EAP/TTLS on LDAP with freeradius 2.0.1

Thierry CHICH thierry.chich at ac-clermont.fr
Wed Feb 6 16:53:05 CET 2008


On Wednesday 06 February 2008, Alan DeKok wrote:
> Thierry CHICH wrote:
> > With the previous release of freeradius 1.1.7, I could do the following
> > things:
> > - people with a correct outer identity and inner identity
> > (login/password) could be authorized and authenticated against an LDAP
> > server, using an EAP-TTLS tunnel, and obtain a WPA key.
> > - with the same radius server, I could authenticate people with EAP-PEAP
> > and mschapv2 on a sql database.
>
>   2.0.1 can do this, too.

I didn't really think it couldn't do that.

> > It was nice, but I had a small problem: accounting was done using the
> > outer identity. Since I was using the LDAP to do the authorization,
> > people who put another valid identity weren't correctly accounted.
>
>   In 2.0.1, see raddb/sites-available/inner-tunnel for comments &&
> configuration to fix this.  Or, the other reply to your message.
>
> > I always finished by :
> > rlm_eap_ttls: Session established.  Proceeding to decode tunneled
> > attributes. auth: No authenticate method (Auth-Type) configuration found
> > for the request: Rejecting the user
>
>   The most common cause for this is that you massively edited the
> configuration file without understanding what it was doing.  The simple
> answer is DON'T DO THAT.

I understand that very well. I think that "massively" is perhaps a little
bit exaggerated, but I had made a really stupid mistake. I located it
using kdiff3 (thanks to the developer, it is a great tool).

It is working better now that I really use inner-tunnel, instead of just
believing that I use it. Thanks to you.

However, the accounting is always done with the outer identity, even when
putting the:
	update outer.reply {
		User-Name = "%{request.User-Name}"
	}
in the post-auth of inner-tunnel. 
The
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
         User-Name := `%{User-Name}`,
         Fall-Through = yes
in the users conf file doesn't work any better.

I got: 

Login OK: [thierry.chich at ac-clermont.fr/xxxxxxxx] (from client ap-rectorat02 port 0)
+- entering group post-auth
        expand: %{request.User-Name} ->
++[outer.reply] returns noop
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [anonymous at ac-clermont.fr\000/<via Auth-Type = EAP>] (from client ap-rectorat02 port 1 cli 00-0E-35-71-04-0C)
Sending Access-Accept of id 27 to 172.30.87.66 port 4347
        User-Name = ""
        MS-MPPE-Recv-Key = 0xec76f1095e9ec08db58453397df1c7f6a38acc1bada412e45a538ff6da6b60a5
        MS-MPPE-Send-Key = 0xb66e7bc27988a1d193f3cdb520c29a8c4fd6c75b4b5e0b4aaf8da3bda7bff2e6
        EAP-Message = 0x031b0004
        Message-Authenticator = 0x00000000000000000000000000000000


Do you know why User-Name is empty?
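To check a radiusd -X capture for exactly this symptom (an inner "Login OK" whose identity never reaches the outer Access-Accept, so accounting falls back to the anonymous outer identity), here is an added Python example; it is not from this thread or the FreeRADIUS project, the sample log and identities in it are constructed, and it assumes the NAS accounts under the User-Name returned in the Accept when that is non-empty and under the outer identity otherwise.

```python
import re

# Constructed sample modelled on the radiusd -X excerpt quoted in the mail;
# identities are made up, and \000 mirrors the NUL echoed after the outer one.
SAMPLE_DEBUG = r"""Login OK: [alice@example.org/xxxxxxxx] (from client ap-1 port 0)
+- entering group post-auth
        expand: %{request.User-Name} ->
++[outer.reply] returns noop
  TTLS: Got tunneled Access-Accept
Login OK: [anonymous@example.org\000/<via Auth-Type = EAP>] (from client ap-1 port 1)
Sending Access-Accept of id 27 to 192.0.2.10 port 4347
        User-Name = ""
"""
LOGIN_RE = re.compile(r"^Login OK: \[([^/\]]+)/")
ACCEPT_RE = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+) port \d+")
USERNAME_RE = re.compile(r'^\s+User-Name\s*=\s*"(.*)"')


def audit_accepts(debug_text):
    """One record per outer Access-Accept: the first 'Login OK' since the previous
    Accept is the tunneled (inner) identity, the last one the outer identity.
    Assumption (from the thread): the NAS accounts under the User-Name in the
    Accept when it is non-empty, otherwise under the outer identity it sent."""
    findings, logins, current = [], [], None
    for line in debug_text.splitlines():
        if m := LOGIN_RE.match(line):
            logins.append(m.group(1).replace(r"\000", ""))
        elif m := ACCEPT_RE.match(line):
            current = {"id": int(m.group(1)), "nas": m.group(2),
                       "inner": logins[0] if logins else None,
                       "outer": logins[-1] if logins else None,
                       "sent_user_name": None}
            findings.append(current)
            logins = []
        elif current is not None:
            if m := USERNAME_RE.match(line):
                current["sent_user_name"] = m.group(1)
            elif not line[:1].isspace():
                current = None  # reply attribute list has ended
    for f in findings:
        f["accounting_identity"] = f["sent_user_name"] or f["outer"]
        f["inner_propagated"] = f["inner"] is not None and f["inner"] == f["accounting_identity"]
    return findings


if __name__ == "__main__":
    for f in audit_accepts(SAMPLE_DEBUG):
        print(f"Accept id {f['id']} to {f['nas']}: accounting identity "
              f"{f['accounting_identity']!r}, inner propagated: {f['inner_propagated']}")
```

Run it against a real debug capture by reading the file into `audit_accepts`; any record with `inner_propagated` False is a session that will be accounted under the outer identity.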