[RADIATOR] RewriteUsername with EAP_26 PEAP not affecting %X EAP_Identity
Karri Huhtanen
kh at open.com.au
Wed Jul 17 09:12:33 UTC 2019
On Wed, 3 Jul 2019 at 13:24, Christian Kratzer <ck at cksoft.de> wrote:
Hello,
> I have a fun corner case again in the latest Radiator-4.23-18
>
> I have a setup doing TTLS EAP-MS-CHAPv2 and PEAP with EAP-MS-CHAPv2 with AuthSQL.
>
> The current setup uses %X to pass a stripped EAP_Identity to the AuthSELECT
>
> SELECT password FROM table WHERE username=?
> AuthSelectParam %X
>
> We also have another AuthBy which handles TTLS with non-EAP MS-CHAPv2, where we use %w
>
> SELECT password FROM table WHERE username=?
> AuthSelectParam %w
>
> This works fine, but we also have some legacy users that we need to support who prepend their Windows domain to the username as DOMAIN\
>
> As there is no matching Special in Utils.pm we tried doing this in the AuthBySQL with:
>
> RewriteUsername s/^(.*)\\(.*)/$2/
Is there some particular reason why you are using %X instead of %0? %0
would have the rewritten username in it. Got this tip from Heikki,
who's currently on holiday.
br,
// kh
> Looking at the debug logs this seemed to correctly do the rewrite but the SELECT was passed the non rewritten EAP_Identity.
>
> Wed Jul 3 10:34:19 2019 518139: DEBUG: Handling with EAP: code 2, 13, 83, 26
> Wed Jul 3 10:34:19 2019 518278: DEBUG: Response type 26
> Wed Jul 3 10:34:19 2019 518644: DEBUG: Rewrote EAP identity to user at realm
> Wed Jul 3 10:34:19 2019 519052: DEBUG: Connecting to ...
> Wed Jul 3 10:34:19 2019 539664: DEBUG: Query to 'dbi:XXX Connection id: 0-00000': 'SELECT password FROM table WHERE username=?': domain\user
> Wed Jul 3 10:34:19 2019 544575: DEBUG: Radius::AuthSQL looks for match with 'user at realm' [anonymous]
> Wed Jul 3 10:34:19 2019 544780: DEBUG: Radius::AuthSQL REJECT: No such user: 'user at realm' [anonymous]
>
> EAP_26.pm seems to use $context->{identity} and Util.pm uses $_[0]->{EAPIdentity} for %X. Not sure if these are the same.
>
> We got our case fixed temporarily by modifying Util.pm as follows:
>
> #'X', sub { return unless $_[0]; my @n = split(/@/, $_[0]->{EAPIdentity}); $n[0] },
> 'X', sub { return unless $_[0]; my $n = $_[0]->{EAPIdentity}; $n =~ s/^(.*)\\(.*)@(.*)/$2/; $n },
>
> Is there any other way to get RewriteUsername to work with EAP_26 so that we can also use the result for the SQL query?
>
> We have not yet started testing our other case with TTLS and non-EAP protocols, where we use %w currently.
>
> I hope there is a clean way to do this.
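As an added illustration (not Radiator code and not part of the original thread), the two '%X' handlers quoted above, reimplemented as stand-alone Perl subs and run over constructed sample identities. It shows that the modified regex only fires when both a backslash and an '@' are present, so a plain user@realm identity is passed to the SQL lookup with its realm still attached, whereas the original handler always stripped the realm.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example: the original and the modified Util.pm '%X' logic
# from the thread, as plain subs taking the EAP identity string.

# Original behaviour: keep only the part before the first '@'.
sub x_original {
    my ($id) = @_;
    return unless defined $id;
    my @n = split(/@/, $id);
    return $n[0];
}

# Modified behaviour from the thread: drop a leading DOMAIN\ and the @realm.
# The substitution only matches when BOTH '\' and '@' are present; otherwise
# the identity is returned unchanged.
sub x_modified {
    my ($id) = @_;
    return unless defined $id;
    my $n = $id;
    $n =~ s/^(.*)\\(.*)@(.*)/$2/;
    return $n;
}

# Constructed sample identities (single quotes keep the backslash literal).
my @samples = ('DOMAIN\user@realm', 'user@realm', 'DOMAIN\user', 'user');

for my $id (@samples) {
    printf "%-20s original=%-15s modified=%s\n",
        $id, x_original($id), x_modified($id);
}
```

For 'DOMAIN\user@realm' both the rewrite intent and the modified handler agree on 'user', but 'user@realm' yields 'user' from the original handler and 'user@realm' from the modified one, which is worth checking against whatever key the AuthSELECT expects.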