EAP-TLS User-Name not matching

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Sun Jan 17 21:33:18 CET 2010


Hi,

> First off, forgive me if this has been asked before on this list (I did do a search first, yet no results proved useful).
> 
> I am on a fact finding mission to see whether freeradius is going to be feasible to deploy in my environment (~50 users over ~40 windows and linux desktops). On a test network I have configured an Ubuntu 9.10 Server with a patched freeradius that has openssl (oh what fun that was to build).

err, well, in that case the answer is yes. Hundreds of Universities across Europe
have installed FreeRADIUS to handle 802.1X authentication, wired/wireless, of their clients.
At our site alone we have over 3000 clients per day authenticating against FR, with
concurrent usage being around 1200 wireless and 500 wired... with the remaining
systems that aren't yet configured STILL using FreeRADIUS for captive portal
authentication and VMPS (and MAC auth bypass now).  Heck... for around 50 machines
you even have the ability to just configure the clients by hand - even use EAP-TLS,
whereas for bigger numbers... the issue isn't FR - it's the rollout or deployment
of the required configuration.

> rad_recv: Access-Request packet from host 192.168.1.1 port 3079, id=0, length=145
>     User-Name = "user@example.com"
>     NAS-IP-Address = 192.168.1.1

cool. incoming request from NAS

> [suffix] Looking up realm "example.com" for User-Name = "user@example.com"
> [suffix] Found realm "example.com"
> [suffix] Adding Stripped-User-Name = "user"
> [suffix] Adding Realm = "example.com"
> [suffix] Proxying request from user user to realm example.com
> [suffix] Preparing to proxy authentication request to realm "example.com"
> ++[suffix] returns updated
> [eap] Request is supposed to be proxied to Realm example.com.  Not doing EAP.

hmm. okay

> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}

okay. EAP user-name doesn't match the original identity... and no user found either.

2 things you need to ensure:

1) in proxy.conf you have 'nostrip' defined for example.com

2) in the users file you include the details for the user 'user', e.g.

user Cleartext-Password := "password"


alan
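The two settings the reply asks for, written out in FreeRADIUS 2.x proxy.conf and users syntax. This is an added example, not text from the original mail or a file shipped with FreeRADIUS: the home_server address, shared secret and pool name are placeholders, and the auth_pool line is included only because the debug output shows the request being proxied to the realm; a realm block with no auth_pool is handled locally, so drop that line if example.com is meant to be authenticated on this server.

```conf
# proxy.conf (added example; addresses, secret and pool name are placeholders)
home_server example_com_home {
        type    = auth
        ipaddr  = 192.0.2.10        # placeholder: the server the realm proxies to
        port    = 1812
        secret  = CHANGE_ME         # placeholder shared secret
}

home_server_pool example_com_pool {
        type        = fail-over
        home_server = example_com_home
}

realm example.com {
        auth_pool = example_com_pool   # omit if example.com is handled locally
        # Keep User-Name as "user@example.com" rather than replacing it with
        # the realm-stripped form, so the EAP Identity and User-Name still agree.
        nostrip
}

# users (entry for the user "user", as asked for in the reply)
user    Cleartext-Password := "password"
```

After editing, restart the daemon in debug mode (radiusd -X) and repeat the authentication: the "[eap] Identity does not match User-Name" line from the quoted output is the symptom these two changes are meant to remove.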


