> > if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {

Something's wrong with the regex here. From the config:

    if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) {

From radiusd -X:

    User-Name = "host/dnps-caplap-4.col.missouri.edu"
    ...
    ? Evaluating (User-Name =~ /^host\/([^\.]+)\.(\S+)$/i) -> FALSE

I removed the ^ and $ anchors and got better results, but still not working:

    +- entering group authorize {...}
    ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i )
    ? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE
    ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) -> TRUE
    ++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...}
    +++[control] returns notfound
    ++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
    ++[preprocess] returns ok

Here's the code it's trying to execute. There must be something wrong with the update control section:

    if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
        update control {
            Proxy-To-Realm := %{2}
        }
    }

This looks related:

    WARNING: You set Proxy-To-Realm = %{2}, but the realm does not exist!
    Cancelling invalid proxy request.

I changed the %{2} to $2, but it does basically the same thing:

    WARNING: You set Proxy-To-Realm = $2, but the realm does not exist!
    Cancelling invalid proxy request.

Here's more context as to what it's doing. Basically, the User-Name and NT-Domain (or realm) are getting changed into something usable by ntlm_auth.

    rad_recv: Access-Request packet from host 128.206.131.253 port 20007, id=9, length=209
    	NAS-Port-Id = "AP85/1"
    	Calling-Station-Id = "00-90-4B-2F-80-B4"
    	Called-Station-Id = "5C-E2-86-00-15-C0:Eddies Office"
    	Service-Type = Framed-User
    	EAP-Message = 0x0201002801686f73742f646e70732d6361706c61702d342e636f6c2e6d6973736f7572692e656475
    	User-Name = "host/dnps-caplap-4.col.missouri.edu"
    	NAS-Port = 479
    	NAS-Port-Type = Wireless-802.11
    	NAS-IP-Address = 128.206.131.253
    	NAS-Identifier = "nortel"
    	Message-Authenticator = 0xa6b9a66a7a99f19b8adc326da2ad0052
    server campus-eap {
    +- entering group authorize {...}
    ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i )
    ? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE
    ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) -> TRUE
    ++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...}
    +++[control] returns notfound
    ++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = "host/dnps-caplap-4.col.missouri.edu", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = "host/dnps-caplap-4.col.missouri.edu", looking up realm NULL
    [ntdomain] No such realm "NULL"
    ++[ntdomain] returns noop
    [eap] Request is supposed to be proxied to Realm $2. Not doing EAP.
    ++[eap] returns noop
    ++[unix] returns notfound
    [files] expand: %{Client-IP-Address} -> 128.206.131.253
    rlm_ldap: Entering ldap_groupcmp()
    [files] expand: DC=edu -> DC=edu
    [files] expand: (|(sAMAccountName=%{User-Name})(userPrincipalName=%{User-Name})) -> (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in DC=edu, with filter (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
    rlm_ldap: object not found
    rlm_ldap::ldap_groupcmp: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    [files] expand: %{Client-IP-Address} -> 128.206.131.253
    rlm_ldap: Entering ldap_groupcmp()
    [files] expand: DC=edu -> DC=edu
    [files] expand: (|(sAMAccountName=%{User-Name})(userPrincipalName=%{User-Name})) -> (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in DC=edu, with filter (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
    rlm_ldap: object not found
    rlm_ldap::ldap_groupcmp: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns noop
    WARNING: You set Proxy-To-Realm = $2, but the realm does not exist!
    Cancelling invalid proxy request.
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.
    Login incorrect: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 479 cli 00-90-4B-2F-80-B4)
    } # server campus-eap
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> host/dnps-caplap-4.col.missouri.edu
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 43 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 43
    Sending Access-Reject of id 9 to 128.206.131.253 port 20007
    Waking up in 4.9 seconds.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
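The debug output above shows two separate things: the regex does match the machine-account User-Name once the anchors are dropped, and the value that reaches the realm check is the literal string `%{2}` (later `$2`) rather than the captured domain, which is why FreeRADIUS reports that the realm does not exist. The following is an added example, not code from the post or from FreeRADIUS, that models both steps in Python: it applies the post's regex to the User-Name, substitutes `%{N}` capture references the way the author intended, and then checks the result against a constructed set of configured realms. The realm set, the `expand` switch and every function name are assumptions for illustration; FreeRADIUS itself compiles the pattern with the system POSIX regex library, so only the capture semantics, not the matching engine, are being demonstrated.

```python
import re

# The unlang regex from the post, /host\/([^\.]+)\.(\S+)/i, with the anchors the
# author first tried, written in Python re syntax ("/" and "." inside a character
# class need no backslash in Python).
HOST_REALM_RE = re.compile(r"^host/([^.]+)\.(\S+)$", re.IGNORECASE)

# An xlat-style capture reference such as %{2}.
CAPTURE_REF_RE = re.compile(r"%\{(\d+)\}")

# Constructed stand-in for the realms a site would configure in proxy.conf
# (assumed values for this example; compared case-insensitively).
CONFIGURED_REALMS = {"col.missouri.edu", "missouri.edu"}


def split_host_username(user_name):
    """Return (hostname, realm) for a 'host/<name>.<realm>' User-Name, else None.

    For host/dnps-caplap-4.col.missouri.edu this yields
    ('dnps-caplap-4', 'col.missouri.edu'): %{1} is the host, %{2} the realm.
    """
    m = HOST_REALM_RE.match(user_name)
    if m is None:
        return None
    return m.group(1), m.group(2)


def expand_captures(value, match):
    """Replace every %{N} in value with capture group N of match.

    Raises ValueError for a reference to a group the pattern does not have, so a
    typo like %{3} fails loudly instead of silently proxying to the wrong place.
    """
    def repl(ref):
        n = int(ref.group(1))
        if n < 1 or n > match.re.groups:
            raise ValueError("no capture group %d in pattern" % n)
        return match.group(n)
    return CAPTURE_REF_RE.sub(repl, value)


def proxy_realm_for(user_name, assignment, expand=True):
    """Model the authorize logic from the post and return the realm to proxy to.

    assignment is the right-hand side of 'Proxy-To-Realm := ...'. With
    expand=True the %{N} references are substituted from the regex match; with
    expand=False the literal string is compared, which reproduces the condition
    behind 'WARNING: You set Proxy-To-Realm = %{2}, but the realm does not
    exist!'. Returns None when the request must stay local (no match, unknown
    realm, or an unexpanded reference), mirroring the cancelled proxy.
    """
    m = HOST_REALM_RE.match(user_name)
    if m is None:
        return None  # not a host/ machine account; leave it to suffix/ntdomain
    realm = expand_captures(assignment, m) if expand else assignment
    realm = realm.lower()
    if realm not in CONFIGURED_REALMS:
        return None  # the realm check that produced the WARNING in the debug log
    return realm


if __name__ == "__main__":
    name = "host/dnps-caplap-4.col.missouri.edu"  # User-Name from the post
    print(split_host_username(name))
    print(proxy_realm_for(name, "%{2}"))                # col.missouri.edu
    print(proxy_realm_for(name, "%{2}", expand=False))  # None: literal reached the check
```

Run stand-alone, the script shows the two capture groups for the User-Name from the post and the difference between a substituted and an unsubstituted `%{2}`; when reading a `radiusd -X` trace, the WARNING line is the place to look for whichever of the two actually arrived in `Proxy-To-Realm`.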