FreeRadius unauthorized access

Alan DeKok aland at deployingradius.com
Sat Feb 1 19:54:52 CET 2014


Mike Diggins wrote:
> A "normal" authentication looks like this:
> Jan 31 17:43:08 rad01 radiusd[702]: Login OK: [justme] (from client
> wlc-6 port 0 via TLS tunnel)
> Jan 31 17:43:08 rad01 radiusd[702]: Login OK: [justme] (from client
> wlc-6 port 13 cli xx-xx-xx-xx-xx-xx)
> 
> So these odd looking ones are missing the "TLS tunnel" line and
> apparently that is the inner tunnel - the one sent to AD for
> authentication, correct?

  Yes.  The two lines above are the same user, inner + outer tunnel.

> If the outer identity name is not valid then why does FR log "Login OK"?

  Because the inner tunnel authenticated the user.  The name in the
outer tunnel is informative.  It's not really used without the other.

> and under what situation would I see one without the other?

  You won't.  Where the user is authenticated via PEAP, you should
ALWAYS see two "Login OK" lines.  However, the names may be different.

> Is it possible to set the inner/outer identity to be different just
> using a regular client OS?

  Yes.

  Alan DeKok.
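
The pairing rule described in the reply above can be checked mechanically over radiusd logs. This is an added example, not part of the original thread and not FreeRADIUS code: it pairs each inner-tunnel "Login OK" with the outer line that follows from the same client, then reports pairs whose identities differ and outer lines that have no inner line. The log lines are constructed, and the function name, the 5-second pairing window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in the format quoted above (users, clients and MACs are made up).
SAMPLE_LOG = """\
Jan 31 17:43:08 rad01 radiusd[702]: Login OK: [justme] (from client wlc-6 port 0 via TLS tunnel)
Jan 31 17:43:08 rad01 radiusd[702]: Login OK: [justme] (from client wlc-6 port 13 cli 00-11-22-33-44-55)
Jan 31 17:44:10 rad01 radiusd[702]: Login OK: [alice] (from client wlc-6 port 0 via TLS tunnel)
Jan 31 17:44:10 rad01 radiusd[702]: Login OK: [anonymous] (from client wlc-6 port 13 cli 00-11-22-33-44-66)
Jan 31 17:45:30 rad01 radiusd[702]: Login OK: [ghost] (from client wlc-7 port 13 cli 00-11-22-33-44-77)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ radiusd\[\d+\]: Login OK: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port \d+(?P<rest>[^)]*)\)")

def correlate(log_text, window_seconds=5, year=2014):
    """Pair each inner-tunnel "Login OK" with the outer line that follows it.

    Returns (mismatched, unpaired): pairs whose inner and outer identities
    differ, and outer lines with no inner line from the same client within
    window_seconds (the window and the year are assumptions of this example).
    """
    pending = {}   # client -> list of (time, inner identity) awaiting an outer line
    mismatched, unpaired = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user, client = m["user"], m["client"]
        if "via TLS tunnel" in m["rest"]:
            pending.setdefault(client, []).append((when, user))
            continue
        # Outer line: drop stale inner entries, then take the oldest remaining.
        queue = [p for p in pending.get(client, [])
                 if when - p[0] <= timedelta(seconds=window_seconds)]
        if queue:
            _, inner_user = queue.pop(0)
            if inner_user != user:
                mismatched.append({"inner": inner_user, "outer": user, "client": client})
        else:
            unpaired.append({"outer": user, "client": client})
        pending[client] = queue
    return mismatched, unpaired

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

An entry in `unpaired` means the login did not show the two-line PEAP pattern within the window, so it is worth checking which authentication method accepted it.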

