Tunneled-User-Name
Hi, I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius server.How can I get the tunnelled User-Name (User-Name used in inner authentication phase) using unlang in FreeRADIUS server? Now I can only get the User-Name used for the outer authentication (ex: anonymous). Best Regards Champika
d.thembiliyagoda@lancaster.ac.uk wrote:
I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius server.How can I get the tunnelled User-Name (User-Name used in inner authentication phase) using unlang in FreeRADIUS server?
It's available in the "inner-tunnel" virtual server.
Now I can only get the User-Name used for the outer authentication (ex: anonymous).
Because you're editing the "default" virtual server. Alan DeKok.
Thank you very much. Regards Champika On Mon, 11 July, 2011 4:06 pm, Alan DeKok wrote:
d.thembiliyagoda@lancaster.ac.uk wrote:
I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius server.How can I get the tunnelled User-Name (User-Name used in inner authentication phase) using unlang in FreeRADIUS server?
It's available in the "inner-tunnel" virtual server.
Now I can only get the User-Name used for the outer authentication (ex: anonymous).
Because you're editing the "default" virtual server.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
d.thembiliyagoda@lancaster.ac.uk wrote:
I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius server.How can I get the tunnelled User-Name (User-Name used in inner authentication phase) using unlang in FreeRADIUS server? Now I can only get the User-Name used for the outer authentication (ex: anonymous).
PAP is easy, but MSCHAPv2 is typically EAP-MSCHAPv2 so you have a double-inner in play. The best suggestion I have (after years of tweaking it to be just right) is in your inner authorize use: ---- authorize { update outer.request { User-Name := "%{request:User-Name}" } update reply { User-Name := "%{request:User-Name}" } [snipped] update reply { Auth-Type := "%{control:Auth-Type}" } } ---- On the outer layer, you then use '%{%{reply:User-Name}:-%{request:User-Name}}' to get the username. This means you get the inner username for: * PAP, MSCHAPv2 and EAP-MSCHAPv2 authentications * when your inner server rejects the request (ie. bad password) (this is why you stuff the inner username into outer.request * TTLS/PEAP has the option of TLS cached sessions which is *good*, doing things this way means you still get the inner name for resumed sessions As a bonus, the Auth-Type is extractable..if you use TLS cached sessions, then this will be EAP. Cheers -- Alexander Clouter .sigmonster says: It was Penguin lust... at its ugliest.
Hi , Thank you very much for the example. its working. Regards Champika On Mon, 11 July, 2011 4:24 pm, Alexander Clouter wrote:
d.thembiliyagoda@lancaster.ac.uk wrote:
I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius server.How can I get the tunnelled User-Name (User-Name used in inner authentication phase) using unlang in FreeRADIUS server? Now I can only get the User-Name used for the outer authentication (ex: anonymous).
PAP is easy, but MSCHAPv2 is typically EAP-MSCHAPv2 so you have a double-inner in play. The best suggestion I have (after years of tweaking it to be just right) is in your inner authorize use: ---- authorize { update outer.request { User-Name := "%{request:User-Name}" } update reply { User-Name := "%{request:User-Name}" }
[snipped]
update reply { Auth-Type := "%{control:Auth-Type}" } } ----
On the outer layer, you then use '%{%{reply:User-Name}:-%{request:User-Name}}' to get the username. This means you get the inner username for: * PAP, MSCHAPv2 and EAP-MSCHAPv2 authentications * when your inner server rejects the request (ie. bad password) (this is why you stuff the inner username into outer.request * TTLS/PEAP has the option of TLS cached sessions which is *good*, doing things this way means you still get the inner name for resumed sessions
As a bonus, the Auth-Type is extractable..if you use TLS cached sessions, then this will be EAP.
Cheers
-- Alexander Clouter .sigmonster says: It was Penguin lust... at its ugliest.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, I edit the inner-tunnel virtual server configuration file and uncomment the example policy under "post-auth" section. update outer.reply { User-Name := "%{request:User-Name}" } But in Access-Accept still the User-Name is "anonymous". Here is the debug output of the FreeRadius # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel Info: +- entering group post-auth {...} Info: expand: %{request:User-Name} -> bob Info: ++[outer.reply] returns noop } # server inner-tunnel Then I enabled the use_tunneled_reply = yes ,in eap.conf. Even after that I can't see the User-Name attribute has modified in Access-Accept. Regards Champika On Mon, 11 July, 2011 3:57 pm, thembili@unix.lancs.ac.uk wrote:
Hi,
I am using EAP-TTLS and MSCHAPv2 to authenticate with FreeRadius server.How can I get the tunnelled User-Name (User-Name used in inner authentication phase) using unlang in FreeRADIUS server? Now I can only get the User-Name used for the outer authentication (ex: anonymous).
Best Regards Champika
d.thembiliyagoda@lancaster.ac.uk wrote:
I edit the inner-tunnel virtual server configuration file and uncomment the example policy under "post-auth" section.
update outer.reply { User-Name := "%{request:User-Name}" }
That's not the example I gave...what does trying my example give you?
But in Access-Accept still the User-Name is "anonymous". Here is the debug output of the FreeRadius
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel Info: +- entering group post-auth {...} Info: expand: %{request:User-Name} -> bob Info: ++[outer.reply] returns noop } # server inner-tunnel
Probably as you are using EAP-MSCHAPv2 which in effect gives you an inner-inner-tunnel.
Then I enabled the use_tunneled_reply = yes ,in eap.conf. Even after that I can't see the User-Name attribute has modified in Access-Accept.
Well, when you do get it working, remember to trim it for eduroam replies bound for JANET's JRS's; the username should only go to your *own* NAS's and not the national proxies. Cheers -- Alexander Clouter .sigmonster says: HOLY MACRO!
participants (3)
-
Alan DeKok -
Alexander Clouter -
d.thembiliyagoda@lancaster.ac.uk