
FreeRADIUS change user domain

I've been working on a project at work to configure FreeRADIUS with Google Authenticator for two-factor authentication purposes.

I've used this guide.

Everything's working well and I've even written scripts to generate and e-mail the QR codes to users but there's one last hurdle I'd like to overcome.

For example:

Say our AD domain is my.domain.com and I authenticate against FreeRADIUS with the username user@my.domain.com everything works fine. The problem is that our RAS solution sometimes doesn't always send the full domain to FreeRADIUS. In the logs I'd see the username as user@my (Pre-2000 domain name). Naturally this fails.

What I'm trying to achieve is to get FreeRADIUS to catch this and replace @my with @my.domain.com.

The other option is to re-configure all the RAS clients, and since these are almost all used remotely this would be impractical.

I'm sure FreeRADIUS can do it, can someone help me?

OK, got it.

Just in case anyone else needs to know here's what I did.

I added the following to /etc/raddb/hints (may vary by distro but I'm on CentOS 7)

DEFAULT Suffix == "@my", Strip-User-Name = No
     User-Name := "%{User-Name}.domain.com"


DEFAULT User-Name !~ ".*@"
     User-Name := "%{User-Name}@my.domain.com"

The first entry looks to see if the suffix is JUST @my and adds .domain.com to the username if it is.

The second entry checks to see if an @ is present and if not adds @my.domain.com to the username. This turned out to be an additional requirement not mentioned above.

Hope it's useful to someone. Works like a charm now.
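
An added example, not part of the original post: a small Python model of the two hints entries above, useful for checking which usernames get rewritten before touching a live server. It assumes entries are tried in order and the first match wins (neither entry sets Fall-Through); the function names and sample usernames are constructed for illustration.

```python
import re

# Constructed model of the two hints entries from the answer above.
# Assumption: entries are tried in order and the first match wins,
# because neither entry sets Fall-Through.
SHORT_REALM = "@my"            # value compared by the Suffix check
DNS_TAIL = ".domain.com"       # appended by the first entry
FULL_REALM = "@my.domain.com"  # appended by the second entry
HAS_AT = re.compile(r".*@")    # same pattern as the second entry


def normalize(user_name: str) -> str:
    """Return the User-Name the two hints entries would produce."""
    # Entry 1: Suffix == "@my" -> User-Name := "%{User-Name}.domain.com"
    if user_name.endswith(SHORT_REALM):
        return user_name + DNS_TAIL
    # Entry 2: User-Name !~ ".*@" -> User-Name := "%{User-Name}@my.domain.com"
    if not HAS_AT.search(user_name):
        return user_name + FULL_REALM
    # No entry matched: the name is passed through unchanged.
    return user_name


def audit(names):
    """Pair each input with its rewritten form and whether it ends in the full realm."""
    report = []
    for name in names:
        out = normalize(name)
        report.append((name, out, out.endswith(FULL_REALM)))
    return report


# Constructed sample usernames, not taken from real logs.
SAMPLES = ["user@my.domain.com", "user@my", "user", "user@other", "user@"]

if __name__ == "__main__":
    for before, after, in_realm in audit(SAMPLES):
        flag = "" if in_realm else "  <- not in my.domain.com, left as sent"
        print(f"{before!r:24} -> {after!r}{flag}")
```

Names carrying any other realm, or a trailing @ with nothing after it, match neither entry and reach the rest of the configuration exactly as the client sent them.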
