Problem with using inner User-Name in outgoing Access-Accept packet

Alex Sharaz alex.sharaz at york.ac.uk
Wed Jul 3 17:45:01 CEST 2019


Hi,

I’m having a bit of trouble with getting the inner-tunnel username to
appear in the outgoing Access-Accept packet.


Background info


FR 3.0.19

Collaboration with York City Council to provide eduroam in the city centre. As
auth and traffic come via us, we then need them to send appropriate accounting
info back to us, hence the need to pass back a valid username in the
Access-Accept instead of just an anonymous one.


Am using session-state to pass the inner User-Name back to the outer reply.


I’ve selectively enabled debugging at both the inner and outer level just
for auth requests that have an outer anonymous User-Name of @york.ac.uk
and an inner User-Name of <fred>@york.ac.uk. For those people that haven’t
configured their clients properly and have outer=inner=userid@york.ac.uk …
stuff works :-(


The long and short of it is I can either have the anonymous outer realm in the
Access-Accept User-Name or have both the outer and inner User-Names in the
Access-Accept packet, which is illegal.


What am I doing wrong?


Rgds

Alex



Outer processing as shown below


//////////////////////

#  Post-Authentication
#
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
	#
	# We might have to debug some traffic
	#
	if ( ("%{client:shortname}" == "yorkcc") && (User-Name == "@york.ac.uk") ) {
		update control {
			Tmp-String-2 := "%{debug:1}"
		}
	}

	#
	#  If you need to have a State attribute, you can
	#  add it here.  e.g. for later CoA-Request with
	#  State, and Service-Type = Authorize-Only.
	#
	# if (!&reply:State) {
	#	update reply {
	#		State := "0x%{randstr:16h}"
	#	}
	# }

	#
	#  For EAP-TTLS and PEAP, add the cached attributes to the reply.
	#  The "session-state" attributes are automatically cached when
	#  an Access-Challenge is sent, and automatically retrieved
	#  when an Access-Request is received.
	#
	#  The session-state attributes are automatically deleted after
	#  an Access-Reject or Access-Accept is sent.
	#
	#  If both session-state and reply contain a User-Name attribute, remove
	#  the one in the reply if it is just a copy of the one in the request, so
	#  we don't end up with two User-Name attributes.
	if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name) ) {
		update reply {
			User-Name !* ANY
		}
	}

	#	Just to make really sure
	update reply {
		User-Name !* ANY
	}

	#	if ( session-state:User-Name != "@york.ac.uk" && session-state:User-Name =~ /york.ac.uk$/i) {
	#		update reply {
	#			User-Name := session-state:User-Name
	#		}
	#	}
	#
	# So this should put the inner User-Name into the reply ... but it doesn't
	#
	update {
		&reply: += &session-state:
	}

	#  Get an address from the IP Pool.
	# main_pool

	#  Create the CUI value and add the attribute to Access-Accept.
	#  Uncomment the line below if *returning* the CUI.
	cui

	#  Create empty accounting session to make simultaneous check
	#  more robust. See the accounting queries configuration in
	#  raddb/mods-config/sql/main/*/queries.conf for details.
	#
	#  The "sql_session_start" policy is defined in
	#  raddb/policy.d/accounting.  See that file for more details.
	# sql_session_start

	#
	#  If you want to have a log of authentication replies,
	#  un-comment the following line, and enable the
	#  'detail reply_log' module.
	# reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in mods-available/sql

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
	# sql_log

	#
	#  Un-comment the following if you want to modify the user's object
	#  in LDAP after a successful login.
	#
	# ldap

	# For Exec-Program and Exec-Program-Wait
	exec

	#
	#  Calculate the various WiMAX keys.  In order for this to work,
	#  you will need to define the WiMAX NAI, usually via
	#
	# update request {
	#	WiMAX-MN-NAI = "%{User-Name}"
	# }
	#
	#  If you want various keys to be calculated, you will need to
	#  update the reply with "template" values.  The module will see
	#  this, and replace the template values with the correct ones
	#  taken from the cryptographic calculations.  e.g.
	#
	# update reply {
	#	WiMAX-FA-RK-Key = 0x00
	#	WiMAX-MSK = "%{EAP-MSK}"
	# }
	#
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
	#  as some WiMAX clients behave badly when those attributes
	#  are included.  See "raddb/modules/wimax", configuration
	#  entry "delete_mppe_keys" for more information.
	#
	# wimax

