[RADIATOR] RewriteUsername with EAP_26 PEAP not affecting %X EAP_Identity

Christian Kratzer ck at cksoft.de
Wed Jul 3 10:24:14 UTC 2019 

Hi,

I have a fun corner case again in latest Radiator-4.23-18

I have a setup doing TTLS EAP-MS-CHAPv2 and PEAP with EAP-MS-CHAPv2 with AuthSQL.

The current setup uses %X to pass a stripped EAP_Identity to the AuthSELECT

     SELECT password FROM table WHERE username=?
     AuthSelectParam %X

We also have another AuthBy which handles TTLS with non EAP MS-CHAPv2 where we use %w

     SELECT password FROM table WHERE username=?
     AuthSelectParam %w

This works fine but we also have some legacy users that we need to support that are prepending their windows domain to the username with DOMAIN\

As there is no matching Special in Utils.pm we tried doing this in the AuthBySQL with:

     RewriteUsername    s/^(.*)\\(.*)/$2/

Looking at the debug logs this seemed to correctly do the rewrite but the SELECT was passed the non rewritten EAP_Identity.

     Wed Jul  3 10:34:19 2019 518139: DEBUG: Handling with EAP: code 2, 13, 83, 26
     Wed Jul  3 10:34:19 2019 518278: DEBUG: Response type 26
     Wed Jul  3 10:34:19 2019 518644: DEBUG: Rewrote EAP identity to user at realm
     Wed Jul  3 10:34:19 2019 519052: DEBUG: Connecting to ...
     Wed Jul  3 10:34:19 2019 539664: DEBUG: Query to 'dbi:XXX Connection id: 0-00000': 'SELECT password FROM table WHERE username=?': domain\user
     Wed Jul  3 10:34:19 2019 544575: DEBUG: Radius::AuthSQL looks for match with 'user at realm' [anonymous]
     Wed Jul  3 10:34:19 2019 544780: DEBUG: Radius::AuthSQL REJECT: No such user: 'user at realm' [anonymous]

EAP_26.pm seems to use $context->{identity} and Util.pm uses $_[0]->{EAPIdentity} for %X. Not sure if these are the same.

We got our case fixed temporarily by modifying Util.pm as follows:

      #'X', sub { return unless $_[0]; my @n = split(/@/, $_[0]->{EAPIdentity}); $n[0] },
      'X', sub { return unless $_[0]; my $n = $_[0]->{EAPIdentity}; $n =~ s/^(.*)\\(.*)@(.*)/$2/; $n },

Is there any other way to get RewriteUsername to work with EAP_26 so that we can also use the result for the sql query ?

We have not yet started testing our other case with TTLS and non EAP protocols where we use %w currently.

I hope there is a clean way to do this.

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/

More information about the radiator mailing list