
FR 3.0.5: filter_username filter_username Rejected: Realm does not have at least one dot separator #842

Closed
Schnappatmer opened this issue Nov 26, 2014 · 4 comments

@Schnappatmer

I just upgraded to version 3.0.5.

I got the error message with a username such as "anonymous@uni-wuppertal.de":

Rejected: Realm does not have at least one dot separator.

FR version 3.0.4 works flawlessly (output at the end).

FR 3.0.5

Wed Nov 26 09:50:16 2014 : Info: Ready to process requests
Wed Nov 26 09:50:53 2014 : Debug: Threads: total/active/spare threads = 5/0/5
Wed Nov 26 09:50:53 2014 : Debug: Thread 1 got semaphore
Wed Nov 26 09:50:53 2014 : Debug: Thread 1 handling request 0, (1 handled so far)
Wed Nov 26 09:50:53 2014 : Debug: (0) Received Access-Request Id 0 from 192.168.178.129:54873 to 192.168.177.136:1812 length 163
Wed Nov 26 09:50:53 2014 : Debug: (0)   User-Name = 'anonymous@uni-wuppertal.de'
Wed Nov 26 09:50:53 2014 : Debug: (0)   NAS-IP-Address = 127.0.0.1
Wed Nov 26 09:50:53 2014 : Debug: (0)   Calling-Station-Id = '70-6F-6C-69-73-68'
Wed Nov 26 09:50:53 2014 : Debug: (0)   Framed-MTU = 1400
Wed Nov 26 09:50:53 2014 : Debug: (0)   NAS-Port-Type = Wireless-802.11
Wed Nov 26 09:50:53 2014 : Debug: (0)   Connect-Info = 'rad_eap_test + eapol_test'
Wed Nov 26 09:50:53 2014 : Debug: (0)   EAP-Message = 0x0200001f01616e6f6e796d6f757340756e692d77757070657274616c2e6465
Wed Nov 26 09:50:53 2014 : Debug: (0)   Message-Authenticator = 0xedb6f3e146253542d68a616515324363
Wed Nov 26 09:50:53 2014 : Debug: (0) session-state: No State attribute
Wed Nov 26 09:50:53 2014 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
Wed Nov 26 09:50:53 2014 : Debug: (0)   authorize {
Wed Nov 26 09:50:53 2014 : Debug: (0)     policy filter_username {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (!User-Name) {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (!User-Name)  -> FALSE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ / /) {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ / /)  -> FALSE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ /@.*@/ ) {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ /@.*@/ )  -> FALSE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ /\\.\\./ ) {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ /\\.\\./ )  -> FALSE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))  {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> TRUE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   {
Wed Nov 26 09:50:53 2014 : Debug: (0)         update reply {
Wed Nov 26 09:50:53 2014 : Debug: (0)           Reply-Message += 'Rejected: Realm does not have at least one dot separator'
Wed Nov 26 09:50:53 2014 : Debug: (0)         } # update reply = noop
Wed Nov 26 09:50:53 2014 : Debug: (0)         modsingle[authorize]: calling reject (rlm_always) for request 0
Wed Nov 26 09:50:53 2014 : Debug: (0)         modsingle[authorize]: returned from reject (rlm_always) for request 0
Wed Nov 26 09:50:53 2014 : Debug: (0)         [reject] = reject
Wed Nov 26 09:50:53 2014 : Debug: (0)       } # if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   = reject
Wed Nov 26 09:50:53 2014 : Debug: (0)     } # policy filter_username = reject
Wed Nov 26 09:50:53 2014 : Debug: (0)   } # authorize = reject
Wed Nov 26 09:50:53 2014 : Auth: (0) Invalid user: [anonymous@uni-wuppertal.de] (from client Alcatraz port 0 cli 70-6F-6C-69-73-68)
Wed Nov 26 09:50:53 2014 : Debug: (0) Using Post-Auth-Type Reject
Wed Nov 26 09:50:53 2014 : Debug: (0) # Executing group from file /etc/freeradius/sites-enabled/default
Wed Nov 26 09:50:53 2014 : Debug: (0)   Post-Auth-Type REJECT {
Wed Nov 26 09:50:53 2014 : Debug: (0)     modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
Wed Nov 26 09:50:53 2014 : Debug: %{User-Name}
Wed Nov 26 09:50:53 2014 : Debug: Parsed xlat tree:
Wed Nov 26 09:50:53 2014 : Debug: attribute --> User-Name
Wed Nov 26 09:50:53 2014 : Debug: (0) attr_filter.access_reject: EXPAND %{User-Name}
Wed Nov 26 09:50:53 2014 : Debug: (0) attr_filter.access_reject:    --> anonymous@uni-wuppertal.de
Wed Nov 26 09:50:53 2014 : Debug: (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
Wed Nov 26 09:50:53 2014 : Debug: (0) attr_filter.access_reject: Reply-Message += 'Rejected: Realm does not have at least one dot separator' allowed by Reply-Message =* ''
Wed Nov 26 09:50:53 2014 : Debug: (0) attr_filter.access_reject: Attribute "Reply-Message" allowed by 1 rules, disallowed by 0 rules
Wed Nov 26 09:50:53 2014 : Debug: (0)     modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
Wed Nov 26 09:50:53 2014 : Debug: (0)     [attr_filter.access_reject] = updated
Wed Nov 26 09:50:53 2014 : Debug: (0)     modsingle[post-auth]: calling eap (rlm_eap) for request 0
Wed Nov 26 09:50:53 2014 : Debug: (0) eap: Request was previously rejected, inserting EAP-Failure
Wed Nov 26 09:50:53 2014 : Debug: (0)     modsingle[post-auth]: returned from eap (rlm_eap) for request 0
Wed Nov 26 09:50:53 2014 : Debug: (0)     [eap] = updated
Wed Nov 26 09:50:53 2014 : Debug: (0)     policy remove_reply_message_if_eap {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (reply:EAP-Message && reply:Reply-Message) {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (reply:EAP-Message && reply:Reply-Message)  -> TRUE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (reply:EAP-Message && reply:Reply-Message)  {
Wed Nov 26 09:50:53 2014 : Debug: (0)         update reply {
Wed Nov 26 09:50:53 2014 : Debug: (0)           Reply-Message !* ANY
Wed Nov 26 09:50:53 2014 : Debug: (0)         } # update reply = noop
Wed Nov 26 09:50:53 2014 : Debug: (0)       } # if (reply:EAP-Message && reply:Reply-Message)  = noop
Wed Nov 26 09:50:53 2014 : Debug: (0)       ... skipping else for request 0: Preceding "if" was taken
Wed Nov 26 09:50:53 2014 : Debug: (0)     } # policy remove_reply_message_if_eap = noop
Wed Nov 26 09:50:53 2014 : Debug: (0)   } # Post-Auth-Type REJECT = updated
Wed Nov 26 09:50:53 2014 : Debug: (0) Delaying response for 1.000000 seconds

FR 3.0.4

Wed Nov 26 09:52:08 2014 : Info: Ready to process requests
Received Access-Request Id 0 from 192.168.178.129:51714 to 192.168.177.136:1812 length 163
Wed Nov 26 09:52:53 2014 : Debug: Threads: total/active/spare threads = 5/0/5
Wed Nov 26 09:52:53 2014 : Debug: Thread 4 got semaphore
Wed Nov 26 09:52:53 2014 : Debug: Thread 4 handling request 0, (1 handled so far)
        User-Name = 'anonymous@uni-wuppertal.de'
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = '70-6F-6C-69-73-68'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'rad_eap_test + eapol_test'
        EAP-Message = 0x0200001f01616e6f6e796d6f757340756e692d77757070657274616c2e6465
        Message-Authenticator = 0x4e54347a783d6c28c8d31bc4aa899626
Wed Nov 26 09:52:53 2014 : Debug: (0) Received Access-Request packet from host 192.168.178.129 port 51714, id=0, length=163
Wed Nov 26 09:52:53 2014 : Debug: (0)   User-Name = 'anonymous@uni-wuppertal.de'
Wed Nov 26 09:52:53 2014 : Debug: (0)   NAS-IP-Address = 127.0.0.1
Wed Nov 26 09:52:53 2014 : Debug: (0)   Calling-Station-Id = '70-6F-6C-69-73-68'
Wed Nov 26 09:52:53 2014 : Debug: (0)   Framed-MTU = 1400
Wed Nov 26 09:52:53 2014 : Debug: (0)   NAS-Port-Type = Wireless-802.11
Wed Nov 26 09:52:53 2014 : Debug: (0)   Connect-Info = 'rad_eap_test + eapol_test'
Wed Nov 26 09:52:53 2014 : Debug: (0)   EAP-Message = 0x0200001f01616e6f6e796d6f757340756e692d77757070657274616c2e6465
Wed Nov 26 09:52:53 2014 : Debug: (0)   Message-Authenticator = 0x4e54347a783d6c28c8d31bc4aa899626
Wed Nov 26 09:52:53 2014 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
Wed Nov 26 09:52:53 2014 : Debug: (0)   authorize {
Wed Nov 26 09:52:53 2014 : Debug: (0)   filter_username filter_username {
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (!User-Name)
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (!User-Name)  -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ / /)
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ / /)  -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /@.*@/ )
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /@.*@/ )  -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /\\.\\./ )
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /\\.\\./ )  -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
Wed Nov 26 09:52:53 2014 : Debug: (0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /\\.$/)
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /\\.$/)   -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /@\\./)
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /@\\./)   -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)   } # filter_username filter_username = notfound
Wed Nov 26 09:52:53 2014 : Debug: (0)    if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) )
Wed Nov 26 09:52:53 2014 : Debug: Waking up in 0.3 seconds.
Wed Nov 26 09:52:53 2014 : Debug: (0)    if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) )  -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)  modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0) modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)   [preprocess] = ok
Wed Nov 26 09:52:53 2014 : Debug: (0)  modsingle[authorize]: calling suffix (rlm_realm) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Checking for suffix after "@"
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Looking up realm "uni-wuppertal.de" for User-Name = "anonymous@uni-wuppertal.de"
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Found realm "uni-wuppertal.de"
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Adding Stripped-User-Name = "anonymous"
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Adding Realm = "uni-wuppertal.de"
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Authentication realm is LOCAL
Wed Nov 26 09:52:53 2014 : Debug: (0) modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)   [suffix] = ok
Wed Nov 26 09:52:53 2014 : Debug: (0)  modsingle[authorize]: calling eap (rlm_eap) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap : Peer sent code Response (2) ID 0 length 31
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
Wed Nov 26 09:52:53 2014 : Debug: (0) modsingle[authorize]: returned from eap (rlm_eap) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)   [eap] = ok
Wed Nov 26 09:52:53 2014 : Debug: (0)  } #  authorize = ok
Wed Nov 26 09:52:53 2014 : Debug: (0) Found Auth-Type = EAP
Wed Nov 26 09:52:53 2014 : Debug: (0) # Executing group from file /etc/freeradius/sites-enabled/default
Wed Nov 26 09:52:53 2014 : Debug: (0)   authenticate {
Wed Nov 26 09:52:53 2014 : Debug: (0)  modsingle[authenticate]: calling eap (rlm_eap) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap : Peer sent method Identity (1)
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap : Calling eap_peap to process EAP data
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap_peap : Initiate
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap_peap : Start returned 1
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap : New EAP session, adding 'State' attribute to reply 0x9b2443009b255a41
Wed Nov 26 09:52:53 2014 : Debug: (0) modsingle[authenticate]: returned from eap (rlm_eap) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)   [eap] = handled
Wed Nov 26 09:52:53 2014 : Debug: (0)  } #  authenticate = handled
Wed Nov 26 09:52:53 2014 : Debug: (0) Sending Access-Challenge packet to host 192.168.178.129 port 51714, id=0, length=0
Wed Nov 26 09:52:53 2014 : Debug: (0)   EAP-Message = 0x010100061920
Wed Nov 26 09:52:53 2014 : Debug: (0)   Message-Authenticator = 0x00000000000000000000000000000000
Wed Nov 26 09:52:53 2014 : Debug: (0)   State = 0x9b2443009b255a41bdb1f7a3bb1f944f
@Schnappatmer (Author)

I still have a problem with this:

        if ( User-Name && ( User-Name !~ /^[a-z0-9-]{3,20}(()|(@uni-wuppertal\.de))$/i ) ) {
                reject
        }

With user name "anonymous@uni-wuppertal.de" it should be false.

Wed Nov 26 20:55:45 2014 : Info: Ready to process requests
Wed Nov 26 20:56:17 2014 : Debug: Threads: total/active/spare threads = 5/0/5
Wed Nov 26 20:56:17 2014 : Debug: Waking up in 0.3 seconds.
Wed Nov 26 20:56:17 2014 : Debug: Thread 2 got semaphore
Wed Nov 26 20:56:17 2014 : Debug: Thread 2 handling request 0, (1 handled so far)
Wed Nov 26 20:56:17 2014 : Debug: (0) Received Access-Request Id 0 from 192.168.178.129:53519 to 192.168.177.134:1812 length 163
Wed Nov 26 20:56:17 2014 : Debug: (0)   User-Name = 'anonymous@uni-wuppertal.de'
Wed Nov 26 20:56:17 2014 : Debug: (0)   NAS-IP-Address = 127.0.0.1
Wed Nov 26 20:56:17 2014 : Debug: (0)   Calling-Station-Id = '70-6F-6C-69-73-68'
Wed Nov 26 20:56:17 2014 : Debug: (0)   Framed-MTU = 1400
Wed Nov 26 20:56:17 2014 : Debug: (0)   NAS-Port-Type = Wireless-802.11
Wed Nov 26 20:56:17 2014 : Debug: (0)   Connect-Info = 'rad_eap_test + eapol_test'
Wed Nov 26 20:56:17 2014 : Debug: (0)   EAP-Message = 0x0200001f01616e6f6e796d6f757340756e692d77757070657274616c2e6465
Wed Nov 26 20:56:17 2014 : Debug: (0)   Message-Authenticator = 0x7e954304a88c37e20ab3c6c5492bbe41
Wed Nov 26 20:56:17 2014 : Debug: (0) session-state: No State attribute
Wed Nov 26 20:56:17 2014 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
Wed Nov 26 20:56:17 2014 : Debug: (0)   authorize {
Wed Nov 26 20:56:17 2014 : Debug: (0)     policy filter_username {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (!User-Name) {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (!User-Name)  -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ / /) {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ / /)  -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /@.*@/ ) {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /@.*@/ )  -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /\\.\\./ ) {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /\\.\\./ )  -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))  {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /\\.$/)  {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /\\.$/)   -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /@\\./)  {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /@\\./)   -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)     } # policy filter_username = notfound
Wed Nov 26 20:56:17 2014 : Debug: (0)     if ( User-Name && ( User-Name !~ /^[a-z0-9-]{3,20}(()|(@uni-wuppertal\.de))$/i ) ) {
Wed Nov 26 20:56:17 2014 : Debug: (0)     if ( User-Name && ( User-Name !~ /^[a-z0-9-]{3,20}(()|(@uni-wuppertal\.de))$/i ) )  -> TRUE
Wed Nov 26 20:56:17 2014 : Debug: (0)     if ( User-Name && ( User-Name !~ /^[a-z0-9-]{3,20}(()|(@uni-wuppertal\.de))$/i ) )  {
Wed Nov 26 20:56:17 2014 : Debug: (0)       modsingle[authorize]: calling reject (rlm_always) for request 0
Wed Nov 26 20:56:17 2014 : Debug: (0)       modsingle[authorize]: returned from reject (rlm_always) for request 0
Wed Nov 26 20:56:17 2014 : Debug: (0)       [reject] = reject
Wed Nov 26 20:56:17 2014 : Debug: (0)     } # if ( User-Name && ( User-Name !~ /^[a-z0-9-]{3,20}(()|(@uni-wuppertal\.de))$/i ) )  = reject
Wed Nov 26 20:56:17 2014 : Debug: (0)   } # authorize = reject
Wed Nov 26 20:56:17 2014 : Auth: (0) Invalid user: [anonymous@uni-wuppertal.de] (from client Alcatraz port 0 cli 70-6F-6C-69-73-68)
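As an added illustration (not FreeRADIUS code and not part of this issue), the checks that the filter_username policy runs in the debug output above, modelled in Python, together with the site-specific rule from the second post: when the policy's `\.` reaches the regex engine as a literal dot the posted name passes every check, whereas if the doubled `\\.` printed in the 3.0.5 output were taken literally it would mean "a backslash followed by any character", which is enough to trip the realm check exactly as the log shows. The `dot` parameter, the non-realm reason labels and the literal-backslash reading are assumptions of this model.

```python
import re

# Added model of the filter_username checks seen in the debug output above;
# this is not FreeRADIUS code. `dot` is the regex fragment standing for a
# literal dot: r"\." is the intended meaning, while r"\\." models the doubled
# form printed in the 3.0.5 output reaching the regex engine unchanged
# (an assumption, used only to reproduce the observed result).
REALM_MSG = "Rejected: Realm does not have at least one dot separator"  # from the log


def filter_username(user_name, dot=r"\."):
    """Return None if the name passes, or a label naming the failing check.
    Only REALM_MSG is taken from the issue; the other labels are constructed."""
    if not user_name:                        # if (!User-Name)
        return "no User-Name"
    if " " in user_name:                     # if (User-Name =~ / /)
        return "space in User-Name"
    if re.search(r"@.*@", user_name):        # if (User-Name =~ /@.*@/)
        return "multiple @"
    if re.search(dot + dot, user_name):      # if (User-Name =~ /\.\./)
        return "consecutive dots"
    # if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\.(.+)$/))
    if "@" in user_name and not re.search(r"@(.+)" + dot + r"(.+)$", user_name):
        return REALM_MSG
    if re.search(dot + r"$", user_name):     # if (User-Name =~ /\.$/)
        return "trailing dot"
    if re.search(r"@" + dot, user_name):     # if (User-Name =~ /@\./)
        return "realm starts with dot"
    return None


# Site-specific rule from the second post: accept only a 3-20 character
# local part, optionally followed by @uni-wuppertal.de (case-insensitive).
SITE_RE = re.compile(r"^[a-z0-9-]{3,20}(()|(@uni-wuppertal\.de))$", re.I)


def site_rule_rejects(user_name):
    """True when `User-Name && User-Name !~ SITE_RE` holds, i.e. the rule rejects."""
    return bool(user_name) and SITE_RE.search(user_name) is None


if __name__ == "__main__":
    name = "anonymous@uni-wuppertal.de"
    print("intended \\. :", filter_username(name))              # None: accepted
    print("doubled \\\\.:", filter_username(name, dot=r"\\."))  # REALM_MSG
    print("site rule rejects:", site_rule_rejects(name))        # False
```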

@arr2036 (Member)

arr2036 commented Nov 26, 2014

output of radiusd -vxx please

@arr2036 (Member)

arr2036 commented Nov 26, 2014

Actually no need, I can reproduce it. I'll let @alandekok figure out the fix :)

@Schnappatmer (Author)

It works! Thanks.
