"anonymous" user connected to wireless
I'm having a strange problem, for one specific user, wireless system dashboard and radius accounting db show connected username as "anonymous". User credentials are stored in database and Calling-Station-Id is used to prevent unauthorized devices from connecting. FreeRADIUS authentication logs are not enabled. On DB, user "anonymous" do not exist. The wireless system is configured to authenticate only with FreeRADIUS server. Changing Calling-Station-Id on radius db prevents this system from connecting. I'm wondering how this is possible and where to check what is causing this. Thanks,
On Oct 18, 2024, at 7:29 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm having a strange problem, for one specific user, wireless system dashboard and radius accounting db show connected username as "anonymous".
That is the User-Name in the RADIUS packets.
User credentials are stored in database and Calling-Station-Id is used to prevent unauthorized devices from connecting. FreeRADIUS authentication logs are not enabled.
You're likely using PEAP / TTLS, and authenticating the user via the *inner* User-Name. Read the debug logs to see more.
On DB, user "anonymous" do not exist. The wireless system is configured to authenticate only with FreeRADIUS server. Changing Calling-Station-Id on radius db prevents this system from connecting.
I'm wondering how this is possible and where to check what is causing this.
It's how the protocols work. You will need to log the inner User-Name for the authentication session. Or, update the Access-Accept to contain Chargeable-User-Identity. See raddb/policy.d/cui Alan DeKok.
Many thanks, Running debug is not possible as this user "anonymous" connect to wireless randomly in a remote office. I have enabled following in, default & inner-tunnel, But specific user still showing as anonymous. Am i missing any config part ?. Should i modify policy.d/filter to prevent users loggin in as "anonymous" as this only occur for only one user and still don't know how or what is causing this . ******************************** 1, sites-enabled/default authorize { filter-username } 2, sites-enabled/inner-tunnel authorize { filter_username filter_inner_identity } post-auth { reply_log } ******************************** ~# cat /var/log/freeradius/radius.log | grep anon Wed Oct 23 10:13:15 2024 : Auth: (4568) Login OK: [anonymous/<via Auth-Type = eap>] (from client Aruba Cluster port 0 cli <mac-address>) WHERE (radpostauth.username LIKE 'anon%%') AND (authdate >='2024-01-01' AND authdate <='2024-10-31') ~# ******************************** ~# cat /var/log/freeradius/radius.log | grep <username_removed> Wed Oct 23 10:13:15 2024 : Auth: (4567) Login OK: [username_removed/<via Auth-Type = eap>] (from client Aruba Cluster port 0 cli <mac-address> via TLS tunnel) ~# ******************************** Thanks, On Friday 18 October, 2024 at 05:36:21 pm IST, Alan DeKok <aland@deployingradius.com> wrote: On Oct 18, 2024, at 7:29 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I'm having a strange problem, for one specific user, wireless system dashboard and radius accounting db show connected username as "anonymous".
That is the User-Name in the RADIUS packets.
User credentials are stored in database and Calling-Station-Id is used to prevent unauthorized devices from connecting. FreeRADIUS authentication logs are not enabled.
You're likely using PEAP / TTLS, and authenticating the user via the *inner* User-Name. Read the debug logs to see more.
On DB, user "anonymous" do not exist. The wireless system is configured to authenticate only with FreeRADIUS server. Changing Calling-Station-Id on radius db prevents this system from connecting.
I'm wondering how this is possible and where to check what is causing this.
It's how the protocols work. You will need to log the inner User-Name for the authentication session. Or, update the Access-Accept to contain Chargeable-User-Identity. See raddb/policy.d/cui Alan DeKok.
On Oct 23, 2024, at 1:03 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Running debug is not possible as this user "anonymous" connect to wireless randomly in a remote office.
The RADIUS server is in a remote office? Just connect to it via SSH or a VPN.
I have enabled following in, default & inner-tunnel, But specific user still showing as anonymous. Am i missing any config part ?. Should i modify policy.d/filter to prevent users loggin in as "anonymous" as this only occur for only one user and still don't know how or what is causing this .
I explained why it happens, and what you can do to fix it. There's really little more I can say. And there's no excuse for saying you don't know how it's happening. Alan DeKok.
The RADIUS server is in a remote office? Just connect to it via SSH or a VPN.
User in remote office, only connects wireless in meeting room with customers. User is rarely in office, hence i can't run in debug mode for indefinite period of time.
I explained why it happens, and what you can do to fix it.
You will need to log the inner User-Name for the authentication session. Or, update the Access-Accept to contain Chargeable-User-Identity. See raddb/policy.d/cui
Above is the only hint you have given. Now, I'm not clear what you meant by "You will need to log the inner User-Name for the authentication session". Thanks, On Wednesday 23 October, 2024 at 05:29:41 pm IST, Alan DeKok <aland@deployingradius.com> wrote: On Oct 23, 2024, at 1:03 AM, Eby Mani via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Running debug is not possible as this user "anonymous" connect to wireless randomly in a remote office.
The RADIUS server is in a remote office? Just connect to it via SSH or a VPN.
I have enabled following in, default & inner-tunnel, But specific user still showing as anonymous. Am i missing any config part ?. Should i modify policy.d/filter to prevent users loggin in as "anonymous" as this only occur for only one user and still don't know how or what is causing this .
