EAP Outer and Inner Tunnel Behaviour Discussion
Hi all, We are going to proxy EAP to another site with all freeradius (we are using 2.1.4, another site using 1.x), but there are some interest problems occurred, details are as follows: Our site only accept non “@domain” format for inner EAP tunnel authentication since user DB only store user name without suffix, (as I previous post, replier said that cannot change the EAP user name by terminal home server even using unlang or strip on proxy.conf, so I give up to chanage the inner EAP user name in our terminal home radius). But the administrator of another site which connect with us said that their user name store in file/DB also non suffix but can using “@domain” to pass the EAP/mschapv2 authentication with “stripped-user-name”, I’m not sure how and why, but after testing, I can using anonymous@aaa.net as user name of outer EAP tunnel and user1@aaa.net as user name of inner EAP tunnel to pass the authentication, and then I try to remove the “suffix from inner EAP user name“ or change the “outer user name” in client EAP supplicant (in our site change outer user name is accept, you can use any outer user name since proxy server only care suffix) , it get fail, so do you think that how about the user name actually store in another site DB, is it without suffix or with it? But if it is all without suffix, why I cannot login with non suffix user name of inner EAP tunnel? And how can remove the suffix in inner EAP tunnel while authentication? Or all account have suffix in another site DB. -- View this message in context: http://www.nabble.com/EAP-Outer-and-Inner-Tunnel-Behaviour-Discussion-tp2290... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Jacky Chan wrote:
We are going to proxy EAP to another site with all freeradius (we are using 2.1.4, another site using 1.x), but there are some interest problems occurred, details are as follows:
Our site only accept non “@domain” format for inner EAP tunnel authentication since user DB only store user name without suffix, (as I previous post, replier said that cannot change the EAP user name by terminal home server even using unlang or strip on proxy.conf, so I give up to chanage the inner EAP user name in our terminal home radius).
This has NO effect on proxying.
But the administrator of another site which connect with us said that their user name store in file/DB also non suffix but can using “@domain” to pass the EAP/mschapv2 authentication with “stripped-user-name”, I’m not sure how and why, but after testing, I can using anonymous@aaa.net as user name of outer EAP tunnel and user1@aaa.net as user name of inner EAP tunnel to pass the authentication, and then I try to remove the “suffix from inner EAP user name“ or change the “outer user name” in client EAP supplicant (in our site change outer user name is accept, you can use any outer user name since proxy server only care suffix) , it get fail, so do you think that how about the user name actually store in another site DB, is it without suffix or with it? But if it is all without suffix, why I cannot login with non suffix user name of inner EAP tunnel?
That doesn't make a lot of sense to me. You will need to proxy the OUTER eap session to the other server. Do NOT proxy the inner EAP session.
And how can remove the suffix in inner EAP tunnel while authentication? Or all account have suffix in another site DB.
Don't touch the inner EAP tunnel when you are proxying. Alan DeKok.
We are going to proxy EAP to another site with all freeradius (we are using 2.1.4, another site using 1.x), but there are some interest problems occurred, details are as follows:
Our site only accept non @domain format for inner EAP tunnel authentication since user DB only store user name without suffix, (as I previous post, replier said that cannot change the EAP user name by terminal home server even using unlang or strip on proxy.conf, so I give up to chanage the inner EAP user name in our terminal home radius).
But the administrator of another site which connect with us said that their user name store in file/DB also non suffix but can using @domain to pass the EAP/mschapv2 authentication with stripped-user-name, I'm not sure how and why, but after testing, I can using anonymous@aaa.net as user name of outer EAP tunnel and user1@aaa.net as user name of inner EAP tunnel to pass the authentication,
That's fine.
and then I try to remove the suffix from inner EAP user name or change the outer user name in client EAP supplicant
And why would you want to do a thing like that? Just leave it alone.
(in our site change outer user name is accept, you can use any outer user name since proxy server only care suffix) , it get fail, so do you think that how about the user name actually store in another site DB, is it without suffix or with it? But if it is all without suffix, why I cannot login with non suffix user name of inner EAP tunnel?
Why do you care what is stored on their database? It's none of your concern. You just proxy unaltered usernames to them.
And how can remove the suffix in inner EAP tunnel while authentication?
By using suffix module in freeradius (enabled by default). You just configure aaa.net as a local realm in proxy.conf.
