EAP Outer and Inner Tunnel Behaviour Discussion

Jacky Chan jackyc at wkg1.umac.mo
Tue Apr 7 06:54:55 CEST 2009



tnt-4 wrote:
> 
>>We are going to proxy EAP to another site with all freeradius (we are
>>using 2.1.4, another site using 1.x), but there are some interesting problems
>>that occurred, details are as follows:
>>
>>Our site only accepts the non-@domain format for inner EAP tunnel
>>authentication since the user DB only stores user names without suffix (as in
>>my previous post, the replier said that the EAP user name cannot be changed by
>>the terminal home server even using unlang or strip in proxy.conf, so I gave up
>>on changing the inner EAP user name in our terminal home radius).
>>
>>But the administrator of the other site which connects with us said that
>>their user names stored in file/DB are also without suffix but can use @domain
>>to pass the EAP/mschapv2 authentication with stripped-user-name. I'm not sure
>>how and why, but after testing, I can use anonymous at aaa.net as the user name
>>of the outer EAP tunnel and user1 at aaa.net as the user name of the inner EAP
>>tunnel to pass the authentication,
> 
> That's fine.
> 
>>and then I try to remove the suffix from inner EAP user
>>name or change the outer user name in client EAP supplicant
> 
> And why would you want to do a thing like that? Just leave it alone.
> 
> 

No, I just want to let our users use an anonymous account as the outer user
name for authentication to improve security, and use the true account for the
inner tunnel.


tnt-4 wrote:
> 
> 
>>(in our site
>>changing the outer user name is accepted; you can use any outer user name since
>>the proxy server only cares about the suffix), it fails, so what do you think
>>about how the user name is actually stored in the other site's DB, is it without
>>suffix or with it? But if it is all without suffix, why can't I log in with a
>>non-suffix user name in the inner EAP tunnel?
> 
> Why do you care what is stored on their database? It's none of your
> concern. You just proxy unaltered usernames to them.
> 
> 

Because the administrator said that their user names are all without suffix, I
want to set up a similar home radius to do the authentication with non-suffix
user names (test 3 shown below). But it fails, since if all accounts are
stored in file/DB without suffix just like user1, I cannot pass the
authentication with user1 at aaa.net in the inner tunnel, because I don't know (or
it is impossible) how to remove the suffix before doing the authentication. I
guess maybe they also store the user names with suffix in their DB/File.


tnt-4 wrote:
> 
> 
>>
>>And how can I remove the suffix in the inner EAP tunnel during authentication?
> 
> By using suffix module in freeradius (enabled by default). You just
> configure aaa.net as a local realm in proxy.conf.
> 

You mean add a realm in proxy.conf of the PROXY server OR of the home terminal
radius server?
As in the following configuration, it seems it should be applied on the home
radius server, right?
realm aaa.net {
      auth_pool = localhost
      # nostrip  (enable or not?)
}

The following are the results of my testing of outer tunnel and inner tunnel
authentication with my proxy and home radius server; I'm using
SecureW2_EAP_Suite_113 with PEAP/MSChapV2:

(1)
user name which stored in home radius file:  user2 at aaa.net
outer tunnel name: anybody at aaa.net OR @aaa.net OR anonymous at aaa.net
Inner tunnel name: user2 at aaa.net
result: passed

(2)
user name which stored in home radius file:  user2 at aaa.net
outer tunnel name: anybody at aaa.net OR @aaa.net OR anonymous at aaa.net
Inner tunnel name: user2
result: failed

(3)
user name which stored in home radius file:  user2
outer tunnel name: anybody at aaa.net OR @aaa.net OR anonymous at aaa.net
Inner tunnel name: user2 at aaa.net
result: failed

(4)
user name which stored in home radius file:  user2
outer tunnel name: anybody at aaa.net OR @aaa.net OR anonymous at aaa.net
Inner tunnel name: user2
result: passed

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-- 
View this message in context: http://www.nabble.com/EAP-Outer-and-Inner-Tunnel-Behaviour-Discussion-tp22901750p22922187.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
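The four test results in this message follow from which name the home server uses as the lookup key in the inner tunnel. The model below is an added illustration, not code from the thread or from FreeRADIUS itself: it mimics, in a simplified way, the `suffix` realm module (split User-Name at the last `@`, and if the realm is a configured local realm, set Stripped-User-Name unless `nostrip` is set) and the `files` module default key of `%{Stripped-User-Name:-%{User-Name}}`. The "at" in the archived names stands for "@". The users entries and password are constructed; the MS-CHAPv2 exchange itself is not modelled, only the user lookup that the four tests exercise.

```python
"""
Simplified model of username handling in the inner tunnel of a FreeRADIUS 2.x
home server, to explain why tests (1) and (4) pass and (2) and (3) fail, and
what a local realm with stripping would change. Illustrative only.
"""
from typing import Dict, Optional, Tuple

# Constructed sample "users" files: the same credential stored under the two
# name formats discussed in the thread.
USERS_WITH_SUFFIX = {"user2@aaa.net": "secret"}
USERS_NO_SUFFIX = {"user2": "secret"}

# The four inner-tunnel tests from the message: (users file, inner User-Name).
SCENARIOS = {
    1: (USERS_WITH_SUFFIX, "user2@aaa.net"),
    2: (USERS_WITH_SUFFIX, "user2"),
    3: (USERS_NO_SUFFIX, "user2@aaa.net"),
    4: (USERS_NO_SUFFIX, "user2"),
}


def suffix_module(user_name: str,
                  local_realms: Dict[str, bool]) -> Tuple[Optional[str], Optional[str]]:
    """Model of the 'suffix' realm module.

    local_realms maps a realm name to its nostrip flag (True = nostrip).
    Returns (Stripped-User-Name, Realm). Both are None when there is no '@'
    or the realm is not configured, i.e. User-Name is left untouched.
    """
    if "@" not in user_name:
        return None, None
    user, realm = user_name.rsplit("@", 1)
    realm = realm.lower()
    if realm not in local_realms:
        return None, None
    nostrip = local_realms[realm]
    return (None if nostrip else user), realm


def lookup_key(user_name: str, stripped: Optional[str]) -> str:
    """files module default key: %{Stripped-User-Name:-%{User-Name}}."""
    return stripped if stripped is not None else user_name


def inner_auth(users: Dict[str, str], inner_name: str, password: str,
               local_realms: Dict[str, bool]) -> bool:
    """True if the inner identity resolves to a users entry with that password."""
    stripped, _realm = suffix_module(inner_name, local_realms)
    key = lookup_key(inner_name, stripped)
    return users.get(key) == password


def run_scenarios(local_realms: Dict[str, bool]) -> Dict[int, bool]:
    """Run the four tests under a given realm configuration."""
    return {n: inner_auth(users, name, "secret", local_realms)
            for n, (users, name) in SCENARIOS.items()}


if __name__ == "__main__":
    # Home server with no realm configured for aaa.net (the thread's setup).
    print("no realm        :", run_scenarios({}))
    # realm aaa.net { auth_pool = localhost } with stripping (the default).
    print("realm, strip    :", run_scenarios({"aaa.net": False}))
    # realm aaa.net { nostrip } : User-Name reaches the lookup unchanged.
    print("realm, nostrip  :", run_scenarios({"aaa.net": True}))
```

With no realm configured, the lookup key is the inner User-Name as sent, so only the tests where the stored form matches the sent form pass (1 and 4). Adding `aaa.net` as a local realm with stripping makes test (3) pass and test (1) fail, because the key is now always the bare user part; `nostrip` restores the original behaviour. The realm stanza therefore belongs on the server that does the inner-tunnel lookup, and whether to strip must match the form in which that server's file/DB stores the names.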
