Hi List, FreeRADIUS Version 2.1.12 It has been brought to my attention that my FreeRadius servers are responding to proxied requests from eduroam without the suffix portion of the user name. This is causing accounting issues for other institutions. In inner-tunnel, I have tried to add: post-auth { update outer.reply { User-Name = "%{request:User-Name}" } } I also have use_tunneled_reply = yes in eap.conf I see the Access-Accept messages going out, without the suffix: Sending Access-Accept of id 62 to 142.231.112.1 port 53243 MS-MPPE-Recv-Key = 0xd720476081b3ec7b8f7529a32f4c2c06f786a2c39aa888c7f157784db7673b47 MS-MPPE-Send-Key = 0x593de7fcae5ba512dec5d348b4500dea9ba73044c2c68ee661f7214a073377dd EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user1" Proxy-State = 0x4f53432d457874656e6465642d49643d3138323338 What I want to see is: Sending Access-Accept of id 62 to 142.231.112.1 port 53243 MS-MPPE-Recv-Key = 0xd720476081b3ec7b8f7529a32f4c2c06f786a2c39aa888c7f157784db7673b47 MS-MPPE-Send-Key = 0x593de7fcae5ba512dec5d348b4500dea9ba73044c2c68ee661f7214a073377dd EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user1@realm.com" Proxy-State = 0x4f53432d457874656e6465642d49643d3138323338 What am I missing? Thanks, Dave
Hi David, Le 12/08/2015 17:02, David Aldwinckle a écrit :
FreeRADIUS Version 2.1.12
It has been brought to my attention that my FreeRadius servers are responding to proxied requests from eduroam without the suffix portion of the user name. This is causing accounting issues for other institutions.
In inner-tunnel, I have tried to add:
post-auth { update outer.reply { User-Name = "%{request:User-Name}" } }
I also have use_tunneled_reply = yes in eap.conf
I have the same version of freeradius (because Ubuntu 14.04...). To achieve what you want, I put in the file sites-enables/default (wich is a link to the file in sites-available), inside the section authorize : # We reject login without realm (to force users to put the realm, even locally) if ( request:Realm == NULL ) { update reply { Reply-Message := "Username should be in the format username@domain" } reject } In my case, it works. Best Regards, Alain -- Administrateur Système/Réseau Laboratoire de Photonique et Nanostructures (LPN/CNRS - UPR20) Centre de Recherche Alcatel Data IV - Marcoussis route de Nozay - 91460 Marcoussis Tel : 01-69-63-61-34
Hi,
I have the same version of freeradius (because Ubuntu 14.04...). To achieve what you want, I put in the file sites-enables/default (wich is a link to the file in sites-available), inside the section authorize :
# We reject login without realm (to force users to put the realm, even locally) if ( request:Realm == NULL ) { update reply { Reply-Message := "Username should be in the format username@domain" } reject }
these are users login in at another site - so they have to have a realm or they wouldnt get back to their home site. already replied to the issue of how this might be acheived for the reply field. however, for what you propose, you are better off using a policy in policy.conf that does multiple checks for a valid name (including having a "@") - this is effective, scalable and ensures ou have a single defined policy for any V-S you may have and ALSO gets you more ready for 3.x :-) alan
Hi Alan, Le 12/08/2015 17:46, A.L.M.Buxey@lboro.ac.uk a écrit :
however, for what you propose, you are better off using a policy in policy.conf that does multiple checks for a valid name (including having a "@") - this is effective, scalable and ensures ou have a single defined policy for any V-S you may have and ALSO gets you more ready for 3.x:-)
I forgot to answer, but thanks for the advice. I plan to upgrade to 3.x when it is available in Ubuntu LTS (16.04). There is already this policy in the file : # Forbid all attempts to login via realms. # deny_realms { if (User-Name =~ /@|\\/) { reject } } So I suppose it would be the opposite, but requesting another regex... Thanks, Alain -- Administrateur Système/Réseau Laboratoire de Photonique et Nanostructures (LPN/CNRS - UPR20) Centre de Recherche Alcatel Data IV - Marcoussis route de Nozay - 91460 Marcoussis Tel : 01-69-63-61-34
Hi, On Thu, Aug 13, 2015 at 06:19:57PM +0200, Alain Péan wrote:
I forgot to answer, but thanks for the advice. I plan to upgrade to 3.x when it is available in Ubuntu LTS (16.04).
