I'm playing around with CUI generation with FreeRADIUS 2.2.0 and discovered
something odd.
In policy.conf I've set cui_require_operator_name = 1 and cui_hash_key =
"4c2982f2f3b1dc4804994cf386db8c0a34d4ab2a". As you can see it's a 32-character
string and it looks like a hash.
In radiusd -X output I get this:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.126.155 port 1814, id=17,
length=113
User-Name = "st...@diamond.ac.uk"
User-Password = "testing"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x80a453196d15a8e68ba13642ba725b24
Proxy-State = 0x30
Operator-Name = "1camford.ac.uk"
Chargeable-User-Identity = ""
Proxy-State = 0x313630
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++? if (!(User-Name =~ /@/))
?? Evaluating (User-Name =~ /@/) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~ /@/)) -> FALSE
++? if (User-Name =~ /@$/)
? Evaluating (User-Name =~ /@$/) -> FALSE
++? if (User-Name =~ /@$/) -> FALSE
++? if (User-Name =~ /@.+?@/)
? Evaluating (User-Name =~ /@.+?@/) -> FALSE
++? if (User-Name =~ /@.+?@/) -> FALSE
++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/)
? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE
++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE
++? if (User-Name =~ /@[\\.-]/)
? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE
++? if (User-Name =~ /@[\\.-]/) -> FALSE
++? if (User-Name =~ /@.+?[\\.-]$/)
? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE
++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE
++? if (User-Name =~ /@[^\\.]+$/)
? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE
++? if (User-Name =~ /@[^\\.]+$/) -> FALSE
++? if (User-Name =~ /@.+?\\.\\./)
? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE
++? if (User-Name =~ /@.+?\\.\\./) -> FALSE
++? if (User-Name =~ /@myabc\\.com$/i)
? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE
++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE
++? if (User-Name =~
/@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i)
? Evaluating (User-Name =~
/@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE
++? if (User-Name =~
/@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE
++? if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i)
? Evaluating (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) ->
FALSE
++? if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
++? if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i)
? Evaluating (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) ->
FALSE
++? if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
++? if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i)
? Evaluating (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) ->
FALSE
++? if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
++? if (User-Name =~ /@\\.?ac\\.uk$/i)
? Evaluating (User-Name =~ /@\\.?ac\\.uk$/i) -> FALSE
++? if (User-Name =~ /@\\.?ac\\.uk$/i) -> FALSE
++? if (User-Name =~ /@.+?\\.ax\\.uk$/i)
? Evaluating (User-Name =~ /@.+?\\.ax\\.uk$/i) -> FALSE
++? if (User-Name =~ /@.+?\\.ax\\.uk$/i) -> FALSE
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "diamond.ac.uk" for User-Name = "st...@diamond.ac.uk"
[suffix] Found realm "diamond.ac.uk"
[suffix] Adding Stripped-User-Name = "steve"
[suffix] Adding Realm = "diamond.ac.uk"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry steve at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++- entering policy cui_postauth {...}
+++? if (FreeRadius-Proxied-To == 127.0.0.1)
(Attribute FreeRadius-Proxied-To was not found)
? Evaluating (FreeRadius-Proxied-To == 127.0.0.1) -> FALSE
+++? if (FreeRadius-Proxied-To == 127.0.0.1) -> FALSE
+++- entering else else {...}
++++? if (!("%{control:Proxy-To-Realm}") && Chargeable-User-Identity &&
!(reply:Chargeable-User-Identity) && (Operator-Name ||
!("${policy.cui_require_operator_name}")) )
expand: %{control:Proxy-To-Realm} ->
?? Evaluating ("%{control:Proxy-To-Realm}") -> FALSE
? Converting !FALSE -> TRUE
? Evaluating (Chargeable-User-Identity ) -> TRUE
?? Evaluating (reply:Chargeable-User-Identity) -> FALSE
? Converting !FALSE -> TRUE
?? Evaluating (Operator-Name ) -> TRUE
??? Skipping ("${policy.cui_require_operator_name}")
++++? if (!("%{control:Proxy-To-Realm}") && Chargeable-User-Identity
&&!(reply:Chargeable-User-Identity) && (Operator-Name ||
!("${policy.cui_require_operator_name}")) ) -> TRUE
++++- entering if (!("%{control:Proxy-To-Realm}") && Chargeable-User-Identity
&&!(reply:Chargeable-User-Identity) && (Operator-Name ||
!("${policy.cui_require_operator_name}")) ) {...}
expand:
%{md5:4c2982f2f3b1dc4804994cf386db8c0a34d4ab2a%{User-Name}%{%{Operator-Name}:-}}
->
+++++[reply] returns noop
++++- if (!("%{control:Proxy-To-Realm}") && Chargeable-User-Identity &&
!(reply:Chargeable-User-Identity) && (Operator-Name ||
!("${policy.cui_require_operator_name}")) ) returns noop
+++- else else returns noop
++- policy cui_postauth returns noop
As you can see, the expand: bit shows an empty value. Then I changed my
cui_hash_key to "01234567890abcdef01234567890abcdef" and it did the same.
However, when I set cui_hash_key to a hex string that was not 32 characters in
length ("abcdef" as an example), or a non-hex string of any length, it works
ok. So I'm guessing here that if the cui_hash_key happens to be a string that
is a potentially valid MD5 hash, the md5 operator in the CUI generation
statement does nothing or barfs.
Working fragment:
++++- entering if (!("%{control:Proxy-To-Realm}") && Chargeable-User-Identity
&&!(reply:Chargeable-User-Identity) && (Operator-Name ||
!("${policy.cui_require_operator_name}")) ) {...}
expand: %{Operator-Name} -> 1camford.ac.uk
expand: abcdef%{User-Name}%{%{Operator-Name}:-} ->
abcdefst...@diamond.ac.uk1camford.ac.uk
expand: %{md5:abcdef%{User-Name}%{%{Operator-Name}:-}} ->
330a6f12e7152cb8888ef6aaa30b1aed
+++++[reply] returns noop
If this is known already, then that's fine (because it means you'll probably
fix it in the future). Just thought I'd flag this up. In the meanwhile I've
changed my cui_hash_key to something non-hex to avoid this issue.
Stefan Paetow
Software Engineer
+44 1235 778812
Diamond Light Source Ltd.
Diamond House, Harwell Science and Innovation Campus
Didcot, Oxfordshire, OX11 0DE
--
This e-mail and any attachments may contain confidential, copyright and or
privileged material, and are for the use of the intended addressee only. If you
are not the intended addressee or an authorised recipient of the addressee
please notify us of receipt by returning the e-mail and do not use, copy,
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not
necessarily of Diamond Light Source Ltd.
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments
are free from viruses and we cannot accept liability for any damage which you
may sustain as a result of software viruses which may be transmitted in or with
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and
Wales with its registered office at Diamond House, Harwell Science and
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
