Outer vs. inner ID in Login OK messages

Martin Pauly pauly at hrz.uni-marburg.de
Wed Jan 23 16:08:12 CET 2019


Hi,

I have a question about the "Login OK" messages in radius.log.
We offer both PEAP/MS-CHAPv2 and EAP-TTLS/PAP to our clients.
Server is FR 3.0.17 on Debian. Upon successful authentication,
the outer and inner virtual server each append a Login OK
message to radius.log - so far, so good.
Assume the outer id is set to eduroam at staff.uni-marburg.de.
With PEAP, I get
Wed Jan 23 15:43:45 2019 : Auth: (4903823)   Login OK: [pauly1] (from client wlc3 port 13 cli 20:64:32:00:00:01 via TLS tunnel)
Wed Jan 23 15:43:45 2019 : Auth: (4903824) Login OK: [eduroam at staff.uni-marburg.de] (from client wlc3 port 13 cli 20:64:32:00:00:01)

With EAP-TTLS/PAP, I get
Wed Jan 23 15:42:52 2019 : Auth: (4902040)   Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:00:00:01 via TLS tunnel)
Wed Jan 23 15:42:52 2019 : Auth: (4902040) Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:00:00:01)

So it would seem that in the latter case the outer server still logs the inner id.
Is this normal default behavior? Logging the outer id consistently would be really helpful in our case
as we use it to trigger a different certificate to be presented to the client.

In the post-auth sections of the virtual servers I have:
----------------- sites-available/default --------------
post-auth {
        ...
        update {
                &reply: += &session-state:
        }
}
----------------------------------------------------------

-------------- sites-available/inner-tunnel --------------
post-auth {
        ...
        update {
                &outer.session-state: += &reply:
                &outer.request:User-Name := &User-Name
        }
}
----------------------------------------------------------


The debug log does not tell me much in either case, here are the respective post-auth snippets (can provide full if needed):

PEAP/MS-CHAPv2:
(18)   # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
(18)     post-auth {
(18)       update {
(18)         &outer.session-state::Airespace-Interface-Name += &reply:Airespace-Interface-Name[*] -> 'edu_staff_nat'
(18)         &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> 802
(18)         &outer.session-state::MS-MPPE-Encryption-Policy += &reply:MS-MPPE-Encryption-Policy[*] -> Encryption-Allowed
(18)         &outer.session-state::MS-MPPE-Encryption-Types += &reply:MS-MPPE-Encryption-Types[*] -> RC4-40or128-bit-Allowed
(18)         &outer.session-state::MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key[*] -> 0xb7ea5ac23b2680523f909d667460c17d
(18)         &outer.session-state::MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key[*] -> 0x2c8284d442c7f3d635501c3df519b1ec
(18)         &outer.session-state::EAP-Message += &reply:EAP-Message[*] -> 0x030e0004
(18)         &outer.session-state::Message-Authenticator += &reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000
(18)         &outer.session-state::User-Name += &reply:User-Name[*] -> 'pauly1 at staff.uni-marburg.de'
(18)         &outer.request:User-Name := &User-Name -> 'pauly1 at staff.uni-marburg.de'
(18)       } # update = noop
(18)       update outer.session-state {
(18)         MS-MPPE-Encryption-Policy !* ANY
(18)         MS-MPPE-Encryption-Types !* ANY
(18)         MS-MPPE-Send-Key !* ANY
(18)         MS-MPPE-Recv-Key !* ANY
(18)         Message-Authenticator !* ANY
(18)         EAP-Message !* ANY
(18)         Proxy-State !* ANY
(18)       } # update outer.session-state = noop
(18)     } # post-auth = noop
(18)   Login OK: [pauly1 at staff.uni-marburg.de] (from client rst2 port 13 cli 4c:34:88:e0:aa:42 via TLS tunnel)
(18) } # server inner-tunnel

(19) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(19)   post-auth {
(19)     update {
(19)       &reply::Airespace-Interface-Name += &session-state:Airespace-Interface-Name[*] -> 'edu_staff_nat'
(19)       &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] -> 802
(19)       &reply::User-Name += &session-state:User-Name[*] -> 'pauly1 at staff.uni-marburg.de'
(19)     } # update = noop
(19)     [exec] = noop
(19)     policy remove_reply_message_if_eap {
(19)       if (&reply:EAP-Message && &reply:Reply-Message) {
(19)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(19)       else {
(19)         [noop] = noop
(19)       } # else = noop
(19)     } # policy remove_reply_message_if_eap = noop
(19)   } # post-auth = noop
(19) Login OK: [eduroam at staff.uni-marburg.de] (from client rst2 port 13 cli 4c:34:88:e0:aa:42)


EAP-TTLS/PAP:
(231)   # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
(231)     post-auth {
(231)       update {
(231)         &outer.session-state::Airespace-Interface-Name += &reply:Airespace-Interface-Name[*] -> 'edu_staff_nat'
(231)         &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> 802
(231)         &outer.request:User-Name := &User-Name -> 'pauly1'
(231)       } # update = noop
(231)       update outer.session-state {
(231)         MS-MPPE-Encryption-Policy !* ANY
(231)         MS-MPPE-Encryption-Types !* ANY
(231)         MS-MPPE-Send-Key !* ANY
(231)         MS-MPPE-Recv-Key !* ANY
(231)         Message-Authenticator !* ANY
(231)         EAP-Message !* ANY
(231)         Proxy-State !* ANY
(231)       } # update outer.session-state = noop
(231)     } # post-auth = noop
(231)   Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:3f:80:ef via TLS tunnel)
(231) } # server inner-tunnel

(231) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(231)   post-auth {
(231)     update {
(231)       &reply::Airespace-Interface-Name += &session-state:Airespace-Interface-Name[*] -> 'edu_staff_nat'
(231)       &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] -> 802
(231)     } # update = noop
(231)     [exec] = noop
(231)     policy remove_reply_message_if_eap {
(231)       if (&reply:EAP-Message && &reply:Reply-Message) {
(231)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(231)       else {
(231)         [noop] = noop
(231)       } # else = noop
(231)     } # policy remove_reply_message_if_eap = noop
(231)   } # post-auth = noop
(231) Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:3f:80:ef)


Any ideas?

TIA, Martin

-- 
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
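As an added check (not part of Martin's post or of FreeRADIUS itself), a small Python script that pairs the inner ("via TLS tunnel") and outer Login OK lines in radius.log and flags sessions where the outer line carries the inner identity, the EAP-TTLS/PAP behaviour described above. The sample lines are constructed from the post's excerpts, with the list archive's " at " written back as "@"; client names, MACs and request ids are illustrative.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the radius.log excerpts in the post (not real data).
SAMPLE_LOG = """\
Wed Jan 23 15:43:45 2019 : Auth: (4903823)   Login OK: [pauly1] (from client wlc3 port 13 cli 20:64:32:00:00:01 via TLS tunnel)
Wed Jan 23 15:43:45 2019 : Auth: (4903824) Login OK: [eduroam@staff.uni-marburg.de] (from client wlc3 port 13 cli 20:64:32:00:00:01)
Wed Jan 23 15:42:52 2019 : Auth: (4902040)   Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:00:00:01 via TLS tunnel)
Wed Jan 23 15:42:52 2019 : Auth: (4902040) Login OK: [pauly1] (from client rst2 port 13 cli 20:64:32:00:00:01)
"""

# One FreeRADIUS 3.0 'Login OK' line; 'via TLS tunnel' marks the inner-tunnel server's entry.
LOGIN_OK = re.compile(
    r"^(?P<ts>.+?) : Auth: \((?P<rid>\d+)\)\s+Login OK: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>[^\s)]+)"
    r"(?P<tunnel> via TLS tunnel)?\)$"
)

@dataclass
class LoginPair:
    client: str
    cli: str
    inner_user: str
    outer_user: str

def parse_login_ok(line):
    """Fields of one 'Login OK' line, or None for any other line."""
    m = LOGIN_OK.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def pair_logins(log_text):
    """Pair each inner (tunnelled) Login OK with the outer one that follows it for the
    same NAS, port and calling station. The request id is not a usable key: in the
    post it is equal for TTLS but differs by one for PEAP."""
    pending, pairs = {}, []
    for line in log_text.splitlines():
        rec = parse_login_ok(line)
        if rec is None:
            continue
        key = (rec["client"], rec["port"], rec["cli"])
        if rec["tunnel"]:
            pending[key] = rec["user"]
        elif key in pending:
            pairs.append(LoginPair(rec["client"], rec["cli"], pending.pop(key), rec["user"]))
    return pairs

def outer_shows_inner_id(pairs):
    """Sessions where the outer server logged the inner identity instead of the outer one."""
    return [p for p in pairs if p.outer_user == p.inner_user]
```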