	#  If there is a client certificate (EAP-TLS, sometimes PEAP
	#  and TTLS), then some attributes are filled out after the
	#  certificate verification has been performed.  These fields
	#  MAY be available during the authentication, or they may be
	#  available only in the "post-auth" section.
	#
	#  The first set of attributes contains information about the
	#  issuing certificate which is being used.  The second
	#  contains information about the client certificate (if
	#  available).
	#
	# update reply {
	#	Reply-Message += "%{TLS-Cert-Serial}"
	#	Reply-Message += "%{TLS-Cert-Expiration}"
	#	Reply-Message += "%{TLS-Cert-Subject}"
	#	Reply-Message += "%{TLS-Cert-Issuer}"
	#	Reply-Message += "%{TLS-Cert-Common-Name}"
	#	Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
	#
	#	Reply-Message += "%{TLS-Client-Cert-Serial}"
	#	Reply-Message += "%{TLS-Client-Cert-Expiration}"
	#	Reply-Message += "%{TLS-Client-Cert-Subject}"
	#	Reply-Message += "%{TLS-Client-Cert-Issuer}"
	#	Reply-Message += "%{TLS-Client-Cert-Common-Name}"
	#	Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
	# }

	#  Insert class attribute (with unique value) into response,
	#  aids matching auth and acct records, and protects against duplicate
	#  Acct-Session-Id. Note: Only works if the NAS has implemented
	#  RFC 2865 behaviour for the class attribute, AND if the NAS
	#  supports long Class attributes.  Many older or cheap NASes
	#  only support 16-octet Class attributes.
	insert_acct_class

	#  MacSEC requires the use of EAP-Key-Name.  However, we don't
	#  want to send it for all EAP sessions.  Therefore, the EAP
	#  modules put required data into the EAP-Session-Id attribute.
	#  This attribute is never put into a request or reply packet.
	#
	#  Uncomment the next few lines to copy the required data into
	#  the EAP-Key-Name attribute
	# if (&reply:EAP-Session-Id) {
	#	update reply {
	#		EAP-Key-Name := &reply:EAP-Session-Id
	#	}
	# }

	#  Remove reply message if the response contains an EAP-Message
	remove_reply_message_if_eap

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	#  The "session-state" attributes are not available here.
	#
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
		if (User-Name != "cisco-probe") {
			detail-filebeat
			-sql
		}
		attr_filter.access_reject

		# Insert EAP-Failure message if the request was
		# rejected by policy instead of because of an
		# authentication failure
		eap

		#  Remove reply message if the response contains an EAP-Message
		remove_reply_message_if_eap
	}

	#
	#  Filter access challenges.
	#
	Post-Auth-Type Challenge {
		# remove_reply_message_if_eap
		# attr_filter.access_challenge.post-auth
	}
}

/////////////////////


The debugging in the radius log shows an EAP auth request with an
Access-Accept packet with a User-Name of @york.ac.uk, see below. If I
enabled auth_log I’d see the same thing.


