Well,
As Alan surmised
<Handler>
RewriteUsername s/^([^@]+).*/$1/
AuthLog paplog
AuthBy osxAuth
PostProcessingHook file:"%D/eap_acct_username.pl"
</Handler>
With a test radpwtst of
root@eduroam-1-east:/var/log/radius# radpwtst -s 150.237.85.225 -secret xxxx -user [email protected] -password yyyy -auth_port 1812 -noacct
the rewrite works and things are happy with an access accept being returned.
However, with
root@eduroam-1-east:/var/log/radius# radpwtst -s 150.237.85.225 -secret xxxx -user [email protected] -password yyyy -auth_port 1812 -noacct -mschapv2
although it works in that it does rewrite the username stripping off the realm
and giving, in this case alexsharaz instead of alexsharaz.info, authentication
fails further down the food chain
Which I guess is something to do with the mschapv2 and the realm in the
original request
Mon Apr 30 17:08:32 2012: DEBUG: ApplePasswordServer read: -AUTHERR SASL -13
Mon Apr 30 17:08:32 2012: ERR: ApplePasswordServer, bad response from AUTH MS-CHAPv2 command: -AUTHERR SASL -13
Mon Apr 30 17:08:32 2012: DEBUG: Radius::AuthLDAP_APS REJECT: Bad Password: alexsharaz [[email protected]]
Mon Apr 30 17:08:32 2012: DEBUG: No entries for DEFAULT found in LDAP database
Mon Apr 30 17:08:32 2012: DEBUG: AuthBy LDAP_APS result: REJECT, Bad Password
Mon Apr 30 17:08:32 2012: INFO: Access rejected for alexsharaz: Bad Password
Mon Apr 30 17:08:32 2012: DEBUG: Packet dump:
*** Sending reply to RadSec ipv6:2604:6600:1092::216:3eff:febf:b6ed:48384 ....
Code: Access-Reject
Identifier: 8
Authentic: <131><23>(<183>cl<228>SM<157><201><223><223>'P<178>
Attributes:
Reply-Message = "Request Denied"
Proxy-State = OSC-Extended-Id=8
The only difference in the
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of alan buxey
Sent: Monday, April 30, 2012 4:52 PM
To: Alex Sharaz
Cc: [email protected]
Subject: Re: [RADIATOR] Rewrite userna functionality for use in ldap_aps authby
Hi,
> However, what I actually want to do is send a username with a realm of
> sharaz.info and have the realm stripped out of the user name. When I auth
> to radiator on a windoze platform I can use
RewriteUsername can be called in several places, globally, in the client
section or in the handler.
I can't recall if AuthBy_LDAP2 (of which LDAP_APS is a subset) can do
RewriteUsername so instead you can have a call to rewrite the username in the
client/server section instead.
...or call a preauthhook in the handler ?
alan
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
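
Added example, not part of the original messages and not Radiator code: RFC 2759 mixes the UserName into the 8-octet challenge that the MS-CHAPv2 NT-Response is computed over, so a name rewritten on the server no longer reproduces the challenge the client used, while PAP is unaffected. The sketch assumes the back end hashes the rewritten name; the user name alice@example.org and the function names are constructed for illustration.

```python
import hashlib
import re

# Python form of the handler's rule: RewriteUsername s/^([^@]+).*/$1/
REWRITE = re.compile(r"^([^@]+).*")


def rewrite_username(name: str) -> str:
    """Keep only the part before the first '@', as the handler's rule does."""
    return REWRITE.sub(r"\1", name, count=1)


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: first 8 octets of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    # RFC 2759 defines UserName as a string of ASCII characters.
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def compare(sent_name: str, peer_challenge: bytes, auth_challenge: bytes):
    """Return (rewritten_name, client_challenge, server_challenge, match).

    client_challenge uses the name the supplicant typed; server_challenge
    uses the name left after the rewrite (assumed back-end behaviour)."""
    rewritten = rewrite_username(sent_name)
    client = challenge_hash(peer_challenge, auth_challenge, sent_name)
    server = challenge_hash(peer_challenge, auth_challenge, rewritten)
    return rewritten, client, server, client == server


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    for name in ("alice@example.org", "alice"):
        rewritten, client, server, match = compare(name, peer, auth)
        print(f"{name!r} -> {rewritten!r}: client={client.hex()} "
              f"server={server.hex()} match={match}")
```

A name sent without a realm passes through the rewrite unchanged, so both sides derive the same challenge and the comparison matches.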