Hi all,
I've been using freeradius+LDAP for PPPoE dialup access control for a
while. Lately I noticed a weird issue whereby a user logs in with the
username "user=5c=5c=5c=5cu...@domain" and, surprisingly, freeradius
allows the login although the actual username should be "u...@domain".
I've run radius in -X mode and captured the log for your reference
below. In radiusd -X, we noticed the server received an Access-Request with
username "user=5c=5c=5c=5cu...@domain", but by the time it reaches radius_xlat
the uid has become "user" only, and when it queries my LDAP the account
"user" exists, so it accepts the access request. The
question is: why does "user=5C=5C=5C=5Cuser" = "user"? We tried the username
with xC (i.e. 1C, 2C, 3C and so on...) and all of them are able to log in because
radius takes them as u...@domain. After login, the username in radacct
becomes "user=5c=5c=5c=5cu...@domain" instead of "u...@domain". As
a consequence, a smart user may have multiple logins (by using
user=1C/2C/3C....), the records in radacct are different, and therefore
we lose control over multiple logins with a single account. Any idea
how to fix this?
rad_recv: Access-Request packet from host 127.0.0.1:32877, id=87, length=93
        User-Name = "user=5c=5c=5c=5cu...@domain"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rlm_ldap: performing user authorization for user=5c=5c=5c=5cuser
radius_xlat:  '(uid=user)'
Regards
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
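The post shows two practical problems for an operator: a User-Name carrying "=XX" sequences reaches the LDAP filter as a shorter uid, and the accounting records for such logins no longer match the real account, so per-account session limits cannot be enforced. The following added example (not from the original post, not FreeRADIUS code, and not a statement of how FreeRADIUS decodes the string) is a small Python audit script a defender could run over User-Name values taken from radacct: it flags names outside a strict allowed character set, shows what each "=XX" would encode if read as a hex byte ("=5c" is a backslash), and groups the suspicious names under the leading clean token, which in the post's log is the uid that actually reached the LDAP query. The sample names and the allowed character set are constructed assumptions; "user@domain" stands in for the truncated "u...@domain" in the archive.

```python
import re
from collections import defaultdict

# Constructed sample User-Name values, modelled on the log in the post.
# "user@domain" stands in for the archive's truncated "u...@domain".
SAMPLE_USER_NAMES = [
    "user@domain",
    "user=5c=5c=5c=5cuser@domain",
    "user=1cuser@domain",
    "user=2Cuser@domain",
    "other@domain",
]

# Assumption: legitimate accounts at this site only use these characters.
ALLOWED_CHARS = r"[A-Za-z0-9._@-]"
ALLOWED_NAME = re.compile(r"^" + ALLOWED_CHARS + r"+$")
# An "=XX" sequence: '=' followed by exactly two hex digits, as in "=5c".
HEX_ESC = re.compile(r"=([0-9A-Fa-f]{2})")


def is_clean_user_name(name):
    """True when the name contains only the allowed characters.
    Suitable as a pre-authentication policy check: reject anything else."""
    return bool(ALLOWED_NAME.match(name))


def decode_hex_escapes(name):
    """Show what each =XX would encode if interpreted as a hex byte
    (=5c -> backslash, =2C -> comma). Display aid only; this does not
    claim to reproduce FreeRADIUS's own handling."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), name)


def leading_token(name):
    """Longest prefix made of allowed characters. In the post's log this
    is the uid that ended up in the LDAP filter: "(uid=user)"."""
    return re.match(ALLOWED_CHARS + r"*", name).group(0)


def audit(user_names):
    """Group every non-clean User-Name under the account it collapses to,
    so sessions logged under different radacct names can be counted
    against one account. Returns {leading_token: [(raw, decoded), ...]}."""
    report = defaultdict(list)
    for name in user_names:
        if not is_clean_user_name(name):
            report[leading_token(name)].append((name, decode_hex_escapes(name)))
    return dict(report)


if __name__ == "__main__":
    for account, entries in audit(SAMPLE_USER_NAMES).items():
        print(f"account '{account}': {len(entries)} suspicious login name(s)")
        for raw, decoded in entries:
            print(f"  raw={raw!r} decoded={decoded!r}")
```

Run against a dump of radacct User-Name values, the script lists every name that would not pass the strict check and the account each one resolves to, which is the count an operator needs to apply a per-account session limit. The same `is_clean_user_name` predicate can serve as the policy rule to reject such names before the LDAP lookup happens at all.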