Wed Jul  3 15:43:17 2019 : Debug: (924582) Virtual server inner-tunnel received request
Wed Jul  3 15:43:17 2019 : Debug: (924582)   EAP-Message = 0x020a00061a03
Wed Jul  3 15:43:17 2019 : Debug: (924582)   FreeRADIUS-Proxied-To = 127.0.0.1
Wed Jul  3 15:43:17 2019 : Debug: (924582)   User-Name = "em878@york.ac.uk"
Wed Jul  3 15:43:17 2019 : Debug: (924582)   State = 0xdcc2c059ddc8da2ddc351a9518782ae0
Wed Jul  3 15:43:17 2019 : Debug: (924582) server inner-tunnel {
Wed Jul  3 15:43:17 2019 : Debug: (924582)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
Wed Jul  3 15:43:17 2019 : Debug: (924582)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Wed Jul  3 15:43:17 2019 : Debug: (924582) eap: Expiring EAP session with state 0xcce8732ccce16987
Wed Jul  3 15:43:17 2019 : Debug: (924582) eap: Finished EAP session with state 0xdcc2c059ddc8da2d
Wed Jul  3 15:43:17 2019 : Debug: (924582) eap: Previous EAP request found for state 0xdcc2c059ddc8da2d, released from the list
Wed Jul  3 15:43:17 2019 : Debug: (924582)   # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
Wed Jul  3 15:43:17 2019 : Debug: (924582) sql: SQL query returned: success
Wed Jul  3 15:43:17 2019 : Debug: (924582) sql: 1 record(s) updated
Wed Jul  3 15:43:17 2019 : Auth: (924582)   Login OK: [em878@york.ac.uk] (from client yorkcc port 0 via TLS tunnel)
Wed Jul  3 15:43:17 2019 : Debug: (924582) } # server inner-tunnel
Wed Jul  3 15:43:17 2019 : Debug: (924582) Virtual server sending reply
Wed Jul  3 15:43:17 2019 : Debug: (924582)   Chargeable-User-Identity := 0x65323133646431353864366238373633383037396534656632373539383264386439363136623863
Wed Jul  3 15:43:17 2019 : Debug: (924582) eap: EAP session adding &reply:State = 0x6782f4146d89edcd
Wed Jul  3 15:43:17 2019 : Debug: (924582) # Executing group from file /etc/freeradius/sites-enabled/eduroam
Wed Jul  3 15:43:17 2019 : Debug: (924582)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
Wed Jul  3 15:43:17 2019 : Debug: (924582)   TLS-Session-Version = "TLS 1.2"
Wed Jul  3 15:43:17 2019 : Debug: (924582)   User-Name := "em878@york.ac.uk"
Wed Jul  3 15:43:17 2019 : Debug: (924582)   Chargeable-User-Identity += 0x65323133646431353864366238373633383037396534656632373539383264386439363136623863
Wed Jul  3 15:43:17 2019 : Debug: (924582) Sent Access-Challenge Id 77 from 144.32.129.2:1812 to 10.237.0.3:40803 length 0
Wed Jul  3 15:43:17 2019 : Debug: (924582)   EAP-Message = 0x010b002e1900170303002353ff18d19f60e380f99ac2de9f86b64211108cd7e8ba6fdf64afc0fb7c6e1638ad466f
Wed Jul  3 15:43:17 2019 : Debug: (924582)   Message-Authenticator = 0x00000000000000000000000000000000
Wed Jul  3 15:43:17 2019 : Debug: (924582)   State = 0x6782f4146d89edcd473492427f93e0e2
Wed Jul  3 15:43:17 2019 : Debug: (924583) # Executing group from file /etc/freeradius/sites-enabled/eduroam
Wed Jul  3 15:43:17 2019 : Debug: (924583) eap: Expiring EAP session with state 0xcce8732ccce16987
Wed Jul  3 15:43:17 2019 : Debug: (924583) eap: Finished EAP session with state 0x6782f4146d89edcd
Wed Jul  3 15:43:17 2019 : Debug: (924583) eap: Previous EAP request found for state 0x6782f4146d89edcd, released from the list
Wed Jul  3 15:43:17 2019 : Debug: (924583) # Executing section post-auth from file /etc/freeradius/sites-enabled/eduroam
Wed Jul  3 15:43:17 2019 : Debug: (924583) cuisql: SQL query returned: success
Wed Jul  3 15:43:17 2019 : Debug: (924583) cuisql: 0 record(s) updated
Wed Jul  3 15:43:17 2019 : Debug: (924583) cuisql: No additional queries configured
Wed Jul  3 15:43:17 2019 : Debug: (924583) sql: SQL query returned: success
Wed Jul  3 15:43:17 2019 : Debug: (924583) sql: 1 record(s) updated
Wed Jul  3 15:43:17 2019 : Auth: (924583) Login OK: [@york.ac.uk] (from client yorkcc port 32 cli A8-5C-2C-51-B6-93)
Wed Jul  3 15:43:17 2019 : Debug: (924583) Sent Access-Accept Id 78 from 144.32.129.2:1812 to 10.237.0.3:40803 length 0
Wed Jul  3 15:43:17 2019 : Debug: (924583)   MS-MPPE-Recv-Key = 0xdd0b78bdc3d590ab0f52b72a6249c0cb737d5be7ceab405265a8f60d6a9ce835
Wed Jul  3 15:43:17 2019 : Debug: (924583)   MS-MPPE-Send-Key = 0xa84727723cbe1877c2d43913627ccb09c3d960e4729ec04fec6f127bec384b70
Wed Jul  3 15:43:17 2019 : Debug: (924583)   EAP-Message = 0x030b0004
Wed Jul  3 15:43:17 2019 : Debug: (924583)   Message-Authenticator = 0x00000000000000000000000000000000
Wed Jul  3 15:43:17 2019 : Debug: (924583)   User-Name := "@york.ac.uk"
Wed Jul  3 15:43:17 2019 : Debug: (924583)   Chargeable-User-Identity += 0x65323133646431353864366238373633383037396534656632373539383264386439363136623863
Wed Jul  3 15:43:17 2019 : Debug: (924583)   Class = 0x656475726f616d312e796f726b2e61632e756b61693a3564333131653730306537613431663661643362343666323863646236313239


///////////


If I explicitly add the session-state User-Name value to the reply packet
by uncommenting the

#	if ( session-state:User-Name != "@york.ac.uk" && session-state:User-Name =~ /york.ac.uk$/i) {
#		update reply {
#			User-Name := session-state:User-Name
#		}
#	}

then what I get are two User-Names in the Access-Accept packet, both the
outer and the inner … see below