It already is... http://wiki.freeradius.org/building/Build#Building-Debian-packages Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
FreeRADIUS Version 2.1.12
first advice - upgrade to at least 2.2.9
It has been brought to my attention that my FreeRadius servers are responding to proxied requests from eduroam without the suffix portion of the user name. This is causing accounting issues for other institutions.
yep.... but the code you have added would do something worse and expose the real inner user-name of the user, therefore totally destroying the point of anonymous outerid and revealing who they really are to the site they are at. breaking privacy/anonymity. IF their outer-id already has their details eg user1@realm.com - then you can reply with that...but if their outerid is just annymous@realm.com or just @realm.com then you need to reply with that in the outer-id
I see the Access-Accept messages going out, without the suffix:
Sending Access-Accept of id 62 to 142.231.112.1 port 53243 MS-MPPE-Recv-Key = 0xd720476081b3ec7b8f7529a32f4c2c06f786a2c39aa888c7f157784db7673b47 MS-MPPE-Send-Key = 0x593de7fcae5ba512dec5d348b4500dea9ba73044c2c68ee661f7214a073377dd EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user1" Proxy-State = 0x4f53432d457874656e6465642d49643d3138323338
probably because in the inner-id they only have their username without the realm anyway? update the reply in outer-id post-auth - looking at original request there...and ensuring you dont break what they as users chose to have configured alan
Hi Alan, Thanks for the advice. I know the version is a little old. I am waiting for 3.1 final before doing an overhaul. Our clients are instructed to use their real userid as the outer and inner ID. I wasn't really clear on your final suggestion. I interpreted it as follows: in sites-enabled/default add post-auth { ... update reply { User-Name = "%{outer.request:User-Name}" } ... } That did not have the desired effect. Did I misunderstand? Thanks, Dave On Wed, 2015-08-12 at 15:41 +0000, A.L.M.Buxey@lboro.ac.uk wrote: Hi,
FreeRADIUS Version 2.1.12
first advice - upgrade to at least 2.2.9
It has been brought to my attention that my FreeRadius servers are responding to proxied requests from eduroam without the suffix portion of the user name. This is causing accounting issues for other institutions.
yep.... but the code you have added would do something worse and expose the real inner user-name of the user, therefore totally destroying the point of anonymous outerid and revealing who they really are to the site they are at. breaking privacy/anonymity. IF their outer-id already has their details eg user1@realm.com<mailto:user1@realm.com> - then you can reply with that...but if their outerid is just annymous@realm.com<mailto:annymous@realm.com> or just @realm.com then you need to reply with that in the outer-id
I see the Access-Accept messages going out, without the suffix:
Sending Access-Accept of id 62 to 142.231.112.1 port 53243 MS-MPPE-Recv-Key = 0xd720476081b3ec7b8f7529a32f4c2c06f786a2c39aa888c7f157784db7673b47 MS-MPPE-Send-Key = 0x593de7fcae5ba512dec5d348b4500dea9ba73044c2c68ee661f7214a073377dd EAP-Message = 0x030b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user1" Proxy-State = 0x4f53432d457874656e6465642d49643d3138323338
probably because in the inner-id they only have their username without the realm anyway? update the reply in outer-id post-auth - looking at original request there...and ensuring you dont break what they as users chose to have configured alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Thanks for the advice. I know the version is a little old. I am waiting for 3.1 final before doing an overhaul.
