>> 'User-Name' and not user at custXXX.example.com  
>>>>>> (User-Name+defaultrealm).  The log shows:
>>>>>>
>>>>>> Tue Feb  1 15:26:34 2005: DEBUG: Query is: 'select PASS_WORD,  
>>>>>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS,  
>>>>>> VALIDFROM, VALIDTO from RADUSERS where USERNAME='steve'':
>>>>>> Tue Feb  1 15:26:34 2005: DEBUG: Radius::AuthRADMIN looks for match with steve
>>>>>> Tue Feb  1 15:26:34 2005: DEBUG: AuthBy RADMIN result: REJECT, No such user
>>>>>> Tue Feb  1 15:26:34 2005: INFO: Access rejected for steve No such user
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> Thanks,
>>>>>> -Steve
>>>>>>
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>> Announcements on radiator-announce at open.com.au To unsubscribe,  
>>>>>> email 'majordomo at open.com.au' with 'unsubscribe radiator' in the  
>>>>>> body of the message.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>> NB:
>>>
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive  
>>> (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>
>>
>>
>
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>



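Hugh's point that the original user name is part of MS-CHAPv2 authentication comes from the RFC 2759 ChallengeHash step, where the user name is hashed together with both challenges to produce the 8-octet value the client's NT-Response is computed over. The following added example (written for this page, not code from the thread or from Radiator) shows that a server which recomputes that challenge with a rewritten name such as steve@cust001.example.com can no longer match the client's response; the 16-octet challenges are constructed sample values.

```python
import hashlib
import hmac


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash.

    Returns the first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    The client's NT-Response is computed over these 8 octets, so the
    user name the client actually sent is bound into the response.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge must be 16 octets each")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + username.encode("utf-8")).digest()
    return digest[:8]


def server_can_match_response(client_username: str, server_username: str,
                              peer_challenge: bytes, authenticator_challenge: bytes) -> bool:
    """Simulate the server side of MS-CHAPv2 verification.

    The server must recompute the same 8-octet challenge the client used
    before it can check the NT-Response. If it recomputes it with a
    rewritten user name, the challenge differs and verification fails
    no matter whether the password is correct.
    """
    client_side = challenge_hash(peer_challenge, authenticator_challenge, client_username)
    server_side = challenge_hash(peer_challenge, authenticator_challenge, server_username)
    return hmac.compare_digest(client_side, server_side)


# Constructed sample challenges (not taken from the trace in the thread).
PEER_CHALLENGE = bytes(range(16))
AUTHENTICATOR_CHALLENGE = bytes(range(0x10, 0x20))


def rewrite_username_outcomes() -> dict:
    """Compare the unmodified name with the DefaultRealm-style rewrite from the thread."""
    original = "steve"
    rewritten = "steve@cust001.example.com"
    return {
        "server_uses_original": server_can_match_response(
            original, original, PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE),
        "server_uses_rewritten": server_can_match_response(
            original, rewritten, PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE),
    }


if __name__ == "__main__":
    for case, ok in rewrite_username_outcomes().items():
        print(f"{case}: {'challenge matches' if ok else 'challenge mismatch, NT-Response cannot verify'}")
```

This is why the realm has to be added on the database side (as in the AuthSelect queries above) rather than by rewriting User-Name before an MS-CHAPv2 check.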

