Hi all, I have 2.1.6 and things basically work. But I just came across a question about the processing of outer/inner identity: As I understand it, in case of a non-EAP RADIUS request (eg from my old modem servers), there is no tunnel and hence no inner identity. ==> Autz and Auth are done by the default virtual server and governed by the settings in radiusd.conf and sites-available/default -- right? In case of an EAP request (we do EAP-TTLS and PEAP-MSCHAPv2), the outer identity is simply used as a dummy during Tunnel setup (Our EAP Clients use anonymous@uni-marburg.de as outer identity). Nonetheless, freeradius does an LDAP request during Authorization which, of course, fails with 'notfound'. freeradius then happily proceeds to do the real authentication with inner-tunnel. Now I wonder how to avoid that extra LDAP query. Here's my config (ldap123 refers to a virtual module doing redundant-load-balance with 3 LDAP servers): default: authorize { preprocess chap mschap suffix eap { ok = return } unix files ldap123 expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap Auth-Type LDAP { ldap123 } } inner-tunnel: authorize { chap mschap unix suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } files ldap123 expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap123 } eap } And here is the (hopefully) relevant part of the output of freeradius -X: radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.75.246 port 1645, id=68, length=166 User-Name = "anonymous@uni-marburg.de" Framed-MTU = 1400 Called-Station-Id = "0013.8011.a1e0" Calling-Station-Id = "001b.7720.e19d" Service-Type = Login-User Message-Authenticator = 0xc8c71b2e61687810d83b54a62fbc0150 EAP-Message = 0x0202001d01616e6f6e796d6f757340756e692d6d6172627572672e6465 NAS-Port-Type = Wireless-802.11 NAS-Port = 14662 NAS-IP-Address = 192.168.75.246 NAS-Identifier = "warz004" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "uni-marburg.de" for User-Name = "anonymous@uni-marburg.de" [suffix] Found realm "uni-marburg.de" [suffix] Adding Stripped-User-Name = "anonymous" [suffix] Adding Realm = "uni-marburg.de" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 2 length 29 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 30 [files] expand: %{User-Name} -> anonymous@uni-marburg.de ++[files] returns ok ++- entering policy ldap123 {...} +++- entering redundant-load-balance group redundant-load-balance {...} [ldap3] performing user authorization for anonymous [ldap3] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap3] expand: (&(uid:caseExactMatch:=%{Stripped-User-Name:-%{User-Name}}) (!(UniMrDarfRadius=0))) -> (&(uid:caseExactMatch:=anony mous) (!(UniMrDarfRadius=0))) [ldap3] expand: ou=people,ou=Students,ou=Accounts,o=Universitaet Marburg,c=DE -> ou=people,ou=Students,ou=Accounts,o=Universitaet M arburg,c=DE rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to auth3.students.uni-marburg.de:389, authentication 0 rlm_ldap: setting TLS CACert File to /etc/ssl/certs/deutsche-telekom-root-ca-2.pem rlm_ldap: setting TLS Require Cert to demand rlm_ldap: starting TLS rlm_ldap: bind as uid=radius,ou=Proxy,o=Universitaet Marburg,c=DE/JhkG0iH to auth3.students.uni-marburg.de:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=people,ou=Students,ou=Accounts,o=Universitaet Marburg,c=DE, with filter (&(uid:caseExactMatch:=anonymous) (!(UniMrDarfRadius=0))) rlm_ldap: object not found [ldap3] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++++[ldap3] returns notfound +++- redundant-load-balance group redundant-load-balance returns notfound ++- policy ldap123 returns notfound ++[expiration] returns noop ++[logintime] returns noop Thanks for any help Martin -- Dr. Martin Pauly Fax: 49-6421-28-26994 HRZ Univ. Marburg Phone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
Martin Pauly wrote:
I have 2.1.6 and things basically work. But I just came across a question about the processing of outer/inner identity:
As I understand it, in case of a non-EAP RADIUS request (eg from my old modem servers), there is no tunnel and hence no inner identity. ==> Autz and Auth are done by the default virtual server and governed by the settings in radiusd.conf and sites-available/default -- right?
Yes.
In case of an EAP request (we do EAP-TTLS and PEAP-MSCHAPv2), the outer identity is simply used as a dummy during Tunnel setup (Our EAP Clients use anonymous@uni-marburg.de as outer identity).
Yes.
Nonetheless, freeradius does an LDAP request during Authorization which, of course, fails with 'notfound'.
Because that's what you configured...
freeradius then happily proceeds to do the real authentication with inner-tunnel. Now I wonder how to avoid that extra LDAP query.
$ man unlang There's an entire policy language to define rules. Replace the "ldap123" line in the "authorize" seciton with: if (!EAP-Message) { ldap123 } Alan DeKok.
Hi Alan,
Replace the "ldap123" line in the "authorize" seciton with:
if (!EAP-Message) { ldap123 }
works great and is logical indeed -- thanks! Just for myself and others try to learn from examples: I had thought that eap { ok = return } would already do the trick when placed above ldap. But actually, we have ++[eap] returns noop in case of a non-EAP request -- not 'ok'. The above statement catches up, only if there _is_ an EAP request, but no need to bother LDAP yet (ie during tunnel setup as the comment suggests). o.k. here's freeradius' output w/o EAP: [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 30 [files] expand: %{User-Name} -> Pauly ++[files] returns ok ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> TRUE ++? if (!EAP-Message) -> TRUE ++- entering if (!EAP-Message) {...} +++- entering policy ldap123 {...} ++++- entering redundant-load-balance group redundant-load-balance {...} [ldap1] performing user authorization for Pauly ... and with EAP: [files] users: Matched entry DEFAULT at line 30 [files] expand: %{User-Name} -> Pauly ++[files] returns ok ++? if (!EAP-Message) ? Evaluating !(EAP-Message) -> FALSE ++? if (!EAP-Message) -> FALSE ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity -- Dr. Martin Pauly Fax: 49-6421-28-26994 HRZ Univ. Marburg Phone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
Hi,
I have 2.1.6 and things basically work. But I just came across a question about the processing of outer/inner identity:
As I understand it, in case of a non-EAP RADIUS request (eg from my old modem servers), there is no tunnel and hence no inner identity. ==> Autz and Auth are done by the default virtual server and governed by the settings in radiusd.conf and sites-available/default -- right?
In case of an EAP request (we do EAP-TTLS and PEAP-MSCHAPv2), the outer identity is simply used as a dummy during Tunnel setup (Our EAP Clients use anonymous@uni-marburg.de as outer identity). Nonetheless, freeradius does an LDAP request during Authorization which, of course, fails with 'notfound'. freeradius then happily proceeds to do the real authentication with inner-tunnel. Now I wonder how to avoid that extra LDAP query.
Here's my config (ldap123 refers to a virtual module doing redundant-load-balance with 3 LDAP servers):
somthing in your users file is matching and enforcing LDAP ;-) alan
participants (3)
-
Alan Buxey -
Alan DeKok -
Martin Pauly