EAP anonymous and inner User-name

Stefan Winter stefan.winter at restena.lu
Fri Nov 17 17:25:14 CET 2006


Hi Florian,

> > If you already successfully used outer = inner identity and it worked,
> > you don't need to change anything. the eap module doesn't care about the
> > User-Name of the outer request, just try it out.
>
> Hm, but I want to use "anonymus" as the outer username ( for eap) and
> my real username for the authentication/authorization.

as I told you before: you need to do *nothing*. There is no need for a users 
file entry for the name anonymous. Forget about it.

> > The inner request will magically show up after the tunnel has been
> > decoded. It is a new request, and will have its own User-Name attribute.
>
> Hm, for me it does not work,

That may be, but then your problem is not related to a missing users entry for 
the outer request, but something completely different.

> my settings:
>
> users-file:
> #WLAN-anonymus:
> DEFAULT User-Name=~"^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]$",
> Huntgroup-Name == WLAN
>         Auth-Type:=EAP

Delete those lines. They are superfluous (though they don't seem to do any 
harm, unless one of your real user names would match the regex. In this case, 
this line would actually *break* things).

>
> # Default-Wlan
> DEFAULT Auth-Type = pap, Huntgroup-Name == WLAN

And this one is wrong, very wrong. Setting Auth-Type to pap (PAP?) is neither 
necessary nor does it make things better. Delete it as well.

>
> my log:
> rad_recv: Access-Request packet from host 131.188.4.190:20003, id=173,
> length=148
>         NAS-Port-Id = "2059/1"
>         Calling-Station-Id = "00-12-17-78-DD-58"
>         Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
>         Service-Type = Framed-User
>         EAP-Message = 0x0
>         User-Name = "anonymous"
>         NAS-Port-Type = Wireless-802.11
>         NAS-Identifier = "Trapeze"
>         NAS-IP-Address = 131.188.4.190
>         Message-Authenticator = 0x4
> Fri Nov 17 12:03:14 2006 : Debug:   Processing the authorize section of
> radiusd.conf
> Fri Nov 17 12:03:14 2006 : Debug: modcall: entering group authorize for
> request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling
> preprocess (rlm_preprocess) for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from
> preprocess (rlm_preprocess) for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module
> "preprocess" returns ok for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling
> auth_log (rlm_detail) for request 0
> Fri Nov 17 12:03:14 2006 : Debug: radius_xlat:
> '/var/log/radius/radacct/131.188.4.190/auth-detail-20061117'
> Fri Nov 17 12:03:14 2006 : Debug: rlm_detail:
> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
> to /var /log/radius/radacct/131.188.4.190/auth-detail-20061117
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from
> auth_log (rlm_detail) for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module
> "auth_log" returns ok for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling chap
> (rlm_chap) for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from
> chap (rlm_chap) for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module "chap"
> returns noop for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling mschap
> (rlm_mschap) for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from
> mschap (rlm_mschap) for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module "mschap"
> returns noop for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling eap
> (rlm_eap) for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   rlm_eap: EAP packet type response id
> 1 length 14
> Fri Nov 17 12:03:14 2006 : Debug:   rlm_eap: No EAP Start, assuming it's
> an on-going EAP conversation
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from
> eap (rlm_eap) for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module "eap"
> returns updated for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling files
> (rlm_files) for request 0
> Fri Nov 17 12:03:14 2006 : Debug:     users: Matched entry DEFAULT at
> line 157
> Fri Nov 17 12:03:14 2006 : Debug: radius_xlat:  'anonymous'
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from
> files (rlm_files) for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module "files"
> returns ok for request 0
> Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling ldap
> (rlm_ldap) for request 0
> Fri Nov 17 12:03:14 2006 : Debug: rlm_ldap: - authorize
> Fri Nov 17 12:03:14 2006 : Debug: rlm_ldap: performing user
> authorization for anonymous

Seems like the order in which the various modules get called is wrong. eap 
(and realm instances like suffix, if you use that) should be before ldap, is 
this the case? Posting the authorize {} and authenticate {} stanzas would 
certainly help.

And, lastly, did you set copy_request_to_tunnel in eap.conf? Don't, because 
then your real inner user name gets overwritten by the outer one.

Greetings,

Stefan Winter


-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
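To make the warning about the regex entry concrete, here is an added Python sketch (not code from this thread and not FreeRADIUS's own rlm_files) that mimics how the users file is matched: the first entry whose check items all hold wins, and any Auth-Type it carries is forced on the request. The two entries are the ones quoted from Florian's mail; the request dictionaries and the list of real user names are constructed.

```python
import re

# Constructed sample: the two entries quoted in the thread, in FreeRADIUS
# "users" syntax (check items on the first line, reply/control items indented).
USERS_FILE = '''
DEFAULT User-Name =~ "^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]$", Huntgroup-Name == WLAN
        Auth-Type := EAP
DEFAULT Auth-Type := pap, Huntgroup-Name == WLAN
'''

# attribute, operator, value (quoted string or bare word, comma-separated)
ITEM_RE = re.compile(r'(\S+?)\s*(=~|==|:=|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Return a list of (name, check_items, reply_items) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():                 # continuation: reply/control items
            entries[-1][2].extend(ITEM_RE.findall(line))
        else:                                 # new entry: name + check items
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ''
            entries.append((parts[0], ITEM_RE.findall(rest), []))
    return entries

def item_matches(op, want, have):
    """Evaluate one check item against the value present in the request."""
    want = want.strip('"')
    if op == '=~':
        return have is not None and re.search(want, have) is not None
    if op == '==':
        return have == want
    return True    # ':=' / '=' on the check line assign, they never fail a match

def first_match(entries, request):
    """First entry whose checks all hold wins; returns (name, forced items)."""
    for name, checks, reply in entries:
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        if all(item_matches(op, val, request.get(attr)) for attr, op, val in checks):
            forced = {a: v.strip('"') for a, op, v in checks + reply if op in (':=', '=')}
            return name, forced
    return None

def regex_collisions(entries, usernames):
    """Real user names that a DEFAULT User-Name regex entry would capture."""
    hits = set()
    for name, checks, _ in entries:
        for attr, op, val in checks:
            if name == 'DEFAULT' and attr == 'User-Name' and op == '=~':
                hits.update(u for u in usernames if re.search(val.strip('"'), u))
    return sorted(hits)
```

Running `first_match` for an inner user such as "florian" on the WLAN huntgroup shows the second entry forcing Auth-Type pap, and `regex_collisions` lists any real account whose name the anonymous regex would capture.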
