We've recently moved our servers to FreeRadius 2, and we've been having reports of some problems with our wireless service.

I investigated, and it seems the problem is the following stanza from the "inner-tunnel" config, which I just copied over from the default configs:

post-auth {
        update outer.reply {
                User-Name = "%{request:User-Name}"
        }
}

...specifically, it seems that the xlat of this string is treating embedded "\" as escape characters.

For example, I was unable to stop the radius server, but a tshark capture of a failing user shows me the following (C: is the radius client, i.e. the NAS; S: is a packet from the radius server). Note that the "\\" is tshark escaping the data; the actual username is "IC\nyshir".

C: access-request   IC\\nyshir
S: access-challenge
C: access-request   IC\\nyshir
S: access-challenge
C: access-request   IC\\nyshir
S: access-challenge
C: access-request   IC\\nyshir
S: access-challenge
C: access-request   IC\\nyshir
S: access-challenge
C: access-request   IC\\nyshir
S: access-challenge
C: access-request   IC\\nyshir
S: access-challenge
C: access-request   IC\\nyshir
S: access-challenge
C: access-request   IC\\nyshir
S: access-challenge IC\x0ayshir
C: access-request   IC\x0ayshir
S: access-reject

Note that the final "access-challenge" sends back IC<newline>ayshir; the AP then carries this over to the next request, which fails.

I've solved that problem by removing the "update outer.reply", which leads me to a second question: given that the "eap" module does this anyway (and, since it uses a dumb "memcpy", does it correctly), why is that unlang statement there in the sample configs? Is it necessary?

One final thing: can I suggest the attached patch? (Though it should probably escape the data, since it comes from the user.)

--- freeradius-server-2.0.5/src/modules/rlm_eap/eap.c	2008-07-20 13:28:28.000000000 +0100
+++ freeradius-server-2.0.5/src/modules/rlm_eap/eap.c.new	2008-07-28 12:19:38.000000000 +0100
@@ -1025,7 +1025,7 @@
 			*/
                        if (strncmp(handler->identity, vp->vp_strvalue,
 				   MAX_STRING_LEN) != 0) {
-                               radlog(L_ERR, "rlm_eap: Identity does not match User-Name.  Authentication failed.");
+                               radlog(L_ERR, "rlm_eap: Identity %s does not match User-Name %s.  Authentication failed.", handler->identity, vp->vp_strvalue);
                                free(*eap_packet_p);
                                *eap_packet_p = NULL;
                                return NULL;
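Review bot: the new radlog on the + line writes handler->identity and vp->vp_strvalue into the log unescaped, and both values are supplied by the peer; the capture earlier in this message shows a User-Name carrying an embedded 0x0a, so a crafted identity can split or forge log lines. Suggest escaping or quoting both strings before they reach radlog (the cover note itself says the data should be escaped), e.g. passing them through the server's string-escaping helper and wrapping them in quotes so a truncated or empty value is still visible as such.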
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
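The post describes two ways a User-Name can be copied into the reply: an xlat expansion that interprets embedded backslashes as escape characters, and a plain memcpy that preserves the bytes. The following is an added example, not FreeRADIUS code or the poster's: it models both behaviours, decodes the tshark-style display used in the capture (doubled backslashes, control bytes as \xNN), and flags replies whose User-Name no longer matches the request. The escape table, the trace-line format and the escape_backslashes mitigation are assumptions chosen for illustration; the sample trace is constructed to mirror the excerpt above.

```python
"""Model of the escape-processing problem described in the post.

Added example, not FreeRADIUS code. The escape set, trace parser and
mitigation are assumptions for illustration only.
"""
import re

# Escapes a C-style unescaper would recognise (assumed set, for the model).
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"'}


def expand_with_escapes(value: str) -> str:
    """Model of an xlat that treats embedded backslashes as escape characters:
    'IC\\nyshir' (backslash, 'n') becomes 'IC', LF, 'yshir'."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in SIMPLE_ESCAPES:
                out.append(SIMPLE_ESCAPES[nxt])
                i += 2
                continue
            m = re.match(r"x([0-9a-fA-F]{2})", value[i + 1:])
            if m:  # \xNN form
                out.append(chr(int(m.group(1), 16)))
                i += 4
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def copy_verbatim(value: str) -> str:
    """What a plain memcpy of the attribute does: every byte is preserved."""
    return value


def escape_backslashes(value: str) -> str:
    """Assumed mitigation: double backslashes before the value enters an
    escape-processing string, so expansion yields the original text again."""
    return value.replace("\\", "\\\\")


def tshark_display(value: str) -> str:
    """Render a string the way the capture in the post shows it:
    backslash doubled, control bytes as \\xNN."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def tshark_decode(shown: str) -> str:
    """Inverse of tshark_display: '\\\\' -> one backslash, '\\xNN' -> byte."""
    return re.sub(
        r"\\\\|\\x([0-9a-fA-F]{2})",
        lambda m: "\\" if m.group(0) == "\\\\" else chr(int(m.group(1), 16)),
        shown,
    )


def control_chars(value: str):
    """Positions and codes of control bytes in a User-Name. A non-empty result
    on a reply attribute is the symptom seen in the capture."""
    return [(i, f"0x{ord(c):02x}") for i, c in enumerate(value)
            if ord(c) < 0x20 or ord(c) == 0x7F]


def check_trace(lines):
    """Walk tshark-style lines ('C: access-request   NAME', 'S: access-challenge NAME')
    and report server replies whose User-Name differs from the last request's."""
    findings, current = [], None
    for line in lines:
        parts = line.split(None, 2)
        side, code = parts[0], parts[1]
        name = tshark_decode(parts[2]) if len(parts) == 3 else None
        if side == "C:" and name is not None:
            current = name
        elif side == "S:" and name is not None and current is not None and name != current:
            findings.append((code, current, name))
    return findings


# Constructed excerpt mirroring the capture in the post (tshark display form).
TRACE = [
    "C: access-request   IC\\\\nyshir",
    "S: access-challenge",
    "C: access-request   IC\\\\nyshir",
    "S: access-challenge IC\\x0ayshir",
    "C: access-request   IC\\x0ayshir",
    "S: access-reject",
]

if __name__ == "__main__":
    name = "IC\\nyshir"  # literal backslash followed by 'n', as in the post
    print(repr(expand_with_escapes(name)))                      # escape-processed
    print(repr(expand_with_escapes(escape_backslashes(name))))  # round-trips
    print(check_trace(TRACE))
```

The check_trace walk is the detection a network or RADIUS operator would script over a real capture: any reply that hands the NAS a User-Name with control bytes, or one that differs from what the client sent, is the condition the poster observed right before the reject.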