Authorize/authenticate with LDAP
Hello, I have a small problem a little bit annoying, and it seems to me that a lot of people using LDAP don't know that they have the same problem. I explain : I have an access-point, and I want use EAP/TTLS in order to authenticate people on my LDAP server. The first time, I had then something like that: authorize { preprocess suffix eap files Autz-Type LDAP { ldap } } authenticate { Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { ldap } eap } It is working. I am not sure it is the minimal configuration, but I don't care too much. My problem is the following: in my intel proset, if I am giving a false identity in my roaming profile with a good identity and a good password, it is working. The authorization step doesn't work as I want. The most important problem is that the accounting is using my roaming profile. I can partially solve the problem using : Autz-Type LDAP { ldap{ notfound = reject } } Then, the roaming profile must be a valid LDAP name. But I still can use an arbitrary valid LDAP name. In fact, the most important thing to me is that the accounting, and session logger use the good name. Is it a solution to my problem ? Thx, -- Thierry CHICH Equipe Réseaux / Rectorat de Clermont-Ferrand Tel: +33 4 73 99 30 54
Thierry CHICH wrote:
I have an access-point, and I want use EAP/TTLS in order to authenticate people on my LDAP server. The first time, I had then something like that: ... in my intel proset, if I am giving a false identity in my roaming profile with a good identity and a good password, it is working. The authorization step doesn't work as I want. The most important problem is that the accounting is using my roaming profile.
Yes. The outer identity is often "anonymous", and does not matter for authentication. If you set the User-Name in the Access-Accept, the NAS *should* use that name for accounting, and not the name from the outer identity. Alan DeKok.
Le mercredi 16 janvier 2008, Alan DeKok a écrit :
Thierry CHICH wrote:
I have an access-point, and I want use EAP/TTLS in order to authenticate people on my LDAP server. The first time, I had then something like that:
...
in my intel proset, if I am giving a false identity in my roaming profile with a good identity and a good password, it is working. The authorization step doesn't work as I want. The most important problem is that the accounting is using my roaming profile.
Yes. The outer identity is often "anonymous", and does not matter for authentication.
If you set the User-Name in the Access-Accept, the NAS *should* use that name for accounting, and not the name from the outer identity.
Thanks for your answer. I am happy to see that it is not totally weird. But what can I do in order to "set the User-Name in the Access-Accept" ? When I watch the logs, I see the following events First, all is going well : rlm_ldap: user GOOD.NAME authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 6 modcall: leaving group LDAP (returns ok) for request 6 radius_xlat: 'GOOD.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand' TTLS: Got tunneled reply RADIUS code 2 Reply-Message = "GOOD.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand" TTLS: Got tunneled Access-Accept rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 6 modcall: leaving group authenticate (returns ok) for request 6 But after that good beginning, I come back to the FAKE.NAME I have written as my outer identity : radius_xlat: 'FAKE.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand' Sending Access-Accept of id 13 to 172.30.87.66 port 3689 Reply-Message = "FAKE.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand" MS-MPPE-Recv-Key = 0x0c447e72b7c080648ded12ab5990dd20dc9832c2b9a78bf1630fa5fcdac41633 MS-MPPE-Send-Key = 0x1dd7d8cf377ebc9b47b2cddb290b95aa61140f4fe13d69e52f4102426d3c25ae EAP-Message = 0x030d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "FAKE.NAME"
Thierry CHICH wrote:
Le mercredi 16 janvier 2008, Alan DeKok a écrit :
Thierry CHICH wrote:
I have an access-point, and I want use EAP/TTLS in order to authenticate people on my LDAP server. The first time, I had then something like that:
...
in my intel proset, if I am giving a false identity in my roaming profile with a good identity and a good password, it is working. The authorization step doesn't work as I want. The most important problem is that the accounting is using my roaming profile.
Yes. The outer identity is often "anonymous", and does not matter for authentication.
If you set the User-Name in the Access-Accept, the NAS *should* use that name for accounting, and not the name from the outer identity.
Thanks for your answer. I am happy to see that it is not totally weird.
But what can I do in order to "set the User-Name in the Access-Accept" ?
