I've got freeradius-2.1.10-5.el6.x86_64 on fully patched RHEL6.1. PEAP+MSCHAPv2 
for wireless 802.1x, intending to federate with eduroam. 

Within a day, I had the configuration I wanted, or so I thought.

Empty stanzas for realms [email protected], ADS\user, and bare username get 
authenticated with mschapv2.
Otherwise, regex realm *@*.* gets routed to the eduroam upstream radius 
hierarchy.

I configured buffered-sql for logging.

It all "works." Except... I noticed that my entries appeared in SQL-land as 
ADS=0Dgraves. So, it seems that the ADS\ realm is recognized (successfully 
authenticated locally, not sent to eduroam), but not stripped. Worse, the \r in 
ADS\rgraves is interpreted as a carriage return by the time it gets to 
SQL-User-Name.

I guess my conclusion is that I am very confused about where realms get 
configured, and which entries in the example config files are examples and 
which are metareferences to other code. 

Is the "realm ntdomain" that appears in modules/realm, with a commented-out 
reference in sites-available/default, an example of handling an example NT 
Domain named "ntdomain," or is it a directive analogous to format = suffix? I 
was sure of the former, but am less sure now. "suffix" is overloaded as both a 
format type and as an example realm that happens to be of type suffix, right?

I'm pretty sure that I need ADS, carleton.edu, and null to be recognized in 
proxy.conf, to distinguish what goes to inner-tunnel from what goes to eduroam 
upstream; and I am pretty sure that I need carleton.edu stripped in or before 
inner-tunnel. MSCHAPv2 will accept both ADS\username and username, so it's not 
critical to strip the former. However, it seems critical that ADS\ be stripped 
or more thoroughly escaped before or during transformation of sql_user_name to 
SQL-User-Name, because rendering ADS\rgraves as ADS=0Dgraves is just wrong.

I am also very confused about whether and where I want "ignore-null = yes." 
It's mentioned in the shipped modules/realms but not in proxy.conf.

The realm stanzas I have thus far are below. inner-tunnel, default, and 
buffered-sql are pretty much as shipped, except for the obvious DB 
configuration.

realm ADS {
        format = prefix
        delimiter = '\\'
        accthost = LOCAL
        authhost = LOCAL
}
realm carleton.edu {
        format = suffix
        delimiter = "@"
        accthost = LOCAL
        authhost = LOCAL
}
realm "~.*\\..*" {
        format = suffix
        delimiter = "@"
        accthost = eduroam1.ns.utk.edu
        authhost = eduroam1.ns.utk.edu
        secret = notpostedhere
        nostrip
}
# This could probably just be realm NULL
realm DEFAULT {
        type = radius
        accthost = LOCAL
        authhost = LOCAL
}

At the point where I realized I was turning things on and off just to see if 
radiusd -X would run, I decided that I should stick with clear, simple things 
like sendmail.cf, and ask for pointers.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
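As an added illustration (not code from the post above, and not FreeRADIUS's own source), the following Python models two things the post is wrestling with: how a prefix or suffix realm definition splits a User-Name (with strip versus nostrip), and the "=XX" hex escaping that rlm_sql applies to characters it will not pass through into a query. The realm table is constructed to mirror the proxy.conf stanzas in the post, and the set of characters passed through unescaped is an approximation of the server's default, not a copy of it. The diagnostic point it makes is that a backslash surviving to the escape step would render as `=5C`, so a logged `ADS=0Dgraves` means the value that reached rlm_sql already contained a real carriage return, not the two characters `\` and `r`.

```python
import re
from dataclasses import dataclass

# Constructed model of realm splitting and of rlm_sql's "=XX" escaping.
# Not the FreeRADIUS implementation; the safe-character set below is an
# approximation chosen to make the two cases in the post visible.


@dataclass
class Realm:
    name: str            # literal name, or "~regex" for a regex realm
    fmt: str             # "prefix" or "suffix"
    delimiter: str
    strip: bool = True   # False models the "nostrip" keyword


def _name_matches(realm_name, candidate):
    if realm_name.startswith("~"):
        return re.fullmatch(realm_name[1:], candidate) is not None
    return realm_name.lower() == candidate.lower()


def split_realm(username, realms):
    """Return (user_name_after_realm_handling, matched_realm_name).

    The first realm whose format, delimiter and name match wins. With strip
    the realm part is removed; with nostrip the original User-Name is kept.
    No match returns the name unchanged and realm None.
    """
    for r in realms:
        if r.fmt == "prefix":
            head, sep, tail = username.partition(r.delimiter)
            realm_part, user_part = head, tail
        else:
            head, sep, tail = username.rpartition(r.delimiter)
            realm_part, user_part = tail, head
        if sep and _name_matches(r.name, realm_part):
            return (user_part if r.strip else username), r.name
    return username, None


# Characters passed through unescaped (approximation); everything else,
# including backslash and control characters, becomes "=" + two hex digits.
_SQL_SAFE = set("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789.-_: /")


def sql_escape(value):
    out = []
    for ch in value:
        out.append(ch if ch in _SQL_SAFE else "=%02X" % ord(ch))
    return "".join(out)


# Constructed realm table mirroring the post's proxy.conf stanzas.
REALMS = [
    Realm("ADS", "prefix", "\\"),
    Realm("carleton.edu", "suffix", "@"),
    Realm(r"~.*\..*", "suffix", "@", strip=False),
]


def trace(username):
    """Show what would reach SQL-User-Name for one login name."""
    user, realm = split_realm(username, REALMS)
    return {"realm": realm, "user": user, "sql_user_name": sql_escape(user)}


if __name__ == "__main__":
    # "ADS\\rgraves" is backslash-r as typed; "ADS\rgraves" is a real CR,
    # which is what the =0D in the post's SQL rows implies.
    for name in ["ADS\\rgraves", "ADS\rgraves", "user@carleton.edu",
                 "visitor@example.org", "plainuser"]:
        print(repr(name), "->", trace(name))
```

Running it shows the literal backslash form matching the ADS prefix realm and being stripped to `rgraves`, the carriage-return form matching no realm and escaping to `ADS=0Dgraves`, and the regex realm keeping the full `visitor@example.org` because of nostrip. The model does not say where in the pipeline the `\r` is being reinterpreted (the post does not establish that either); it only shows which intermediate value is consistent with the rows observed in SQL.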