Wed Jul  3 16:13:26 2019 : Auth: (9706)   Login OK: [kp951@york.ac.uk] (from client yorkcc port 0 via TLS tunnel)
Wed Jul  3 16:13:26 2019 : Debug: (9706) } # server inner-tunnel
Wed Jul  3 16:13:26 2019 : Debug: (9706) Virtual server sending reply
Wed Jul  3 16:13:26 2019 : Debug: (9706)   Chargeable-User-Identity := 0x33386639326231363161646238323162336336646461313566373563316230326233323163643263
Wed Jul  3 16:13:26 2019 : Debug: (9706) eap: EAP session adding &reply:State = 0x4d9c1fde47970696
Wed Jul  3 16:13:26 2019 : Debug: (9706) # Executing group from file /etc/freeradius/sites-enabled/eduroam
Wed Jul  3 16:13:26 2019 : Debug: (9706)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
Wed Jul  3 16:13:26 2019 : Debug: (9706)   TLS-Session-Version = "TLS 1.2"
Wed Jul  3 16:13:26 2019 : Debug: (9706)   User-Name := "kp951@york.ac.uk"
Wed Jul  3 16:13:26 2019 : Debug: (9706)   Chargeable-User-Identity += 0x33386639326231363161646238323162336336646461313566373563316230326233323163643263
Wed Jul  3 16:13:26 2019 : Debug: (9706) Sent Access-Challenge Id 105 from 144.32.129.2:1812 to 10.237.0.3:35838 length 0
Wed Jul  3 16:13:26 2019 : Debug: (9706)   EAP-Message = 0x010b002e19001703030023ebc680c47273a6f5925d906f94c12e86f19d43045b2b2a030efd6968dc6e715679ca85
Wed Jul  3 16:13:26 2019 : Debug: (9706)   Message-Authenticator = 0x00000000000000000000000000000000
Wed Jul  3 16:13:26 2019 : Debug: (9706)   State = 0x4d9c1fde47970696b6b09be82cc57d97
Wed Jul  3 16:13:26 2019 : Debug: (9708) # Executing group from file /etc/freeradius/sites-enabled/eduroam
Wed Jul  3 16:13:26 2019 : Debug: (9708) eap: Expiring EAP session with state 0x2ce89ba92ce98291
Wed Jul  3 16:13:26 2019 : Debug: (9708) eap: Finished EAP session with state 0x4d9c1fde47970696
Wed Jul  3 16:13:26 2019 : Debug: (9708) eap: Previous EAP request found for state 0x4d9c1fde47970696, released from the list
Wed Jul  3 16:13:26 2019 : Debug: (9708) # Executing section post-auth from file /etc/freeradius/sites-enabled/eduroam
Wed Jul  3 16:13:26 2019 : Debug: (9708) cuisql: SQL query returned: success
Wed Jul  3 16:13:26 2019 : Debug: (9708) cuisql: 0 record(s) updated
Wed Jul  3 16:13:26 2019 : Debug: (9708) cuisql: No additional queries configured
Wed Jul  3 16:13:26 2019 : Debug: (9708) sql: SQL query returned: success
Wed Jul  3 16:13:26 2019 : Debug: (9708) sql: 1 record(s) updated
Wed Jul  3 16:13:26 2019 : Auth: (9708) Login OK: [@york.ac.uk] (from client yorkcc port 88 cli 24-18-1D-38-15-06)
Wed Jul  3 16:13:26 2019 : Debug: (9708) Sent Access-Accept Id 106 from 144.32.129.2:1812 to 10.237.0.3:35838 length 0
Wed Jul  3 16:13:26 2019 : Debug: (9708)   MS-MPPE-Recv-Key = 0xa2d4dd7ba73b43f9caa398ee2aec52ef4acb5568c70099a88582dd5a7ce79611
Wed Jul  3 16:13:26 2019 : Debug: (9708)   MS-MPPE-Send-Key = 0x60347e94d1057b1ad051aff95b77af98fa4b1d56088e3b73ce307e7ae9b0ffe6
Wed Jul  3 16:13:26 2019 : Debug: (9708)   EAP-Message = 0x030b0004
Wed Jul  3 16:13:26 2019 : Debug: (9708)   Message-Authenticator = 0x00000000000000000000000000000000
Wed Jul  3 16:13:26 2019 : Debug: (9708)   User-Name := "@york.ac.uk"
Wed Jul  3 16:13:26 2019 : Debug: (9708)   User-Name += "kp951@york.ac.uk"
Wed Jul  3 16:13:26 2019 : Debug: (9708)   Chargeable-User-Identity += 0x33386639326231363161646238323162336336646461313566373563316230326233323163643263
Wed Jul  3 16:13:26 2019 : Debug: (9708)   Class = 0x656475726f616d312e796f726b2e61632e756b61693a3839616465343166376130313464353535356464663466313739306565663432


More information about the Freeradius-Users mailing list