Outer User-Name is not anonymized

Vieri rentorbuy at yahoo.com
Thu Dec 14 09:27:43 CET 2017


Hi,

I'd like to know why FR thinks that the outer User-Name is not anonymized when a Windows client connects with supposedly anonymized identity (blank or 'anon').
Is it because the domain part is always passed even if the user is blank?

Does it all rely on the filter_inner_identity function in policy.d?
If that's the case then this function expects @ as the user/domain separator. Windows clients send \ as the separator.
So I guess I can either ignore the warning or change the function.

(8) Received Access-Request Id 0 from 10.215.147.140:49154 to 10.215.144.91:1812 length 147
(8)   NAS-IP-Address = 10.215.147.140
(8)   NAS-Port-Type = Ethernet
(8)   NAS-Port = 43
(8)   User-Name = "DOMAIN\\"
(8)   State = 0x8f4c1991884500fd085fc9de274e79da
(8)   Calling-Station-Id = "DC-4A-3E-06-11-46"
[...]
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "DOMAIN\", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) ntdomain: Checking for prefix before "\"
(8) ntdomain: Looking up realm "DOMAIN" for User-Name = "DOMAIN\"
(8) ntdomain: No such realm "DOMAIN"
(8)     [ntdomain] = noop
(8)     [expiration] = noop
(8)     [logintime] = noop
(8)   } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x052a3c3004232630
(8) eap: Finished EAP session with state 0x8f4c1991884500fd
(8) eap: Previous EAP request found for state 0x8f4c1991884500fd, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap: Setting User-Name to DOMAIN\adminpc
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x020900061a03
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "DOMAIN\\adminpc"
(8) eap_peap:   State = 0x052a3c3004232630e22377547b424230
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x020900061a03
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "DOMAIN\\adminpc"
(8)   State = 0x052a3c3004232630e22377547b424230
(8) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.

Thanks,

Vieri
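As an added illustration of the question above (example code written for this page, not the poster's configuration nor FreeRADIUS's own policy.d code; the function names and the `ANONYMOUS_USERS` set are assumptions), here is a Python model of an outer-identity check that understands both the RFC 4282 `user@realm` form and the Windows `DOMAIN\user` form, beside an `@`-only variant that models the poster's guess about why `DOMAIN\` gets flagged. The sample identities are constructed from the values visible in the debug output.

```python
"""Classify a RADIUS outer (EAP phase 1) User-Name as anonymized or not.

Hypothetical model of the check discussed in the post, written for this
page; it is not FreeRADIUS code and does not claim to mirror policy.d.
"""
from typing import NamedTuple, Optional

# Assumed set of user parts that count as anonymous; the post mentions a
# blank user and 'anon', 'anonymous' is added as a common NAI convention.
ANONYMOUS_USERS = {"", "anon", "anonymous"}


class Identity(NamedTuple):
    user: str
    realm: Optional[str]      # realm (after '@') or NT domain (before '\')
    separator: Optional[str]  # "@", "\\" or None


def split_identity(user_name: str) -> Identity:
    """Split an identity into user and realm/domain parts.

    The NT prefix form is checked first: a 'DOMAIN\\user' string has its
    user part after the backslash, whatever else it contains.
    """
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return Identity(user=user, realm=domain or None, separator="\\")
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return Identity(user=user, realm=realm or None, separator="@")
    return Identity(user=user_name, realm=None, separator=None)


def is_anonymized(user_name: str) -> bool:
    """True when the user part reveals nothing, whichever separator is used.

    A non-empty realm or domain is fine: it is needed for routing and does
    not by itself identify the person behind the request.
    """
    return split_identity(user_name).user.lower() in ANONYMOUS_USERS


def is_anonymized_at_only(user_name: str) -> bool:
    """Model of a check that only knows the '@' separator (the poster's guess).

    'DOMAIN\\' has no '@', so the whole string is taken as the user part and
    the identity is reported as not anonymized even though no user is present.
    """
    user = user_name.rsplit("@", 1)[0] if "@" in user_name else user_name
    return user.lower() in ANONYMOUS_USERS


def check_outer_identity(outer: str, inner: str) -> str:
    """One-line verdict in the spirit of the warning seen in the debug log."""
    if is_anonymized(outer):
        return "ok: outer identity %r hides the user part" % outer
    if split_identity(outer).user == split_identity(inner).user:
        return "warning: outer identity %r exposes the inner user" % outer
    return "warning: outer identity %r is not anonymized" % outer


if __name__ == "__main__":
    # Constructed samples: the outer/inner pair from the log plus NAI forms.
    samples = [("DOMAIN\\", "DOMAIN\\adminpc"),
               ("DOMAIN\\adminpc", "DOMAIN\\adminpc"),
               ("@example.org", "bob@example.org"),
               ("anonymous@example.org", "bob@example.org"),
               ("bob@example.org", "bob@example.org")]
    for outer, inner in samples:
        print("%-24s separator-aware=%-5s at-only=%-5s %s" % (
            outer, is_anonymized(outer), is_anonymized_at_only(outer),
            check_outer_identity(outer, inner)))
```

Run it to see that `DOMAIN\` is accepted by the separator-aware check but rejected by the `@`-only one, while `DOMAIN\adminpc` as an outer identity is flagged by both, which is the distinction the poster is asking about.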