When I watch the logs, I see the following events
First, all is going well :
rlm_ldap: user GOOD.NAME authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 6 modcall: leaving group LDAP (returns ok) for request 6 radius_xlat: 'GOOD.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand' TTLS: Got tunneled reply RADIUS code 2 Reply-Message = "GOOD.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand" TTLS: Got tunneled Access-Accept rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 6 modcall: leaving group authenticate (returns ok) for request 6
But after that good beginning, I come back to the FAKE.NAME I have written as my outer identity :
radius_xlat: 'FAKE.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand' Sending Access-Accept of id 13 to 172.30.87.66 port 3689 Reply-Message = "FAKE.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand" MS-MPPE-Recv-Key = 0x0c447e72b7c080648ded12ab5990dd20dc9832c2b9a78bf1630fa5fcdac41633 MS-MPPE-Send-Key = 0x1dd7d8cf377ebc9b47b2cddb290b95aa61140f4fe13d69e52f4102426d3c25ae EAP-Message = 0x030d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "FAKE.NAME"
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What version of FR are you running ? -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Le mercredi 16 janvier 2008, Arran Cudbard-Bell a écrit :
Thierry CHICH wrote:
Le mercredi 16 janvier 2008, Alan DeKok a écrit :
Thierry CHICH wrote:
I have an access-point, and I want use EAP/TTLS in order to authenticate people on my LDAP server. The first time, I had then something like that:
...
in my intel proset, if I am giving a false identity in my roaming profile with a good identity and a good password, it is working. The authorization step doesn't work as I want. The most important problem is that the accounting is using my roaming profile.
Yes. The outer identity is often "anonymous", and does not matter for authentication.
If you set the User-Name in the Access-Accept, the NAS *should* use that name for accounting, and not the name from the outer identity.
Thanks for your answer. I am happy to see that it is not totally weird.
But what can I do in order to "set the User-Name in the Access-Accept" ?
When I watch the logs, I see the following events
First, all is going well :
rlm_ldap: user GOOD.NAME authenticated succesfully modcall[authenticate]: module "ldap" returns ok for request 6 modcall: leaving group LDAP (returns ok) for request 6 radius_xlat: 'GOOD.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand' TTLS: Got tunneled reply RADIUS code 2 Reply-Message = "GOOD.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand" TTLS: Got tunneled Access-Accept rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 6 modcall: leaving group authenticate (returns ok) for request 6
But after that good beginning, I come back to the FAKE.NAME I have written as my outer identity :
radius_xlat: 'FAKE.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand' Sending Access-Accept of id 13 to 172.30.87.66 port 3689 Reply-Message = "FAKE.NAME@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand" MS-MPPE-Recv-Key = 0x0c447e72b7c080648ded12ab5990dd20dc9832c2b9a78bf1630fa5fcdac41633 MS-MPPE-Send-Key = 0x1dd7d8cf377ebc9b47b2cddb290b95aa61140f4fe13d69e52f4102426d3c25ae EAP-Message = 0x030d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "FAKE.NAME"
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What version of FR are you running ?
freeradius Version 1.1.3 ??? I can't believe it ! I thank I was using the version 1.1.6 ! Is it possible it change the beahvior if I upgrade ?
Thierry CHICH wrote:
freeradius Version 1.1.3 ??? I can't believe it ! I thank I was using the version 1.1.6 ! Is it possible it change the beahvior if I upgrade ?
In 1.1.x you can set the User-Name inside of the tunnel, and then set "use_tunneled_reply = yes" in the EAP config. This will use that User-Name in the Access-Accept. In 2.0, you can just write logic that runs only in the inner tunnel, and sets the outer tunnel user name directly. Alan DeKok.
Hi,
Thierry CHICH wrote:
freeradius Version 1.1.3 ??? I can't believe it ! I thank I was using the version 1.1.6 ! Is it possible it change the beahvior if I upgrade ?
In 1.1.x you can set the User-Name inside of the tunnel, and then set "use_tunneled_reply = yes" in the EAP config. This will use that User-Name in the Access-Accept.
In 2.0, you can just write logic that runs only in the inner tunnel, and sets the outer tunnel user name directly.
both covered a couple of times in the mailing list archive. alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Thierry CHICH