We've recently moved our servers to FreeRadius 2, and we've been having
reports of some problems with our wireless service.
I investigated, and it seems the problem is the following stanza from
the "inner-tunnel" config, which I just copied over from the default
configs:
post-auth {
        update outer.reply {
                User-Name = "%{request:User-Name}"
        }
}
...specifically, it seems that the xlat of this string is treating
embedded "\" as escape characters.
For example: I was unable to stop the radius server, but a tshark
capture of a failing user shows me the following (C: is the radius client, i.e. the NAS; S:
is a packet from the radius server); note that the "\\" are tshark escaping the
data, the actual username is "IC\nyshir":
C: access-request IC\\nyshir
S: access-challenge
C: access-request IC\\nyshir
S: access-challenge
C: access-request IC\\nyshir
S: access-challenge
C: access-request IC\\nyshir
S: access-challenge
C: access-request IC\\nyshir
S: access-challenge
C: access-request IC\\nyshir
S: access-challenge
C: access-request IC\\nyshir
S: access-challenge
C: access-request IC\\nyshir
S: access-challenge
C: access-request IC\\nyshir
S: access-challenge IC\x0ayshir
C: access-request IC\x0ayshir
S: access-reject
Note that the final "access-challenge" sends back IC<newline>ayshir; the
AP then carries this over to the next request, which fails.
I've solved that problem by removing the "update outer.reply", which
leads me to a 2nd question - given that the "eap" module does this
anyway (and since it uses a dumb "memcpy", correctly) why is that unlang
statement there in the sample configs? Is it necessary?
One final thing: can I suggest the attached patch? (Though it should
probably escape the data, since it comes from the user.)
--- freeradius-server-2.0.5/src/modules/rlm_eap/eap.c 2008-07-20 13:28:28.000000000 +0100
+++ freeradius-server-2.0.5/src/modules/rlm_eap/eap.c.new 2008-07-28 12:19:38.000000000 +0100
@@ -1025,7 +1025,7 @@
*/
if (strncmp(handler->identity, vp->vp_strvalue,
MAX_STRING_LEN) != 0) {
- radlog(L_ERR, "rlm_eap: Identity does not match User-Name. Authentication failed.");
+ radlog(L_ERR, "rlm_eap: Identity %s does not match User-Name %s. Authentication failed.", handler->identity, vp->vp_strvalue);
free(*eap_packet_p);
*eap_packet_p = NULL;
return NULL;
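Review bot: the new radlog() call at the `+` line prints handler->identity and vp->vp_strvalue raw with %s, and both come from the client; the very case this thread is about (a name carrying byte 0x0a) would split the log entry across two lines, and any other control bytes land in the log unfiltered, which is the classic log-injection shape. Before this goes in, pass both values through the server's own quoting/escaping routine for attribute values (vp_prints_value() with delimiters on, or an equivalent helper) so the log shows `IC\nyshir` versus `IC\x0ayshir` and an operator can actually see the mismatch. The added line is also well past the width of the surrounding code; wrap the format string as the neighbouring radlog() calls do.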
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
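The behaviour described in the post above, as an added example that is not part of the original message and not FreeRADIUS code: a small Python model of a double-quoted `"%{request:User-Name}"` expansion. The assumption, stated in the code as well, is that after the `%{...}` reference is substituted the result is run through C-style backslash processing, as a quoted config value would be, so the user's literal `\n` turns into byte 0x0a. The `naive_xlat`, `safe_xlat`, `unescape` and `tshark_style` names are mine; the request dictionary is constructed to carry the nine-byte name from the capture.

```python
# Added example (not FreeRADIUS code): a model of why a double-quoted
# "%{request:User-Name}" mangles a DOMAIN\user name such as IC\nyshir.
# Assumption: after %{...} references are substituted, the resulting
# string is run through C-style backslash processing (as a quoted config
# value would be), so the user's literal "\n" becomes byte 0x0a.
import re

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"'}
_REF = re.compile(r"%\{request:([A-Za-z0-9-]+)\}")


def unescape(s: str) -> str:
    """C-style backslash processing of a double-quoted config string."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def naive_xlat(template: str, request: dict) -> str:
    """Substitute first, unescape afterwards: user data gets parsed as config."""
    expanded = _REF.sub(lambda m: request.get(m.group(1), ""), template)
    return unescape(expanded)


def escape_value(v: str) -> str:
    """Escape a substituted value so that a later unescape() returns it intact."""
    return v.replace("\\", "\\\\").replace('"', '\\"')


def safe_xlat(template: str, request: dict) -> str:
    """Escape each substituted value before the whole string is unescaped."""
    expanded = _REF.sub(lambda m: escape_value(request.get(m.group(1), "")),
                        template)
    return unescape(expanded)


def tshark_style(s: str) -> str:
    """Render a value the way the tshark capture in the post shows it:
    backslash doubled, non-printable bytes as \\xNN."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif 0x20 <= ord(ch) < 0x7F:
            out.append(ch)
        else:
            out.append("\\x%02x" % ord(ch))
    return "".join(out)


if __name__ == "__main__":
    # Constructed request: the literal nine-byte name IC\nyshir (domain IC,
    # user nyshir), exactly what the NAS sent in the capture.
    request = {"User-Name": "IC\\nyshir"}
    template = "%{request:User-Name}"
    print("NAS sent      :", tshark_style(request["User-Name"]))
    print("naive reply   :", tshark_style(naive_xlat(template, request)))
    print("escaped reply :", tshark_style(safe_xlat(template, request)))
```

Running it prints `IC\\nyshir` for the NAS value, `IC\x0ayshir` for the naive expansion (the access-challenge line from the capture) and `IC\\nyshir` again for the escaped variant. The point of `safe_xlat` is the ordering: whatever the final unescape step is, data that originates from the client has to be escaped for it before it is spliced in, otherwise the client gets to write config syntax.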