YfiTechNoRealm

Anonymous

Background

  • A few people have asked whether a user can log in with a username that carries no realm.
  • There are several ways to make this work with the current YFi Hotspot Manager.
  • This page describes one of them: letting FreeRADIUS add the realm itself.

Changing FreeRADIUS to accept usernames without a realm

  • The user supplies a username without a realm, for instance on the login page of a captive portal.
  • The captive portal passes these credentials to FreeRADIUS unchanged. FreeRADIUS looks the name up in radcheck and, if it finds a matching realm-qualified account, rewrites User-Name to that account before authentication runs, so the password is still checked against the realm-qualified account.
  • The same rewrite is applied in the preacct section, so accounting data is stored under the realm-qualified name before it is committed to the database.
  • NOTE & WARNING: You will probably also have to modify the code that kicks off (disconnects) users, since FreeRADIUS is now under the impression the user is dvdwalt@ri while the captive portal assumes the user is dvdwalt!!
  • Caveats: the lookup uses LIMIT 1, so if the same local part exists in more than one realm the first row the database returns wins silently; either keep local parts unique across realms or fail the lookup when there is more than one candidate. A username that already contains a realm is left alone, because the lookup then searches for a second '@'. Attribute values expanded inside %{sql:...} go through the sql module's escape function (the safe-characters setting in sql.conf), which encodes quote characters, but regex metacharacters such as '.' are safe-characters by default and keep their REGEXP meaning, so a name like d.dwalt can match a different account than the one typed.

Define a custom attribute to FreeRADIUS

  • Edit the /usr/local/etc/raddb/dictionary file and add the following:

       ATTRIBUTE       Temp-User-Name          3000    string
    
  • This defines an internal attribute we can use to hold the SQL query result. Attribute numbers above 255 in the base dictionary are internal to FreeRADIUS and are never encoded into a RADIUS packet, so the value stays on the server.

Modify the default FreeRADIUS virtual server

  • Add the following to the authorize section of /usr/local/etc/raddb/sites-enabled/default, directly below the unix entry:

    unix
    
    #----- YFi Experiment: get the realm-qualified username for a username without a realm ----
    # NOTE: an "update" block only changes the return code when something goes wrong,
    # so this block inherits the return code of the preceding module (e.g. notfound
    # from unix). That is expected and is not an error.
    # The expansion inside %{sql:...} is escaped by rlm_sql (see safe-characters);
    # LIMIT 1 means the first row wins if the same local part exists in several realms.
    if ("%{request:User-Name}") {
        update control {
            Temp-User-Name := "%{sql:SELECT username FROM radcheck WHERE username REGEXP '^%{request:User-Name}@' LIMIT 1}"
        }
        # Only rewrite when the lookup returned a name that starts with what the user typed
        if ("%{control:Temp-User-Name}" =~ /^%{request:User-Name}.*/i) {
            update request {
                User-Name := "%{control:Temp-User-Name}"
            }
        }
    }
    #------------------------------------------------------------------------------------
    
  • Add the same block to the preacct section, between the commented-out files entry and the perl entry, so accounting packets are rewritten the same way:

    #
    #  Read the 'acct_users' file
    ##files
    #----- YFi Experiment: get the realm-qualified username for a username without a realm ----
    # NOTE: an "update" block only changes the return code when something goes wrong,
    # so this block inherits the return code of the preceding module. That is expected.
    if ("%{request:User-Name}") {
        update control {
            Temp-User-Name := "%{sql:SELECT username FROM radcheck WHERE username REGEXP '^%{request:User-Name}@' LIMIT 1}"
        }
        # Only rewrite when the lookup returned a name that starts with what the user typed
        if ("%{control:Temp-User-Name}" =~ /^%{request:User-Name}.*/i) {
            update request {
                User-Name := "%{control:Temp-User-Name}"
            }
        }
    }
    #------------------------------------------------------------------------------------
    perl
    
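The block below is an added example, not code from the YFi Hotspot Manager or from FreeRADIUS. It models the unlang logic above in Python against an in-memory SQLite copy of a radcheck table with constructed rows, emulating rlm_sql's =XX escaping with the default safe-characters string and MySQL's case-insensitive REGEXP, so the page's query can be run as written. It shows the normal case, the "d.dwalt" wildcard match, the silent LIMIT 1 choice when a local part exists in two realms, and a stricter lookup that matches the local part exactly and refuses ambiguity. The table contents, realm names and the helper names are all assumptions made for the example.

```python
"""Model of the realm-completion logic from the unlang snippets above.

Runs against an in-memory SQLite copy of a radcheck table (constructed rows),
with REGEXP emulated so the page's query can be executed as written. Added
example; not code from the YFi Hotspot Manager or FreeRADIUS.
"""
import re
import sqlite3

# Constructed sample rows: one plain account, one local part present in two
# realms, and one account whose name differs from dvdwalt in a single character.
SAMPLE_RADCHECK = [
    ("dvdwalt@ri",  "Cleartext-Password", ":=", "secret1"),
    ("jdoe@ri",     "Cleartext-Password", ":=", "secret2"),
    ("jdoe@guest",  "Cleartext-Password", ":=", "secret3"),
    ("dxdwalt@ri",  "Cleartext-Password", ":=", "secret4"),
]

# Default safe-characters of rlm_sql in FreeRADIUS 2.x (assumption: check your
# own sql.conf). Any other character expanded inside %{sql:...} is rewritten
# to =XX by the module's escape function before it reaches the query.
SAFE_CHARACTERS = ("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "0123456789.-_: /")


def sql_escape(value):
    """Emulate rlm_sql's escape of an attribute expanded inside %{sql:...}."""
    return "".join(c if c in SAFE_CHARACTERS else "=%02X" % ord(c)
                   for c in value)


def open_db():
    """In-memory radcheck with a case-insensitive REGEXP, like MySQL's."""
    conn = sqlite3.connect(":memory:")
    # SQLite evaluates 'X REGEXP Y' as regexp(Y, X): pattern first, then text.
    conn.create_function(
        "regexp", 2,
        lambda pattern, text: re.search(pattern, text, re.I) is not None)
    conn.execute("CREATE TABLE radcheck "
                 "(username TEXT, attribute TEXT, op TEXT, value TEXT)")
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)",
                     SAMPLE_RADCHECK)
    return conn


def resolve_as_on_page(conn, user_name):
    """The unlang block above: SQL lookup, regex guard, then rewrite.

    Returns the User-Name FreeRADIUS would continue with.
    """
    if not user_name:                          # if ("%{request:User-Name}")
        return user_name
    # Built by string substitution exactly like the xlat; the escape is the
    # only thing keeping quotes out of the query.
    query = ("SELECT username FROM radcheck WHERE username REGEXP '^%s@' "
             "LIMIT 1" % sql_escape(user_name))
    row = conn.execute(query).fetchone()
    temp_user_name = row[0] if row else ""     # control:Temp-User-Name
    try:                                       # =~ /^%{request:User-Name}.*/i
        guard = re.match("^" + user_name + ".*", temp_user_name, re.I)
    except re.error:                           # a regex that will not compile fails the guard
        guard = None
    return temp_user_name if guard else user_name


def resolve_strict(conn, user_name):
    """Hardened variant: exact match on the local part, refuse ambiguity.

    Regex metacharacters have no meaning here, a name that already carries a
    realm is left alone, and a local part found in more than one realm yields
    None (reject) instead of whichever row LIMIT 1 happened to return.
    MySQL equivalent of the WHERE clause: SUBSTRING_INDEX(username, '@', 1) = ?
    """
    if not user_name or "@" in user_name:
        return user_name
    rows = conn.execute(
        "SELECT username FROM radcheck "
        "WHERE instr(username, '@') > 0 "
        "AND substr(username, 1, instr(username, '@') - 1) = ?",
        (user_name,)).fetchall()
    if len(rows) == 0:
        return user_name       # unchanged; normal authorization will reject it
    if len(rows) > 1:
        return None            # ambiguous across realms: do not guess
    return rows[0][0]


if __name__ == "__main__":
    db = open_db()
    for name in ("dvdwalt", "dvdwalt@ri", "d.dwalt", "jdoe", "nobody", "o'brien"):
        print("%-12s page: %-14r strict: %r" % (
            name, resolve_as_on_page(db, name), resolve_strict(db, name)))
```

Running the script prints the outcome of both variants for each constructed name: "dvdwalt" resolves to dvdwalt@ri under both, "d.dwalt" is rewritten to an existing account by the page's REGEXP lookup but left untouched by the strict one, and "jdoe" is silently assigned one of its two realms by LIMIT 1 while the strict variant refuses to choose.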

Testing it out

  • Start FreeRADIUS in debug mode (radiusd -X) and try to authenticate as one of your users without specifying the realm:

    system@yfi-dev:/var/www/c2/yfi_cake/webroot/files$ perl radscenario.pl dvdwalt dvdwalt@ri
    
  • Here is the relevant part of the debug output. The %{sql:...} expansion returns dvdwalt@ri, the guard regex matches, and the request's User-Name is rewritten; the notfound return codes are inherited from the unix module and are not errors:

    ++[unix] returns notfound
    ++? if ("%{request:User-Name}")
        expand: %{request:User-Name} -> dvdwalt
    ? Evaluating ("%{request:User-Name}") -> TRUE
    ++? if ("%{request:User-Name}") -> TRUE
    ++- entering if ("%{request:User-Name}") {...}
    sql_xlat
        expand: %{User-Name} -> dvdwalt
    sql_set_user escaped user --> 'dvdwalt'
        expand: SELECT username FROM radcheck  WHERE username REGEXP '^%{request:User-Name}@' LIMIT 1 -> SELECT username FROM radcheck  WHERE username REGEXP '^dvdwalt@' LIMIT 1
    rlm_sql (sql): Reserving sql socket id: 3
    sql_xlat finished
    rlm_sql (sql): Released sql socket id: 3
        expand: %{sql:SELECT username FROM radcheck  WHERE username REGEXP '^%{request:User-Name}@' LIMIT 1} -> dvdwalt@ri
    +++[control] returns notfound
    +++? if ("%{control:Temp-User-Name}" =~ /^%{request:User-Name}.*/i)
        expand: %{control:Temp-User-Name} -> dvdwalt@ri
        expand: ^%{request:User-Name}.* -> ^dvdwalt.*
    ? Evaluating ("%{control:Temp-User-Name}" =~ /^%{request:User-Name}.*/i) -> TRUE
    +++? if ("%{control:Temp-User-Name}" =~ /^%{request:User-Name}.*/i) -> TRUE
    +++- entering if ("%{control:Temp-User-Name}" =~ /^%{request:User-Name}.*/i) {...}
        expand: %{control:Temp-User-Name} -> dvdwalt@ri
    ++++[request] returns notfound
    +++- if ("%{control:Temp-User-Name}" =~ /^%{request:User-Name}.*/i) returns notfound
    ++- if ("%{request:User-Name}") returns notfound
    ++[files] returns noop
    
