Tunneled-User-Name
Alexander Clouter
alex at digriz.org.uk
Mon Jul 11 17:24:37 CEST 2011
d.thembiliyagoda at lancaster.ac.uk wrote:
>
> I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius
> server. How can I get the tunnelled User-Name (User-Name used in inner
> authentication phase) using unlang in FreeRADIUS server? Now I can only
> get the User-Name used for the outer authentication (ex: anonymous).
>
PAP is easy, but MSCHAPv2 is typically EAP-MSCHAPv2 so you have a
double-inner in play. The best suggestion I have (after years of
tweaking it to be just right) is in your inner authorize use:
----
authorize {
    # copy the inner (tunnelled) User-Name up to the outer request
    update outer.request {
        User-Name := "%{request:User-Name}"
    }
    # and carry it in the reply list as well
    update reply {
        User-Name := "%{request:User-Name}"
    }
[snipped]
    # expose the inner Auth-Type to the outer layer too
    update reply {
        Auth-Type := "%{control:Auth-Type}"
    }
}
----
On the outer layer, you then use
'%{%{reply:User-Name}:-%{request:User-Name}}' to get the username. This
means you get the inner username for:
* PAP, MSCHAPv2 and EAP-MSCHAPv2 authentications
* when your inner server rejects the request (i.e. bad password) (this
is why you stuff the inner username into outer.request)
* TTLS/PEAP has the option of TLS cached sessions which is *good*,
doing things this way means you still get the inner name for
resumed sessions
As a bonus, the Auth-Type is extractable. If you use TLS cached
sessions, then this will be EAP.
Cheers
--
Alexander Clouter
.sigmonster says: It was Penguin lust... at its ugliest.
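The outer-layer side that the reply only describes in prose, as an added example that is not part of the original mail: it assumes FreeRADIUS 2.x unlang syntax (current in 2011), the inner-tunnel `authorize` block above, and the default outer server's `Post-Auth-Type REJECT` sub-section; `Stripped-User-Name` is just an assumed holding attribute for the resolved identity so that the logging modules that follow can use it.

```unlang
# sites-enabled/default (outer server), post-auth section
post-auth {
    # Prefer the tunnelled User-Name the inner server placed in the reply
    # (also present for TLS cached sessions); fall back to the outer,
    # possibly anonymous, identity if it is absent.
    update request {
        Stripped-User-Name := "%{%{reply:User-Name}:-%{request:User-Name}}"
    }
    # logging/accounting modules placed here can use %{Stripped-User-Name}
    # [existing modules, e.g. sql or detail, go here]

    Post-Auth-Type REJECT {
        # On a rejected inner authentication the reply may not carry
        # User-Name, but the inner 'update outer.request' has already
        # replaced the anonymous outer User-Name, so the fallback still
        # yields the real one for the reject log entry.
        update request {
            Stripped-User-Name := "%{%{reply:User-Name}:-%{request:User-Name}}"
        }
        # [existing reject handling, e.g. attr_filter.access_reject, goes here]
    }
}
```

Logging the resolved inner identity on rejects is what makes failed-password and brute-force attempts attributable to a real account rather than to "anonymous".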