3.0.x is the current supported released - 3.1.x is developmental/experimental..... it likely wont become 'final' , the next stable version probably being 3.2.x
That did not have the desired effect. Did I misunderstand?
you'll need to look at the debug mode for a client (use radmin to turen on full debug for just one calling-station-Id to see what is happening to each attribute through the authentication, then you can see if you need to use request:User-Name or just User-NAme etc. you could also assign a temporary attribute to the request as it comes in and use that if you are doing things with the User-Name alan
Hi Alan, Further to your message about versions: will 3.0.x eventually have a "final" release? I see that 3.0.10 is the most recent in the repo. Thanks, Dave On Wed, 2015-08-12 at 18:48 +0000, A.L.M.Buxey@lboro.ac.uk wrote: Hi,
Thanks for the advice. I know the version is a little old. I am waiting for 3.1 final before doing an overhaul.
3.0.x is the current supported released - 3.1.x is developmental/experimental..... it likely wont become 'final' , the next stable version probably being 3.2.x
That did not have the desired effect. Did I misunderstand?
you'll need to look at the debug mode for a client (use radmin to turen on full debug for just one calling-station-Id to see what is happening to each attribute through the authentication, then you can see if you need to use request:User-Name or just User-NAme etc. you could also assign a temporary attribute to the request as it comes in and use that if you are doing things with the User-Name alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Aug 13, 2015 at 01:31:32PM +0000, David Aldwinckle wrote:
Further to your message about versions: will 3.0.x eventually have a "final" release?
All good things come to an end, eventually. But that's not likely to be for a while. 2.2.x has only just about finished, and that was 18 months or so after 3.0.x came out. It's code, and it's stable. Why worry about version numbers? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Aug 13, 2015, at 9:31 AM, David Aldwinckle <daldwinc@uwaterloo.ca> wrote:
Hi Alan,
Further to your message about versions: will 3.0.x eventually have a "final" release?
Yes, just as 2.2.x will have a final release very soon, and just as v1.x.x had its final release back in 2008. After the 'final' release the branch is no longer maintained however, so it's not very useful to be developing new services with it. The branches don't get maintained forever, FreeRADIUS != Windows.
I see that 3.0.10 is the most recent in the repo.
That's the next release. The various packaging files and the changelog are updated immediately after every release, to reflect the next version. -Arran
Ah, yea. I guess that was a foolish question. Thanks for entertaining it, anyway. Dave On Thu, 2015-08-13 at 09:40 -0400, Arran Cudbard-Bell wrote:
On Aug 13, 2015, at 9:31 AM, David Aldwinckle <daldwinc@uwaterloo.ca<mailto:daldwinc@uwaterloo.ca>> wrote:
Hi Alan,
Further to your message about versions: will 3.0.x eventually have a "final" release?
Yes, just as 2.2.x will have a final release very soon, and just as v1.x.x had its final release back in 2008. After the 'final' release the branch is no longer maintained however, so it's not very useful to be developing new services with it. The branches don't get maintained forever, FreeRADIUS != Windows.
I see that 3.0.10 is the most recent in the repo.
That's the next release. The various packaging files and the changelog are updated immediately after every release, to reflect the next version. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
in sites-enabled/default add
post-auth { ... update reply { User-Name = "%{outer.request:User-Name}" } ... }
That did not have the desired effect. Did I misunderstand?
Almost there! You need to use this in either the inner-tunnel (which has access to outer.request), or use just "%{request:User-Name}" in the default server. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi Stefan, That makes sense! I moved it to the inner tunnel and also changed the assignment operator to := Its working great. Cheers, Dave On Thu, 2015-08-13 at 08:28 +0100, Stefan Paetow wrote:
in sites-enabled/default add
post-auth { ... update reply { User-Name = "%{outer.request:User-Name}" } ... }
That did not have the desired effect. Did I misunderstand?
Almost there! You need to use this in either the inner-tunnel (which has access to outer.request), or use just "%{request:User-Name}" in the default server. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net<mailto:stefanp@jabber.dev.ja.net> skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
That makes sense! I moved it to the inner tunnel and also changed the assignment operator to := Its working great.
Whoop whoop! :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alain Péan -
Arran Cudbard-Bell -
David Aldwinckle -
Matthew Newton -
Stefan Paetow