So I have a Juniper-FreeRADIUS-LinOTP (with AD users) setup.
I had some troubles authenticating into Juniper with an AD user+pass and a token.
FreeRADIUS would parse and strip the user from the domain when authenticating on Juniper, but LinOTP would still use the initial User-Name (not stripped) in the perl module instead of Stripped-User-Name.
Should FreeRADIUS pass the stripped user name in the field of the user name to the perl module?
From radius_linotp.pm:

    # Username and password: the module copies User-Name verbatim,
    # so the DOMAIN\USER form reaches LinOTP even when a realm module
    # has already set Stripped-User-Name.
    if ( exists( $RAD_REQUEST{'User-Name'} ) ) {
        $params{"user"} = $RAD_REQUEST{'User-Name'};
    }
    if ( exists( $RAD_REQUEST{'User-Password'} ) ) {
        $params{"pass"} = $RAD_REQUEST{'User-Password'};
    }
Of course authentication fails!

FreeRADIUS log:
Info: [ntdomain] Looking up realm "DOMAIN" for User-Name = "DOMAIN\USER"
Info: [ntdomain] Found realm "DOMAIN"
Info: [ntdomain] Adding Stripped-User-Name = "USER"
Info: [ntdomain] Adding Realm = "DOMAIN"
Info: [ntdomain] Authentication realm is LOCAL.
Info: ++[ntdomain] returns ok
####everything is fine so far
Info: rlm_perl: Config File /etc/linotp2/rlm_perl.ini found!
Info: rlm_perl: Default URL https://address/validate/simplecheck
Debug: rlm_perl: RAD_REQUEST: Acct-Session-Id = DOMAIN\\USER(Juniper realm)\"DATE\"VrHn5ruU
Debug: rlm_perl: RAD_REQUEST: NAS-IP-Address = JUNIPER_IP_ADDRESS
Debug: rlm_perl: RAD_REQUEST: NAS-Identifier = juniper_identifier
Debug: rlm_perl: RAD_REQUEST: User-Name = DOMAIN\\USER
Debug: rlm_perl: RAD_REQUEST: Tunnel-Client-Endpoint = IP
Debug: rlm_perl: RAD_REQUEST: NAS-Port = 0
Debug: rlm_perl: RAD_REQUEST: Realm = REALM
Debug: rlm_perl: RAD_REQUEST: Stripped-User-Name = USER
Debug: rlm_perl: RAD_REQUEST: User-Password = token
Info: rlm_perl: Auth-Type: perl
Info: rlm_perl: Url: https://address/validate/simplecheck
Info: rlm_perl: User: DOMAIN\\USER
Debug: rlm_perl: urlparam client = JUNIPER_IP_ADDRESS
Debug: rlm_perl: urlparam pass = token
Debug: rlm_perl: urlparam user = DOMAIN\\USER
Debug: rlm_perl: Content :-(
Info: rlm_perl: return RLM_MODULE_REJECT
I managed to bypass/workaround this by editing the perl module:

    # Prefer the realm-stripped name when a realm module (e.g. ntdomain)
    # has set it; otherwise fall back to the raw User-Name so that
    # requests without a realm still carry a user to LinOTP.
    if ( exists( $RAD_REQUEST{'Stripped-User-Name'} ) ) {
        $params{"user"} = $RAD_REQUEST{'Stripped-User-Name'};
    }
    elsif ( exists( $RAD_REQUEST{'User-Name'} ) ) {
        $params{"user"} = $RAD_REQUEST{'User-Name'};
    }
    if ( exists( $RAD_REQUEST{'User-Password'} ) ) {
        $params{"pass"} = $RAD_REQUEST{'User-Password'};
    }
I could go for User-Name OR Stripped-User-Name, or just the Stripped-User-Name, but the thing is I'm not into Perl and I don't know what RADIUS will pass to the LinOTP perl module when we go into other scenarios.
Did anyone have this problem? Did I do something wrong, or how should I do this in a better way?
Thanks,
Bogdan
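As an added example (not part of Bogdan's post or of the LinOTP radius_linotp.pm module), the helper below shows one way to pick the user name for LinOTP that covers the "other scenarios" mentioned above: it takes Stripped-User-Name when a FreeRADIUS realm module has set it, otherwise strips a DOMAIN\user or user@DOMAIN form itself, and returns the realm alongside so the lookup is not an ambiguous bare user across domains. The function name and the sample requests are assumptions constructed for this example; passing the realm on to LinOTP is only a suggestion and is not wired into the module here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pick the user name (and realm) to send to LinOTP from a RADIUS request hash.
# Order: Stripped-User-Name if a realm module set it, else strip DOMAIN\user
# or user@DOMAIN ourselves, else the plain User-Name. Realm comes from the
# Realm attribute when present, otherwise from the part we stripped.
# Returns (user, realm); either may be undef when not available.
sub linotp_user_and_realm {
    my ($req) = @_;
    my $user  = $req->{'User-Name'};
    my $realm = $req->{'Realm'};

    my $stripped = $req->{'Stripped-User-Name'};
    return ( $stripped, $realm ) if defined $stripped && length $stripped;
    return ( undef, undef ) unless defined $user;

    if ( $user =~ /^([^\\]+)\\(.+)$/ ) {        # DOMAIN\user
        return ( $2, $realm // $1 );
    }
    if ( $user =~ /^([^@]+)@([^@]+)$/ ) {       # user@DOMAIN
        return ( $1, $realm // $2 );
    }
    return ( $user, $realm );                   # plain user, no realm
}

# Constructed sample requests mirroring the log in the post (not real traffic).
my %with_strip = ( 'User-Name' => 'DOMAIN\\USER',
                   'Stripped-User-Name' => 'USER', 'Realm' => 'DOMAIN' );
my %no_strip   = ( 'User-Name' => 'DOMAIN\\USER' );   # no realm module ran
my %upn_form   = ( 'User-Name' => 'USER@DOMAIN' );
my %plain      = ( 'User-Name' => 'USER' );

for my $r ( \%with_strip, \%no_strip, \%upn_form, \%plain ) {
    my ( $u, $d ) = linotp_user_and_realm($r);
    printf "User-Name=%-12s -> user=%s realm=%s\n",
        $r->{'User-Name'}, $u // '(none)', $d // '(none)';
}
# In rlm_perl this would replace the $params{"user"} assignment:
#   my ( $u, $d ) = linotp_user_and_realm( \%RAD_REQUEST );
#   $params{'user'} = $u if defined $u;
```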