inner vs outer User-Name

Kenneth Grady klg at lanl.gov
Mon Feb 8 23:12:36 CET 2010


Is there any way to authorize a user using the inner-tunnel User-Name 
and not the outer?

I get an outer User-Name of anonymous and a reject when searching for 
authorized users in an ldap group.
If they convolute the configuration for the device with an outer 
User-Name of a person in the ldap group, it authorizes them, and they 
can authenticate using Kerberos.

Mon Feb  8 12:53:21 2010
        Packet-Type = Access-Request
        User-Name = "anonymous"
...
Mon Feb  8 12:53:21 2010
        Packet-Type = Access-Accept
        Reply-Message = "case WAREHOUSE"
        Reply-Message = "not authorized for mygroup"
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "duser"
...

Mon Feb  8 14:08:11 2010
        Packet-Type = Access-Request
        User-Name = "duser"
...
Mon Feb  8 14:08:11 2010
        Packet-Type = Access-Accept
        Reply-Message = "case WAREHOUSE"
        Reply-Message = "Warehouse mygroup"
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "duser"

/etc/raddb/sites-available/default
...
        case "WAREHOUSE" {
                update reply {
                        Reply-Message += "case WAREHOUSE"
                }
                # EMPLOYEE {    # need to use the inner-tunnel User-Name
                # }
                # This block runs in the outer (default) server, so User-Name
                # here is the outer identity ("anonymous"), not the tunneled one.
                if (EMPLOYEE-Ldap-Group == "mygroup") {
                        update reply {
                                Reply-Message += "Warehouse mygroup"
                        }
                }
                else {
                        update reply {
                                Reply-Message += "not authorized for mygroup"
                        }
                        # "config" is the pre-2.0 name of the "control" list;
                        # both are accepted in 2.x.
                        # update config {
                        #         Auth-Type := Reject
                        # }
                }
        }
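For contrast, the following is an added example (not from the post above and not stock FreeRADIUS configuration) of doing the same group check where the tunneled identity is actually visible: in the inner-tunnel virtual server that eap.conf selects for PEAP/TTLS with virtual_server = inner-tunnel. It assumes FreeRADIUS 2.x and an rlm_ldap instance named EMPLOYEE, as the EMPLOYEE-Ldap-Group check in the posted config implies; the Reply-Message strings are the ones from the post.

```unlang
# /etc/raddb/sites-available/inner-tunnel  (example excerpt, added here;
# assumes an rlm_ldap instance named EMPLOYEE and FreeRADIUS 2.x)
server inner-tunnel {
        authorize {
                # Inside the tunnel, User-Name is the identity the supplicant
                # sent in the inner EAP method ("duser"), not the outer
                # "anonymous", so the LDAP group compare sees the real user.
                if (EMPLOYEE-Ldap-Group == "mygroup") {
                        update reply {
                                Reply-Message += "Warehouse mygroup"
                        }
                }
                else {
                        update reply {
                                Reply-Message += "not authorized for mygroup"
                        }
                        # Rejecting the inner request fails the inner EAP
                        # method, and with it the outer Access-Request.
                        update control {
                                Auth-Type := Reject
                        }
                }

                # The stock inner-tunnel module calls (eap, files, pap, ...)
                # follow here unchanged.
                eap
        }

        post-auth {
                # Optional: expose the tunneled identity on the outer reply so
                # the NAS and the outer log show "duser" instead of "anonymous".
                # (eap.conf's use_tunneled_reply = yes copies the whole inner
                # reply to the outer one and makes this unnecessary.)
                update outer.reply {
                        User-Name := "%{User-Name}"
                }
        }
}
```

With the check moved here, the WAREHOUSE case in the outer default server should no longer compare EMPLOYEE-Ldap-Group, since its User-Name is "anonymous" for every tunneled login and the compare would reject every time. The inner check only helps when the supplicant actually sends the real identity inside the tunnel; a client configured with the same anonymous name inside and out still gets rejected, which is the correct outcome.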




More information about the Freeradius-Users mailing list