
I'm looking for an easy way to turn:

User-Name = "host/DESKTOP-F6E023D.msad.domain.net" 

to the following:

Stripped-User-Name := DESKTOP-F6E023D$
realm := msad.domain.net

In my virtual server configuration, I've accomplished this using unlang with the following:

if ( User-Name =~ /^host\/(.*)\.msad\.domain\.net$/i ) {
     update request {
          Stripped-User-Name := "%{1}$"
          realm := "msad.domain.net"        
     }
}

I'm looking to keep my virtual server configuration more generic, handle more than one domain, and move that functionality to a module/policy. I've attempted to create a policy but am struggling with the regex to split that string up so I can assign the Stripped-User-Name and realm values. Any assistance would be greatly appreciated.

./policy.d/filter

filter_computer_auth {
        if (&User-Name =~ /^host\/(.+)[\.](.*)$/) {
                update request {
                        &Stripped-User-Name := "%{1}$"
                        &realm := "%{2}"
                }
        }
}

Yields:

Stripped-User-Name := DESKTOP-F6E023D.msad.cnylab$
realm := net

2 Answers


The regex may need to be tweaked for your needs, but you could create a policy file with content like this

my_host_username_regexp = '^host\/([-[:alnum:]]+)(\.([-[:alnum:].]*))*$'

my_split_host_username {
    if (&User-Name && (&User-Name =~ /${policy.my_host_username_regexp}/)) {
        update request {
            &Stripped-User-Name := "%{1}"
        }
        if ("%{3}" != '') {
            update request {
                #&Stripped-User-Domain = "%{3}"
                &realm := "%{3}"
            }
        }
        updated
    }
    else {
        noop
    }
}

I am attempting to duplicate the split_username_nai policy provided by freeradius for consistency.

You can learn more about the regex by testing it at https://regex101.com/

Andrew Lowther
  • With a very minor change, that was exactly the direction I needed. Had I explored that file earlier I would have saved some frustration. Thank you so much! – another_netadmin Sep 01 '22 at 01:31

Solution that is working thanks to direction from Andrew. I kept both Stripped-User-Domain and realm in the solution since that is what I was using when I first asked the question. I initially was using realms for determining which mschap/ldap/eap modules to use but now I am using Stripped-User-Domain for that.

ad_computer_username_regexp = '^host\/([-[:alnum:]]+)(\.([-[:alnum:].]*))*$'

ad_computer_username {
    if (&User-Name && (&User-Name =~ /${policy.ad_computer_username_regexp}/)) {
        update request {
            &Stripped-User-Name := "%{1}$"
        }
        if ("%{3}" != '') {
            update request {
                &Stripped-User-Domain = "%{3}"
                &realm := "%{3}"
            }
        }
        updated
    }
    else {
        noop
    }
}
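As an added worked example (not code from the question or from either answer), the same split is reproduced here in Python so the three regex shapes on this page can be compared on sample input: the question's greedy `(.+)` attempt, a lazy `(.+?)` variant of it, and an equivalent of the answer's `my_host_username_regexp`. Python's `re` has no POSIX `[:alnum:]` class, so the answer's `[-[:alnum:]]` is translated to `[-A-Za-z0-9]`; the `$` suffix is appended exactly as the question's policy does; the User-Name values are constructed.

```python
import re

# Constructed equivalents of the regexes on this page. FreeRADIUS evaluates PCRE/POSIX
# syntax ([:alnum:]); Python's re has no POSIX classes, so [-[:alnum:]] is written
# as [-A-Za-z0-9] here.
NAIVE_RE = re.compile(r"^host/(.+)\.(.*)$")    # the question's attempt: greedy (.+)
LAZY_RE = re.compile(r"^host/(.+?)\.(.*)$")    # same shape, lazy (.+?) stops at the first dot
# Equivalent of the answer's my_host_username_regexp:
# group 1 = host name, group 3 = everything after the first dot (unset when no dot).
POLICY_RE = re.compile(r"^host/([-A-Za-z0-9]+)(\.([-A-Za-z0-9.]*))*$")


def _two_group_split(regex, user_name):
    """Apply a two-capture regex: group 1 -> Stripped-User-Name (+ '$'), group 2 -> realm."""
    m = regex.match(user_name)
    if m is None:
        return None
    return {"Stripped-User-Name": m.group(1) + "$", "realm": m.group(2)}


def naive_split(user_name):
    """The question's first attempt: (.+) is greedy and backtracks only to the LAST dot."""
    return _two_group_split(NAIVE_RE, user_name)


def lazy_split(user_name):
    """Lazy (.+?) splits at the first dot, but still accepts any character in the host part."""
    return _two_group_split(LAZY_RE, user_name)


def split_host_username(user_name):
    """Mirror of the my_split_host_username policy.

    Returns the attributes the policy would set, or None where the policy returns noop.
    """
    m = POLICY_RE.match(user_name)
    if m is None:
        return None
    attrs = {"Stripped-User-Name": m.group(1) + "$"}
    domain = m.group(3)
    if domain:  # the policy's  if ("%{3}" != '')  branch
        attrs["realm"] = domain
        attrs["Stripped-User-Domain"] = domain
    return attrs


if __name__ == "__main__":
    # Constructed sample User-Name values: FQDN host, bare host, malformed host, user login.
    samples = [
        "host/DESKTOP-F6E023D.msad.domain.net",
        "host/DESKTOP-F6E023D",
        "host/DESKTOP F6E023D.msad.domain.net",  # space: the policy regex refuses it
        "jdoe@msad.domain.net",
    ]
    for name in samples:
        print(name)
        print("  naive :", naive_split(name))
        print("  lazy  :", lazy_split(name))
        print("  policy:", split_host_username(name))
```

Running it shows why the question's policy produced a one-label realm: the greedy `(.+)` consumes every dot except the last, so group 1 holds `DESKTOP-F6E023D.msad.domain` and group 2 only `net`. The answer's regex instead bounds the host name with a character class that excludes `.`, so the first dot ends group 1 regardless of how many labels the domain has, and a User-Name containing an unexpected character (a space, a second `/`) fails the whole match and the policy falls through to `noop` rather than emitting a half-formed Stripped-User-Name that could be routed to the wrong realm.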