FR 3.0.5: filter_username filter_username Rejected: Realm does not have at least one dot separator #842

Closed
Schnappatmer opened this Issue Nov 26, 2014 · 4 comments


@Schnappatmer

I just upgraded to version 3.0.5

I got the error message with username e.g. "anonymous@uni-wuppertal.de"

Rejected: Realm does not have at least one dot separator.

FR version 3.0.4 works flawlessly (output at the end)

FR 3.0.5

Wed Nov 26 09:50:16 2014 : Info: Ready to process requests
Wed Nov 26 09:50:53 2014 : Debug: Threads: total/active/spare threads = 5/0/5
Wed Nov 26 09:50:53 2014 : Debug: Thread 1 got semaphore
Wed Nov 26 09:50:53 2014 : Debug: Thread 1 handling request 0, (1 handled so far)
Wed Nov 26 09:50:53 2014 : Debug: (0) Received Access-Request Id 0 from 192.168.178.129:54873 to 192.168.177.136:1812 length 163
Wed Nov 26 09:50:53 2014 : Debug: (0)   User-Name = 'anonymous@uni-wuppertal.de'
Wed Nov 26 09:50:53 2014 : Debug: (0)   NAS-IP-Address = 127.0.0.1
Wed Nov 26 09:50:53 2014 : Debug: (0)   Calling-Station-Id = '70-6F-6C-69-73-68'
Wed Nov 26 09:50:53 2014 : Debug: (0)   Framed-MTU = 1400
Wed Nov 26 09:50:53 2014 : Debug: (0)   NAS-Port-Type = Wireless-802.11
Wed Nov 26 09:50:53 2014 : Debug: (0)   Connect-Info = 'rad_eap_test + eapol_test'
Wed Nov 26 09:50:53 2014 : Debug: (0)   EAP-Message = 0x0200001f01616e6f6e796d6f757340756e692d77757070657274616c2e6465
Wed Nov 26 09:50:53 2014 : Debug: (0)   Message-Authenticator = 0xedb6f3e146253542d68a616515324363
Wed Nov 26 09:50:53 2014 : Debug: (0) session-state: No State attribute
Wed Nov 26 09:50:53 2014 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
Wed Nov 26 09:50:53 2014 : Debug: (0)   authorize {
Wed Nov 26 09:50:53 2014 : Debug: (0)     policy filter_username {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (!User-Name) {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (!User-Name)  -> FALSE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ / /) {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ / /)  -> FALSE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ /@.*@/ ) {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ /@.*@/ )  -> FALSE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ /\\.\\./ ) {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (User-Name =~ /\\.\\./ )  -> FALSE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))  {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> TRUE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   {
Wed Nov 26 09:50:53 2014 : Debug: (0)         update reply {
Wed Nov 26 09:50:53 2014 : Debug: (0)           Reply-Message += 'Rejected: Realm does not have at least one dot separator'
Wed Nov 26 09:50:53 2014 : Debug: (0)         } # update reply = noop
Wed Nov 26 09:50:53 2014 : Debug: (0)         modsingle[authorize]: calling reject (rlm_always) for request 0
Wed Nov 26 09:50:53 2014 : Debug: (0)         modsingle[authorize]: returned from reject (rlm_always) for request 0
Wed Nov 26 09:50:53 2014 : Debug: (0)         [reject] = reject
Wed Nov 26 09:50:53 2014 : Debug: (0)       } # if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   = reject
Wed Nov 26 09:50:53 2014 : Debug: (0)     } # policy filter_username = reject
Wed Nov 26 09:50:53 2014 : Debug: (0)   } # authorize = reject
Wed Nov 26 09:50:53 2014 : Auth: (0) Invalid user: [anonymous@uni-wuppertal.de] (from client Alcatraz port 0 cli 70-6F-6C-69-73-68)
Wed Nov 26 09:50:53 2014 : Debug: (0) Using Post-Auth-Type Reject
Wed Nov 26 09:50:53 2014 : Debug: (0) # Executing group from file /etc/freeradius/sites-enabled/default
Wed Nov 26 09:50:53 2014 : Debug: (0)   Post-Auth-Type REJECT {
Wed Nov 26 09:50:53 2014 : Debug: (0)     modsingle[post-auth]: calling attr_filter.access_reject (rlm_attr_filter) for request 0
Wed Nov 26 09:50:53 2014 : Debug: %{User-Name}
Wed Nov 26 09:50:53 2014 : Debug: Parsed xlat tree:
Wed Nov 26 09:50:53 2014 : Debug: attribute --> User-Name
Wed Nov 26 09:50:53 2014 : Debug: (0) attr_filter.access_reject: EXPAND %{User-Name}
Wed Nov 26 09:50:53 2014 : Debug: (0) attr_filter.access_reject:    --> anonymous@uni-wuppertal.de
Wed Nov 26 09:50:53 2014 : Debug: (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
Wed Nov 26 09:50:53 2014 : Debug: (0) attr_filter.access_reject: Reply-Message += 'Rejected: Realm does not have at least one dot separator' allowed by Reply-Message =* ''
Wed Nov 26 09:50:53 2014 : Debug: (0) attr_filter.access_reject: Attribute "Reply-Message" allowed by 1 rules, disallowed by 0 rules
Wed Nov 26 09:50:53 2014 : Debug: (0)     modsingle[post-auth]: returned from attr_filter.access_reject (rlm_attr_filter) for request 0
Wed Nov 26 09:50:53 2014 : Debug: (0)     [attr_filter.access_reject] = updated
Wed Nov 26 09:50:53 2014 : Debug: (0)     modsingle[post-auth]: calling eap (rlm_eap) for request 0
Wed Nov 26 09:50:53 2014 : Debug: (0) eap: Request was previously rejected, inserting EAP-Failure
Wed Nov 26 09:50:53 2014 : Debug: (0)     modsingle[post-auth]: returned from eap (rlm_eap) for request 0
Wed Nov 26 09:50:53 2014 : Debug: (0)     [eap] = updated
Wed Nov 26 09:50:53 2014 : Debug: (0)     policy remove_reply_message_if_eap {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (reply:EAP-Message && reply:Reply-Message) {
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (reply:EAP-Message && reply:Reply-Message)  -> TRUE
Wed Nov 26 09:50:53 2014 : Debug: (0)       if (reply:EAP-Message && reply:Reply-Message)  {
Wed Nov 26 09:50:53 2014 : Debug: (0)         update reply {
Wed Nov 26 09:50:53 2014 : Debug: (0)           Reply-Message !* ANY
Wed Nov 26 09:50:53 2014 : Debug: (0)         } # update reply = noop
Wed Nov 26 09:50:53 2014 : Debug: (0)       } # if (reply:EAP-Message && reply:Reply-Message)  = noop
Wed Nov 26 09:50:53 2014 : Debug: (0)       ... skipping else for request 0: Preceding "if" was taken
Wed Nov 26 09:50:53 2014 : Debug: (0)     } # policy remove_reply_message_if_eap = noop
Wed Nov 26 09:50:53 2014 : Debug: (0)   } # Post-Auth-Type REJECT = updated
Wed Nov 26 09:50:53 2014 : Debug: (0) Delaying response for 1.000000 seconds

FR 3.0.4

Wed Nov 26 09:52:08 2014 : Info: Ready to process requests
Received Access-Request Id 0 from 192.168.178.129:51714 to 192.168.177.136:1812 length 163
Wed Nov 26 09:52:53 2014 : Debug: Threads: total/active/spare threads = 5/0/5
Wed Nov 26 09:52:53 2014 : Debug: Thread 4 got semaphore
Wed Nov 26 09:52:53 2014 : Debug: Thread 4 handling request 0, (1 handled so far)
        User-Name = 'anonymous@uni-wuppertal.de'
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = '70-6F-6C-69-73-68'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'rad_eap_test + eapol_test'
        EAP-Message = 0x0200001f01616e6f6e796d6f757340756e692d77757070657274616c2e6465
        Message-Authenticator = 0x4e54347a783d6c28c8d31bc4aa899626
Wed Nov 26 09:52:53 2014 : Debug: (0) Received Access-Request packet from host 192.168.178.129 port 51714, id=0, length=163
Wed Nov 26 09:52:53 2014 : Debug: (0)   User-Name = 'anonymous@uni-wuppertal.de'
Wed Nov 26 09:52:53 2014 : Debug: (0)   NAS-IP-Address = 127.0.0.1
Wed Nov 26 09:52:53 2014 : Debug: (0)   Calling-Station-Id = '70-6F-6C-69-73-68'
Wed Nov 26 09:52:53 2014 : Debug: (0)   Framed-MTU = 1400
Wed Nov 26 09:52:53 2014 : Debug: (0)   NAS-Port-Type = Wireless-802.11
Wed Nov 26 09:52:53 2014 : Debug: (0)   Connect-Info = 'rad_eap_test + eapol_test'
Wed Nov 26 09:52:53 2014 : Debug: (0)   EAP-Message = 0x0200001f01616e6f6e796d6f757340756e692d77757070657274616c2e6465
Wed Nov 26 09:52:53 2014 : Debug: (0)   Message-Authenticator = 0x4e54347a783d6c28c8d31bc4aa899626
Wed Nov 26 09:52:53 2014 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
Wed Nov 26 09:52:53 2014 : Debug: (0)   authorize {
Wed Nov 26 09:52:53 2014 : Debug: (0)   filter_username filter_username {
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (!User-Name)
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (!User-Name)  -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ / /)
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ / /)  -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /@.*@/ )
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /@.*@/ )  -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /\\.\\./ )
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /\\.\\./ )  -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
Wed Nov 26 09:52:53 2014 : Debug: (0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /\\.$/)
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /\\.$/)   -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /@\\./)
Wed Nov 26 09:52:53 2014 : Debug: (0)     if (User-Name =~ /@\\./)   -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)   } # filter_username filter_username = notfound
Wed Nov 26 09:52:53 2014 : Debug: (0)    if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) )
Wed Nov 26 09:52:53 2014 : Debug: Waking up in 0.3 seconds.
Wed Nov 26 09:52:53 2014 : Debug: (0)    if ( User-Name && ( User-Name !~ /^([a-z0-9._-]+)@([a-z0-9._-]+)[.]([a-z]{2,4})$/i ) || ( User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i ) )  -> FALSE
Wed Nov 26 09:52:53 2014 : Debug: (0)  modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0) modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)   [preprocess] = ok
Wed Nov 26 09:52:53 2014 : Debug: (0)  modsingle[authorize]: calling suffix (rlm_realm) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Checking for suffix after "@"
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Looking up realm "uni-wuppertal.de" for User-Name = "anonymous@uni-wuppertal.de"
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Found realm "uni-wuppertal.de"
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Adding Stripped-User-Name = "anonymous"
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Adding Realm = "uni-wuppertal.de"
Wed Nov 26 09:52:53 2014 : Debug: (0)  suffix : Authentication realm is LOCAL
Wed Nov 26 09:52:53 2014 : Debug: (0) modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)   [suffix] = ok
Wed Nov 26 09:52:53 2014 : Debug: (0)  modsingle[authorize]: calling eap (rlm_eap) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap : Peer sent code Response (2) ID 0 length 31
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
Wed Nov 26 09:52:53 2014 : Debug: (0) modsingle[authorize]: returned from eap (rlm_eap) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)   [eap] = ok
Wed Nov 26 09:52:53 2014 : Debug: (0)  } #  authorize = ok
Wed Nov 26 09:52:53 2014 : Debug: (0) Found Auth-Type = EAP
Wed Nov 26 09:52:53 2014 : Debug: (0) # Executing group from file /etc/freeradius/sites-enabled/default
Wed Nov 26 09:52:53 2014 : Debug: (0)   authenticate {
Wed Nov 26 09:52:53 2014 : Debug: (0)  modsingle[authenticate]: calling eap (rlm_eap) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap : Peer sent method Identity (1)
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap : Calling eap_peap to process EAP data
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap_peap : Initiate
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap_peap : Start returned 1
Wed Nov 26 09:52:53 2014 : Debug: (0)  eap : New EAP session, adding 'State' attribute to reply 0x9b2443009b255a41
Wed Nov 26 09:52:53 2014 : Debug: (0) modsingle[authenticate]: returned from eap (rlm_eap) for request 0
Wed Nov 26 09:52:53 2014 : Debug: (0)   [eap] = handled
Wed Nov 26 09:52:53 2014 : Debug: (0)  } #  authenticate = handled
Wed Nov 26 09:52:53 2014 : Debug: (0) Sending Access-Challenge packet to host 192.168.178.129 port 51714, id=0, length=0
Wed Nov 26 09:52:53 2014 : Debug: (0)   EAP-Message = 0x010100061920
Wed Nov 26 09:52:53 2014 : Debug: (0)   Message-Authenticator = 0x00000000000000000000000000000000
Wed Nov 26 09:52:53 2014 : Debug: (0)   State = 0x9b2443009b255a41bdb1f7a3bb1f944f
@alandekok closed this in a0e0597 Nov 26, 2014
@Schnappatmer

I still have a problem with this:

        if ( User-Name && ( User-Name !~ /^[a-z0-9-]{3,20}(()|(@uni-wuppertal\.de))$/i ) ) {
                reject
        }

With user name "anonymous@uni-wuppertal.de" it should be false.

Wed Nov 26 20:55:45 2014 : Info: Ready to process requests
Wed Nov 26 20:56:17 2014 : Debug: Threads: total/active/spare threads = 5/0/5
Wed Nov 26 20:56:17 2014 : Debug: Waking up in 0.3 seconds.
Wed Nov 26 20:56:17 2014 : Debug: Thread 2 got semaphore
Wed Nov 26 20:56:17 2014 : Debug: Thread 2 handling request 0, (1 handled so far)
Wed Nov 26 20:56:17 2014 : Debug: (0) Received Access-Request Id 0 from 192.168.178.129:53519 to 192.168.177.134:1812 length 163
Wed Nov 26 20:56:17 2014 : Debug: (0)   User-Name = 'anonymous@uni-wuppertal.de'
Wed Nov 26 20:56:17 2014 : Debug: (0)   NAS-IP-Address = 127.0.0.1
Wed Nov 26 20:56:17 2014 : Debug: (0)   Calling-Station-Id = '70-6F-6C-69-73-68'
Wed Nov 26 20:56:17 2014 : Debug: (0)   Framed-MTU = 1400
Wed Nov 26 20:56:17 2014 : Debug: (0)   NAS-Port-Type = Wireless-802.11
Wed Nov 26 20:56:17 2014 : Debug: (0)   Connect-Info = 'rad_eap_test + eapol_test'
Wed Nov 26 20:56:17 2014 : Debug: (0)   EAP-Message = 0x0200001f01616e6f6e796d6f757340756e692d77757070657274616c2e6465
Wed Nov 26 20:56:17 2014 : Debug: (0)   Message-Authenticator = 0x7e954304a88c37e20ab3c6c5492bbe41
Wed Nov 26 20:56:17 2014 : Debug: (0) session-state: No State attribute
Wed Nov 26 20:56:17 2014 : Debug: (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
Wed Nov 26 20:56:17 2014 : Debug: (0)   authorize {
Wed Nov 26 20:56:17 2014 : Debug: (0)     policy filter_username {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (!User-Name) {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (!User-Name)  -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ / /) {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ / /)  -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /@.*@/ ) {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /@.*@/ )  -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /\\.\\./ ) {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /\\.\\./ )  -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))  {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /\\.$/)  {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /\\.$/)   -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /@\\./)  {
Wed Nov 26 20:56:17 2014 : Debug: (0)       if (User-Name =~ /@\\./)   -> FALSE
Wed Nov 26 20:56:17 2014 : Debug: (0)     } # policy filter_username = notfound
Wed Nov 26 20:56:17 2014 : Debug: (0)     if ( User-Name && ( User-Name !~ /^[a-z0-9-]{3,20}(()|(@uni-wuppertal\.de))$/i ) ) {
Wed Nov 26 20:56:17 2014 : Debug: (0)     if ( User-Name && ( User-Name !~ /^[a-z0-9-]{3,20}(()|(@uni-wuppertal\.de))$/i ) )  -> TRUE
Wed Nov 26 20:56:17 2014 : Debug: (0)     if ( User-Name && ( User-Name !~ /^[a-z0-9-]{3,20}(()|(@uni-wuppertal\.de))$/i ) )  {
Wed Nov 26 20:56:17 2014 : Debug: (0)       modsingle[authorize]: calling reject (rlm_always) for request 0
Wed Nov 26 20:56:17 2014 : Debug: (0)       modsingle[authorize]: returned from reject (rlm_always) for request 0
Wed Nov 26 20:56:17 2014 : Debug: (0)       [reject] = reject
Wed Nov 26 20:56:17 2014 : Debug: (0)     } # if ( User-Name && ( User-Name !~ /^[a-z0-9-]{3,20}(()|(@uni-wuppertal\.de))$/i ) )  = reject
Wed Nov 26 20:56:17 2014 : Debug: (0)   } # authorize = reject
Wed Nov 26 20:56:17 2014 : Auth: (0) Invalid user: [anonymous@uni-wuppertal.de] (from client Alcatraz port 0 cli 70-6F-6C-69-73-68)
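
The checks above can be replayed offline. The following is an added example, not FreeRADIUS code: it mirrors the stock filter_username rules from the first post and the site-specific rule from this second post, using the single-backslash dot escapes as written in the policy. With those escapes the name passes every check (the 3.0.4 outcome); compiling the escapes instead as the doubled backslash the debug output prints reproduces the two rejections seen in the 3.0.5 logs, without claiming that this is what the closing commit actually fixed. The rejection reasons are constructed here, except the one message quoted in the issue.

```python
import re

# Added example, not FreeRADIUS code. It mirrors, in order, the checks the
# debug output shows the stock filter_username policy running. Patterns are
# written with a single backslash, as in the unlang policy; the server's
# debug output prints every backslash doubled. The reason strings are
# constructed here, except the one message quoted in the issue.
REALM_MSG = "Rejected: Realm does not have at least one dot separator"


def filter_username(user_name, escape_dots_twice=False):
    """Return None if the name passes, otherwise the rejection reason.

    escape_dots_twice=True compiles the dot escapes as the literal two-
    character sequence the debug output prints (\\.), so the patterns
    then require a backslash in the name; this reproduces the rejection
    seen in the 3.0.5 log, whatever its real cause was.
    """
    dot = r"\\." if escape_dots_twice else r"\."
    if not user_name:
        return "no User-Name"
    if re.search(r" ", user_name):
        return "User-Name contains whitespace"
    if re.search(r"@.*@", user_name):
        return "multiple @ in User-Name"
    if re.search(dot + dot, user_name):
        return "User-Name contains .."
    if "@" in user_name and not re.search(r"@(.+)" + dot + r"(.+)$", user_name):
        return REALM_MSG
    if re.search(dot + r"$", user_name):
        return "User-Name ends with a dot"
    if re.search(r"@" + dot, user_name):
        return "realm begins with a dot"
    return None


def local_rule_rejects(user_name, escape_dots_twice=False):
    """Site rule from the second comment: allow 3-20 chars of [a-z0-9-],
    optionally followed by @uni-wuppertal.de; anything else is rejected."""
    dot = r"\\." if escape_dots_twice else r"\."
    pattern = r"^[a-z0-9-]{3,20}(()|(@uni-wuppertal" + dot + r"de))$"
    return re.search(pattern, user_name, re.IGNORECASE) is None


if __name__ == "__main__":
    for name in ["anonymous@uni-wuppertal.de", "user@localhost", "a..b@x.y"]:
        print(name, "->", filter_username(name), "| doubled escape:",
              filter_username(name, escape_dots_twice=True))
```

Running the script shows "anonymous@uni-wuppertal.de" passing with the single-backslash patterns and failing the realm check only when the escape is doubled, which is the difference between the two logs in the first post.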

@arr2036 (Member) commented Nov 26, 2014

output of radiusd -vxx please

@arr2036 (Member) commented Nov 26, 2014

Actually no need, I can reproduce it. I'll let @alandekok figure out the fix :)

@Schnappatmer

It works! Thanks.
