I've found a possible logic error in freeradius-0.8.1 in that the Group check in the users file doesn't seem to check for the Strip-User-Name function.
# users file
DEFAULT	Group == ISDN2, Auth-Type := System, Hint == ISDN2
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-MTU = 1500,
	Framed-Routing = None,
	Port-Limit = 2,
	Ascend-Maximum-Channels = 2,
	Reply-Message = "ISDN2 w/ group and hint"

# ISDN Bonded Channel
DEFAULT	Group == ISDN2, Auth-Type := System
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-MTU = 1500,
	Framed-Routing = None,
	Port-Limit = 2,
	Ascend-Maximum-Channels = 2,
	Reply-Message = "ISDN2 w/ group -- no Strip-User-Name"
# end users file

# hints file
DEFAULT	Suffix = *I2, Strip-User-Name = Yes
	Hint = "ISDN2"
# end hints file
Listening on IP address *, ports 1645/udp and 1646/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 66.181.128.12:2441, id=148, length=55
User-Name = "chains*I2"
User-Password = "***"
NAS-Port-Type = ISDN
modcall: entering group authorize
hints: Matched DEFAULT at 3
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [chains*I2/***] (from client gateway port 0)
rad_lowerpair: Stripped-User-Name now 'chains'
rad_rmspace_pair: Stripped-User-Name now 'chains'
modcall: entering group authorize
hints: Matched DEFAULT at 3
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [chains*I2/***] (from client gateway port 0)
Sending Access-Reject of id 148 to 66.181.128.12:2441
Finished request 0
Going to the next request
---8<---8<---
However... user chains is in the ISDN2 group...
Listening on IP address *, ports 1645/udp and 1646/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 66.181.128.12:2450, id=151, length=52
User-Name = "chains"
User-Password = "***"
NAS-Port-Type = ISDN
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
HASH: user chains found in hashtable bucket 26250
HASH: matched user chains in group ISDN2
HASH: user chains found in hashtable bucket 26250
HASH: matched user chains in group ISDN2
users: Matched DEFAULT at 14
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
HASH: user chains found in hashtable bucket 26250
modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
radius_xlat: 'ISDN2 w/ group -- no Strip-User-Name'
Login OK: [chains] (from client gateway port 0)
Sending Access-Accept of id 151 to 66.181.128.12:2450
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Routing = None
Port-Limit = 2
Ascend-Maximum-Channels = 2
Reply-Message = "ISDN2 w/ group -- no Strip-User-Name"
Finished request 0
Going to the next request
---8<---8<---
And if I add the following to my passwd and group files:
/etc/passwd: chains*I2:!!:50000:100:test:/dev/null:/bin/false
/etc/group: ISDN2::519:chains,chains*I2
... I get the following (please note that the password supplied is the one for user "chains"):
Listening on IP address *, ports 1645/udp and 1646/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 66.181.128.12:2448, id=149, length=55
User-Name = "chains*I2"
User-Password = "***"
NAS-Port-Type = ISDN
modcall: entering group authorize
hints: Matched DEFAULT at 3
modcall[authorize]: module "preprocess" returns ok
HASH: user chains*I2 found in hashtable bucket 78517
HASH: matched user chains*I2 in group ISDN2
users: Matched DEFAULT at 3
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
HASH: user chains found in hashtable bucket 26250
modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
radius_xlat: 'ISDN2 w/ group and hint'
Login OK: [chains*I2] (from client gateway port 0)
Sending Access-Accept of id 149 to 66.181.128.12:2448
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Routing = None
Port-Limit = 2
Ascend-Maximum-Channels = 2
Reply-Message = "ISDN2 w/ group and hint"
Finished request 0
Going to the next request
---8<---8<---
Does anyone have either a patch or a way to work around this with both a user suffix and group check?
Larry M. Smith
-- If responding directly to me please use sysadmin -at- ticon.net
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
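The three debug sessions above, reduced to a small Python model (added here as an illustration; this is constructed example code, not part of the original post and not FreeRADIUS source). It assumes a simplified authorize flow in which the hints file strips the "*I2" suffix into Stripped-User-Name, and the users file's Group check is then evaluated against either User-Name (the behaviour the logs show) or Stripped-User-Name (the behaviour the report expected). The function names (`hints`, `group_check`, `authorize`, `unix_login_name`) and the in-memory stand-in for /etc/group are hypothetical; the group membership values come from the report.

```python
"""Model of the authorize/authenticate flow described in the report.

Constructed example: the module and attribute names are taken from the
debug log, but the logic here is a simplification, not FreeRADIUS code.
"""

from dataclasses import dataclass, field

# Constructed stand-in for /etc/group as it was before the workaround:
# group name -> set of member names.
UNIX_GROUPS = {"ISDN2": {"chains"}}

# Constructed stand-in for /etc/group after the workaround from the report,
# where chains*I2 was added as a second member.
UNIX_GROUPS_WORKAROUND = {"ISDN2": {"chains", "chains*I2"}}

# Hints file entry from the report: Suffix = *I2, Strip-User-Name = Yes, Hint = "ISDN2"
HINT_SUFFIX = "*I2"
HINT_VALUE = "ISDN2"


@dataclass
class Request:
    user_name: str                                 # User-Name as sent by the NAS
    attrs: dict = field(default_factory=dict)      # items added by modules


def hints(req: Request) -> None:
    """Model of the hints entry: on a suffix match, strip it and add Hint."""
    if req.user_name.endswith(HINT_SUFFIX):
        req.attrs["Stripped-User-Name"] = req.user_name[: -len(HINT_SUFFIX)]
        req.attrs["Hint"] = HINT_VALUE


def group_check(req: Request, group: str, groups: dict, use_stripped: bool) -> bool:
    """Evaluate 'Group == <group>'.

    use_stripped=False reproduces what the log shows: the lookup uses the
    unmodified User-Name, so "chains*I2" is not found in ISDN2.
    use_stripped=True is the behaviour the report expected: look up the
    Stripped-User-Name when the hints file produced one.
    """
    name = req.user_name
    if use_stripped:
        name = req.attrs.get("Stripped-User-Name", req.user_name)
    return name in groups.get(group, set())


def authorize(user_name: str, groups: dict = UNIX_GROUPS, use_stripped: bool = False) -> str:
    """Return 'ok' if a users-file entry matched (and set Auth-Type), else 'notfound'."""
    req = Request(user_name)
    hints(req)
    # Both users-file entries in the report carry 'Group == ISDN2'; the
    # remaining check items are omitted from this model.
    if group_check(req, "ISDN2", groups, use_stripped):
        req.attrs["Auth-Type"] = "System"
        return "ok"
    return "notfound"


def unix_login_name(user_name: str) -> str:
    """The name the authenticate step checks: the log shows the unix module
    looking up 'chains' even when User-Name is 'chains*I2', i.e. it uses
    Stripped-User-Name once hints has set it."""
    req = Request(user_name)
    hints(req)
    return req.attrs.get("Stripped-User-Name", req.user_name)


if __name__ == "__main__":
    # First session: suffixed name, group check on User-Name -> notfound
    print("chains*I2 (as logged):", authorize("chains*I2"))
    # Second session: plain name -> ok
    print("chains:", authorize("chains"))
    # Third session: the /etc/group workaround makes the suffixed name match
    print("chains*I2 (workaround):", authorize("chains*I2", UNIX_GROUPS_WORKAROUND))
    # Expected behaviour: group check on Stripped-User-Name -> ok without workaround
    print("chains*I2 (stripped):", authorize("chains*I2", use_stripped=True))
    print("unix module looks up:", unix_login_name("chains*I2"))
```

Running it reproduces the three outcomes in the log: the suffixed name is rejected at the Group check, the plain name is accepted, and adding "chains*I2" to the group makes the suffixed name pass while the unix module still authenticates as "chains". The `use_stripped=True` path shows the check the report is asking for, where the Group comparison follows the hints file's Strip-User-Name and the /etc/passwd and /etc/group workaround entries become unnecessary.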