Or all account have suffix in another site DB.
That is also possible. Ivan Kalik Kalik Informatika ISP
tnt-4 wrote:
We are going to proxy EAP to another site with all freeradius (we are
using
2.1.4, another site using 1.x), but there are some interest problems occurred, details are as follows:
Our site only accept non @domain format for inner EAP tunnel authentication since user DB only store user name without suffix, (as I previous post, replier said that cannot change the EAP user name by terminal home server even using unlang or strip on proxy.conf, so I give up to chanage the inner EAP user name in our terminal home radius).
But the administrator of another site which connect with us said that their user name store in file/DB also non suffix but can using @domain to pass the EAP/mschapv2 authentication with stripped-user-name, I'm not sure how and why, but after testing, I can using anonymous@aaa.net as user name of outer EAP tunnel and user1@aaa.net as user name of inner EAP tunnel to pass the authentication,
That's fine.
and then I try to remove the suffix from inner EAP user name or change the outer user name in client EAP supplicant
And why would you want to do a thing like that? Just leave it alone.
No, I just want to let our user using an anonymous account as the outer user name for authentication to improve the security, and using the true account for inner tunnel.
(in our site change outer user name is accept, you can use any outer user name since proxy server only care suffix) , it get fail, so do you think that how about the user name actually store in another site DB, is it without suffix or with it? But if it is all without suffix, why I cannot login with non suffix user name of inner EAP tunnel?
Why do you care what is stored on their database? It's none of your concern. You just proxy unaltered usernames to them. Because the administrator said that their user name all without suffix, so I want to setup a similar home radius to do the authentication without suffix user name (testing 3 show as below). but I got fail since if all accounts stored in file/DB without suffix just like user1, I can not pass the authentication with user1@aaa.net in inner tunnel because I don't know (or it is impossible) how to remove the suffix before do the authentication. I guess may be they also stored with suffix user name in their DB/File
And how can remove the suffix in inner EAP tunnel while authentication?
By using suffix module in freeradius (enabled by default). You just configure aaa.net as a local realm in proxy.conf. You means that add a realm in proxy.conf of PROXY server OR in home terminal radius server? as following configuration, it seems should be apply on home radius server, right? realm aaa.net { auth_pool = localhost # nostrip (enable or not?) } The following is the result by my testing for outer tunnel and inner tunnel authentication with my proxy and home radius server, I'm using SecureW2_EAP_Suite_113 with PEAP/MSChapV2: (1) user name which stored in home radius file: user2@aaa.net outer tunnel name: anybody@aaa.net OR @aaa.net OR anonymous@aaa.net Inner tunnel name: user2@aaa.net result: passed (2) user name which stored in home radius file: user2@aaa.net outer tunnel name: anybody@aaa.net OR @aaa.net OR anonymous@aaa.net Inner tunnel name: user2 result: failed (3) user name which stored in home radius file: user2 outer tunnel name: anybody@aaa.net OR @aaa.net OR anonymous@aaa.net Inner tunnel name: user2@aaa.net result: failed (4) user name which stored in home radius file: user2 outer tunnel name: anybody@aaa.net OR @aaa.net OR anonymous@aaa.net Inner tunnel name: user2 result: passed - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- View this message in context: http://www.nabble.com/EAP-Outer-and-Inner-Tunnel-Behaviour-Discussion-tp2290... Sent from the FreeRadius - User mailing list archive at Nabble.com.
No, I just want to let our user using an anonymous account as the outer user name for authentication to improve the security, and using the true account for inner tunnel.
It's a supplicant setting. Nothing to do with radius server.
Because the administrator said that their user name all without suffix, so I want to setup a similar home radius to do the authentication without suffix user name (testing 3 show as below). but I got fail since if all accounts stored in file/DB without suffix just like user1, I can not pass the authentication with user1@aaa.net in inner tunnel because I don't know (or it is impossible)
It is impossible. You either proxy that realm or you authenticate it locally. How is the server supposed to know which ones to proxy and which ones to check locally?
You means that add a realm in proxy.conf of PROXY server OR in home terminal radius server?
Proxy server *is*the home server when authenticating local accounts. Or do you have another home server for such accounts? Apart from the one you proxy to for someone else. Ivan Kalik Kalik Informatika ISP
participants (3)
-
Alan DeKok -
Jacky Chan -
tnt@kalik.net