I explained why it happens, and what you can do to fix it. There's really little more I can say. And there's no excuse for saying you don't know how it's happening. Alan DeKok.
On Oct 23, 2024, at 9:26 AM, Eby Mani <eby_km@yahoo.com> wrote:
User in remote office, only connects wireless in meeting room with customers. User is rarely in office, hence i can't run in debug mode for indefinite period of time.
See raddebug. It's possible to turn on debug mode temporarily. But it's not really needed.
I explained why it happens, and what you can do to fix it.
You will need to log the inner User-Name for the authentication session. Or, update the Access-Accept to contain Chargeable-User-Identity. See raddb/policy.d/cui
Above is the only hint you have given.
I mentioned PEAP / TTLS. They're authentication protocols which have an "outer" and "inner' identity. Go read up on how PEAP and TTLS work. e.g. Wikipedia, or other places. This is all explained. The "outer" identity here is "anonymous". The "inner" identity contains the real user name,
Now, I'm not clear what you meant by "You will need to log the inner User-Name for the authentication session".
Edit sites-enabled/inner-tunnel. Change it to log the User-Name. You should set up a test RADIUS server. They're free. Then, use eapol_test to run tests. See src/tests/eap-ttls-pap.conf You can see how things work in a test environment. Alan DeKok.
On Wed, 23 Oct 2024, Eby Mani via Freeradius-Users wrote:
User in remote office, only connects wireless in meeting room with customers. User is rarely in office, hence i can't run in debug mode for indefinite period of time.
I explained why it happens, and what you can do to fix it.
You will need to log the inner User-Name for the authentication session. Or, update the Access-Accept to contain Chargeable-User-Identity. See raddb/policy.d/cui
Above is the only hint you have given. Now, I'm not clear what you meant by "You will need to log the inner User-Name for the authentication session".
Eby, Do this: 1) get a laptop with WiFi and abilty to boot from a USB stick. 2) Create a bootable USB stick from a Linux distro that you can handle, for example Ubuntu, see: https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started 3) boot Linux on the laptop from the USB stick. 4) open the system network configuration menu and activate 802.1x security. 5) select a TLS protected auth mode (EG: Tunneled TLS or Protected EAP) that you have working in your AP+Radius infrastructure. 6) Note that in the menu that opens up you have two different places to enter identity info, the outer ('Anonymous') id and the inner ID. set the outer outer ID to some generic name that you can recognise but does not correspond to any valid user name on your system. Set the inner ID to your personal appropriate creds. 7) hit apply and then try a connection. 8) run your Radius server in debug mode and test again, watch for both the generic name and your personal ID to show up in the debugging log. 9) you can see that the 'anonymous' ID is in the outer "wrapper" but it's actually using your creds to authenticate. Now adjust your Radius config as Alan has suggested to make your logging sysetm record not the outer ID but the inner personal ID. Have fun, Dave -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{
Thanks David, I assume Alan is suggesting to adjust as per "https://wiki.freeradius.org/guide/eduroam-logging#recording-the-inner-user-n...". Existing RADIUS server is configured to send User-Group to Network firewall using "sites-enabled/copy-acct-to-home-server" for RSSO based access. One question, Do we leave the original post-auth { } settings in sites-enabled/inner-tunnel ?. And add as per "recording-the-inner-user-name" on RADIUS server to send User-Group info to home accounting server ?. ***************** original settings ***************** post-auth { .... update { &outer.session-state: += &reply: } .... Post-Auth-Type REJECT { .... update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } ********************************** Thanks, On Thursday 24 October, 2024 at 11:08:48 am IST, David B Funk <dbfunk@engineering.uiowa.edu> wrote: On Wed, 23 Oct 2024, Eby Mani via Freeradius-Users wrote:
User in remote office, only connects wireless in meeting room with customers. User is rarely in office, hence i can't run in debug mode for indefinite period of time.
I explained why it happens, and what you can do to fix it.
You will need to log the inner User-Name for the authentication session. Or, update the Access-Accept to contain Chargeable-User-Identity. See raddb/policy.d/cui
Above is the only hint you have given. Now, I'm not clear what you meant by "You will need to log the inner User-Name for the authentication session".
Eby, Do this: 1) get a laptop with WiFi and abilty to boot from a USB stick. 2) Create a bootable USB stick from a Linux distro that you can handle, for example Ubuntu, see: https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started 3) boot Linux on the laptop from the USB stick. 4) open the system network configuration menu and activate 802.1x security. 5) select a TLS protected auth mode (EG: Tunneled TLS or Protected EAP) that you have working in your AP+Radius infrastructure. 6) Note that in the menu that opens up you have two different places to enter identity info, the outer ('Anonymous') id and the inner ID. set the outer outer ID to some generic name that you can recognise but does not correspond to any valid user name on your system. Set the inner ID to your personal appropriate creds. 7) hit apply and then try a connection. 8) run your Radius server in debug mode and test again, watch for both the generic name and your personal ID to show up in the debugging log. 9) you can see that the 'anonymous' ID is in the outer "wrapper" but it's actually using your creds to authenticate. Now adjust your Radius config as Alan has suggested to make your logging sysetm record not the outer ID but the inner personal ID. Have fun, Dave -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{
participants (3)
-
Alan DeKok -
David B Funk -
Eby Mani