Hi,

I have a fun corner case again in latest Radiator-4.23-18

I have a setup doing TTLS EAP-MS-CHAPv2 and PEAP with EAP-MS-CHAPv2 with 
AuthSQL.

The current setup uses %X to pass a stripped EAP_Identity to the AuthSELECT

    SELECT password FROM table WHERE username=?
    AuthSelectParam %X

We also have another AuthBy which handles TTLS with non-EAP MS-CHAPv2, where we 
use %w

    SELECT password FROM table WHERE username=?
    AuthSelectParam %w

This works fine but we also have some legacy users that we need to support that 
are prepending their windows domain to the username with DOMAIN\

As there is no matching Special in Utils.pm we tried doing this in the 
AuthBySQL with:

    RewriteUsername    s/^(.*)\\(.*)/$2/

Looking at the debug logs this seemed to correctly do the rewrite but the 
SELECT was passed the non rewritten EAP_Identity.

    Wed Jul  3 10:34:19 2019 518139: DEBUG: Handling with EAP: code 2, 13, 83, 26
    Wed Jul  3 10:34:19 2019 518278: DEBUG: Response type 26
    Wed Jul  3 10:34:19 2019 518644: DEBUG: Rewrote EAP identity to user@realm
    Wed Jul  3 10:34:19 2019 519052: DEBUG: Connecting to ...
    Wed Jul  3 10:34:19 2019 539664: DEBUG: Query to 'dbi:XXX Connection id: 0-00000': 'SELECT password FROM table WHERE username=?': domain\user
    Wed Jul  3 10:34:19 2019 544575: DEBUG: Radius::AuthSQL looks for match with 'user@realm' [anonymous]
    Wed Jul  3 10:34:19 2019 544780: DEBUG: Radius::AuthSQL REJECT: No such user: 'user@realm' [anonymous]

EAP_26.pm seems to use $context->{identity} and Util.pm uses 
$_[0]->{EAPIdentity} for %X. Not sure if these are the same.

We got our case fixed temporarily by modifying Util.pm as follows:

     #'X', sub { return unless $_[0]; my @n = split(/@/, $_[0]->{EAPIdentity}); $n[0] },
     'X', sub { return unless $_[0]; my $n = $_[0]->{EAPIdentity}; $n =~ s/^(.*)\\(.*)@(.*)/$2/; $n },

Is there any other way to get RewriteUsername to work with EAP_26 so that we 
can also use the result for the SQL query?

We have not yet started testing our other case with TTLS and non-EAP protocols 
where we use %w currently.

I hope there is a clean way to do this.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   [email protected]               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
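An added example, written here in Perl and not taken from Radiator's Util.pm or from the post above: a %X-style identity stripper that removes an optional NetBIOS `DOMAIN\` prefix and an optional `@realm` suffix. Unlike the posted regex `s/^(.*)\\(.*)@(.*)/$2/`, it also covers identities without a realm (e.g. `domain\user`), which that regex does not match and therefore leaves untouched, and it keeps the stock behaviour of returning only the part before the first `@`. The context hash shape (`{ EAPIdentity => ... }`) is assumed from the post, and the inputs are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not Radiator code: a %X-style special that tolerates
# an optional "DOMAIN\" prefix and an optional "@realm" suffix.
use strict;
use warnings;

# The argument mirrors the context hash shape the post describes
# ($_[0]->{EAPIdentity}); only that one key is assumed here.
sub strip_identity {
    my ($ctx) = @_;
    return unless $ctx && defined $ctx->{EAPIdentity};
    my $id = $ctx->{EAPIdentity};

    # 1. Drop everything up to and including the last backslash,
    #    turning "DOMAIN\user..." into "user...".
    $id =~ s/^.*\\//;

    # 2. Drop the realm, if any, keeping only what precedes the first '@',
    #    which is what the stock split(/@/) + $n[0] returns.
    $id =~ s/\@.*//;

    return $id;
}

# Constructed inputs (not from the post's logs) with the expected results.
my %cases = (
    'user@realm'        => 'user',
    'domain\user@realm' => 'user',
    'domain\user'       => 'user',   # no realm: the posted regex would not match
    'user'              => 'user',
    ''                  => '',
);

for my $in (sort keys %cases) {
    my $out = strip_identity({ EAPIdentity => $in });
    my $ok  = ($out eq $cases{$in}) ? 'ok' : 'FAIL';
    printf "%-4s %-22s -> '%s'\n", $ok, "'$in'", $out;
}
```

Run it with `perl strip_identity.pl`; every line should print `ok`. If a deployment must keep the realm for some AuthBys and drop it for others, split the two substitutions into separate specials rather than overloading one, so the SQL query parameter is unambiguous about which form it receives.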
