On Wed, 3 Jul 2019 at 13:24, Christian Kratzer <[email protected]> wrote:
Hello,
> I have a fun corner case again in latest Radiator-4.23-18
>
> I have a setup doing TTLS EAP-MS-CHAPv2 and PEAP with EAP-MS-CHAPv2 with
> AuthSQL.
>
> The current setup uses %X to pass a stripped EAP_Identity to the AuthSELECT
>
> SELECT password FROM table WHERE username=?
> AuthSelectParam %X
>
> We also have another AuthBy which handles TTLS with non-EAP MS-CHAPv2 where
> we use %w
>
> SELECT password FROM table WHERE username=?
> AuthSelectParam %w
>
> This works fine, but we also have some legacy users that we need to support
> who are prepending their Windows domain to the username with DOMAIN\
>
> As there is no matching Special in Utils.pm we tried doing this in the
> AuthBySQL with:
>
> RewriteUsername s/^(.*)\\(.*)/$2/
Is there some particular reason why you are using %X instead of %0? %0
would have the rewritten username in it. Got this tip from Heikki,
who's currently on holiday.
br,
// kh
> Looking at the debug logs this seemed to correctly do the rewrite but the
> SELECT was passed the non rewritten EAP_Identity.
>
> Wed Jul 3 10:34:19 2019 518139: DEBUG: Handling with EAP: code 2, 13, 83, 26
> Wed Jul 3 10:34:19 2019 518278: DEBUG: Response type 26
> Wed Jul 3 10:34:19 2019 518644: DEBUG: Rewrote EAP identity to user@realm
> Wed Jul 3 10:34:19 2019 519052: DEBUG: Connecting to ...
> Wed Jul 3 10:34:19 2019 539664: DEBUG: Query to 'dbi:XXX Connection id: 0-00000': 'SELECT password FROM table WHERE username=?': domain\user
> Wed Jul 3 10:34:19 2019 544575: DEBUG: Radius::AuthSQL looks for match with 'user@realm' [anonymous]
> Wed Jul 3 10:34:19 2019 544780: DEBUG: Radius::AuthSQL REJECT: No such user: 'user@realm' [anonymous]
>
> EAP_26.pm seems to use $context->{identity} and Util.pm uses
> $_[0]->{EAPIdentity} for %X. Not sure if these are the same.
>
> We got our case fixed temporarily by modifying Util.pm as follows:
>
> #'X', sub { return unless $_[0]; my @n = split(/@/, $_[0]->{EAPIdentity}); $n[0] },
> 'X', sub { return unless $_[0]; my $n = $_[0]->{EAPIdentity}; $n =~ s/^(.*)\\(.*)@(.*)/$2/; $n },
>
> Is there any other way to get RewriteUsername to work with EAP_26 so that we
> can also use the result for the SQL query?
>
> We have not yet started testing our other case with TTLS and non EAP
> protocols where we use %w currently.
>
> I hope there is a clean way to do this.
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
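The thread above compares three ways of deriving the lookup username: the stock %X special as quoted from Util.pm (the part of EAPIdentity before the first '@'), the RewriteUsername pattern from the question, and the modified %X from the temporary Util.pm patch. The following is an added, stand-alone Perl example, not code from the thread or from the Radiator distribution: it does not load any Radiator module, it re-implements the three transformations as plain functions with the same regexes, and it runs them over constructed identities (including ones the thread does not show, such as a DOMAIN\ prefix without a realm and more than one backslash) so the differences, and the edge cases, are visible side by side.

```perl
#!/usr/bin/perl
# Added example, not code from the mailing-list thread or from Radiator itself.
# It models the three username transformations discussed in the thread on
# constructed EAP identities (no Radiator modules, no real log data):
#   1. the stock %X special, as quoted from Util.pm (text before the first '@')
#   2. the RewriteUsername pattern from the question
#   3. the modified %X from the question's temporary Util.pm patch
use strict;
use warnings;

# Constructed sample identities (not taken from real logs).
my @identities = (
    'domain\user@realm',     # legacy user with DOMAIN\ prefix and a realm
    'user@realm',            # plain user with realm
    'domain\user',           # DOMAIN\ prefix, no realm
    'user',                  # bare username
    'corp\sub\user@realm',   # more than one backslash
);

# 1. Stock %X as quoted in the thread: everything before the first '@'.
#    Note that it never touches a DOMAIN\ prefix, which is why the SQL
#    query in the debug log still received 'domain\user'.
sub stock_x {
    my ($identity) = @_;
    my @n = split(/@/, $identity);
    return $n[0];
}

# 2. RewriteUsername s/^(.*)\\(.*)/$2/ : the first (.*) is greedy, so the
#    text after the LAST backslash is kept, realm included. Identities
#    without a backslash do not match and pass through unchanged.
sub rewrite_username {
    my ($identity) = @_;
    (my $out = $identity) =~ s/^(.*)\\(.*)/$2/;
    return $out;
}

# 3. Modified %X from the temporary patch: only matches when BOTH a
#    backslash and an '@' are present, and discards the realm ($3).
#    A DOMAIN\ prefix without a realm is therefore left in place.
sub patched_x {
    my ($identity) = @_;
    (my $out = $identity) =~ s/^(.*)\\(.*)@(.*)/$2/;
    return $out;
}

printf "%-22s %-14s %-18s %-14s\n",
    'EAP identity', 'stock %X', 'RewriteUsername', 'patched %X';
for my $id (@identities) {
    printf "%-22s %-14s %-18s %-14s\n",
        $id, stock_x($id), rewrite_username($id), patched_x($id);
}
```

Running the script (perl example.pl) prints one row per identity. The row for 'domain\user@realm' reproduces what the debug log shows: stock %X yields 'domain\user', the value the AuthSQL query was given, while RewriteUsername yields 'user@realm', the value the rewrite logged. The rows for 'domain\user' and 'corp\sub\user@realm' show the edge cases the thread does not cover: the patched %X leaves a realm-less DOMAIN\user untouched because its regex requires an '@', and with more than one backslash both patterns keep only the text after the last one.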