Created attachment 9279 mschap.log

UCS@school 4.1 R2 v13 / paedML 7

Unfortunately the ucs-school-ntlm-auth is case sensitive for wlan access for hostnames. The customer reported the issue and we reproduced the bug for the following use cases:

Case 1:
1. Create machine account "C06laptpo"
2. Joined the windows client

Case 2:
1. Joined the windows client "c06laptpo"
2. Machine account "C06LAPTPO" will be automatically created

For both machine accounts the wlan access failed because the windows clients send "host/c06laptpo.paedml-linux.lokal" and ucs-school-ntlm-auth-script failed with "user not found in any relevant group - access denied". Log attached.

But both machine accounts had all necessary WLAN-Requirements according to https://www.univention.de/2017/10/wlan-fuer-schultraeger-byod-gyod/
3.1 Internet rule with wlan=true
3.2 Created class
3.3 Added machine account to class
3.4 Assigned internet rule to class

Using c06laptpo worked like a charm!

Case 1:
1. Create machine account "c06laptpo"
2. Joined the windows client

The problem seems to be in loadInfo() during parsing of group membership.
Reported again by the same customer with additional information where the behavior depends on the version of Windows for authentication with Radius:
- Windows 10 client sends the hostname as given in UMC, which is accepted
- Windows 7 client sends the hostname converted into uppercase, independent of how it is given in the UMC, which results in an authentication problem with Radius

The current workflow is to create a computer object in lowercase. But if problems with Radius occur, it will help to remove and recreate the computer object in uppercase. But this workaround is a bit uncomfortable. A permanent solution could be that the testing for the hostname will succeed regardless of the spelling in upper/lowercase.

→ Increase type and affects by this bug
Created attachment 9491 Perl script to convert usernames to lowercase

Perl script which runs prior to the LDAP check to convert usernames to lowercase
A customer sent us a Perl script which runs before the ldap check occurs and converts the username to lowercase. Perhaps it would be possible to create another script for hostnames that works the same way.
An internal comparison when assigning user/host names to WLAN groups was case-sensitive, which meant that access to the WLAN was not granted if the user/host name was spelled incorrectly.

The existing test cases 72_radius_authentication and 72_radius_machine_authentication have been extended and are now checking with given username, lowercase username, uppercase username and random case username.

47253808 Bug #45684: Merge branch 'sschwardt/45684/42/radius_hostnames' into 4.2
d0c8b5e3 Bug #45684/#46806: add changelog entry
6ec5af72 Bug #45684/#46806: check if radius authentication also works with camel case usernames/hostnames
7b48b805 Bug #45684/#46806: add advisory
5a5e4c59 Bug #45684/#46806: add changelog entry
84dbf996 Bug #45684/#46806: remove case-sensitivity of hostnames/usernames in ucs-school-ntlm-auth

Package: ucs-school-radius-802.1x
Version: 6.0.1-5A~4.2.0.201804111403
Branch: ucs_4.2-0
Scope: ucs-school-4.2

Package: ucs-test-ucsschool
Version: 4.0.4-83A~4.2.0.201804111425
Branch: ucs_4.2-0
Scope: ucs-school-4.2
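Added example, not code from ucs-school-ntlm-auth or from the commits listed above: a sketch of a WLAN group check that folds case on both the RADIUS identity and the stored member names, with a switch that reproduces the case-sensitive behaviour reported in this bug. The function names, the group data and the assumption that machine accounts are stored with a trailing "$" are constructed for illustration.

```python
# Illustration only: names and sample data are constructed, not the project's own.

def normalize_identity(identity, case_insensitive=True):
    """Reduce a RADIUS identity to the account name used for the group lookup."""
    name = identity.strip()
    if "\\" in name:                        # DOMAIN\user -> user
        name = name.rsplit("\\", 1)[1]
    if name.lower().startswith("host/"):    # machine auth: host/<fqdn>
        # Assumption: machine accounts are stored as <hostname>$
        name = name[len("host/"):].split(".", 1)[0] + "$"
    elif "@" in name:                       # user@realm -> user
        name = name.split("@", 1)[0]
    return name.casefold() if case_insensitive else name


def wlan_allowed(identity, groups, case_insensitive=True):
    """groups maps group name -> (wlan_enabled, member names as stored).

    Access is granted only if the account is a member of at least one
    group whose internet rule has WLAN enabled; everything else is denied.
    """
    wanted = normalize_identity(identity, case_insensitive)
    if wanted in ("", "$"):                 # empty user or host name
        return False
    for wlan_enabled, members in groups.values():
        if not wlan_enabled:
            continue
        if case_insensitive:
            stored = {m.casefold() for m in members}
        else:
            stored = set(members)
        if wanted in stored:
            return True
    return False                            # not in any relevant group


# Constructed sample data: one class with WLAN enabled, one group without.
GROUPS = {
    "class-c06": (True, ["C06LAPTPO$", "Anna.Schmidt"]),
    "no-wlan": (False, ["c07pc$"]),
}

if __name__ == "__main__":
    ident = "host/c06laptpo.paedml-linux.lokal"
    print("case-sensitive:  ", wlan_allowed(ident, GROUPS, case_insensitive=False))
    print("case-insensitive:", wlan_allowed(ident, GROUPS))
```

Folding both sides at the comparison keeps the stored spelling untouched, so accounts created in either case keep working without being recreated.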
The radius identity is not case sensitive anymore -> OK
YAML change: [4.2 17b117ce] Bug #45684: YAML
-> Verified
UCS@school 4.2 v9 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.2v9-de.html

If this error occurs again, please clone this bug.