Trying not to send outer identity in the Access-Accept message
Dear Sir or Madam. Currently, we are running Freeradius 3.0.11. It works correctly with our wireless controler, but when we upgrade the firmware of our wireless controlles, the users are not able to stablish sesión anymore. The problem is that the freeradius is sending two User-Name values in the Access-Accept packet (the inner and the outer identity), and the Wireless controler detects two values and drops the packet. The authentication is correct, but the Wireless controller does not stablish the user sesión. Besides, as the Freeradius sends both identities, sometimes the accountings shows the outer identity, not the inner one. ¿Is there any way to send only the inner identity in the Access-Accept packet? (6) Login OK: [pruebas.wifi@uah.es] (from client WLAN-1 port 0 cli B49D0B8C389F via TLS tunnel) (6) } # server inner (6) Virtual server sending reply (6) User-Name = "pruebas.wifi@uah.es" (6) Class = 0x414c554d4e4f53 (6) Filter-Id = "ALUMNOS" (6) eap_ttls: Got tunneled Access-Accept (6) eap: Sending EAP Success (code 3) ID 8 length 4 (6) eap: Freeing handler (6) [eap] = ok (6) } # authenticate = ok (6) Login OK: [anonymous@uah.es] (from client WLAN-1 port 0 cli B49D0B8C389F) (6) Sent Access-Accept Id 56 from 192.168.153.175:1812 to 172.17.47.240:37462 length 0 (6) User-Name = "anonymous@uah.es" (6) User-Name = "pruebas.wifi@uah.es" (6) Class = 0x414c554d4e4f53 (6) Filter-Id = "ALUMNOS" (6) MS-MPPE-Recv-Key = 0x567a04806953128ea5aadb908f6728a6753794d66a6ec189964c4f2e54cfb15b (6) MS-MPPE-Send-Key = 0x068df56d4605c2a4b62e8f4eee3fdb12031bdebf9eaa4201d6d08b310246d6d4 (6) EAP-Message = 0x03080004 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) Finished request Best regards. Mª Isabel Torres López Comunicaciones - Servicios Informáticos Universidad de Alcalá Correo: Isabel.torres@uah.es<mailto:Isabel.torres@uah.es> Telefono: 918856458
On Dec 11, 2019, at 11:12 AM, Torres López María Isabel <isabel.torres@uah.es> wrote:
Currently, we are running Freeradius 3.0.11.
3.0.20 is the newest release. It has some changes to the policies which affect the outer identity in the Access-Accept.
It works correctly with our wireless controler, but when we upgrade the firmware of our wireless controlles, the users are not able to stablish sesión anymore. The problem is that the freeradius is sending two User-Name values in the Access-Accept packet (the inner and the outer identity), and the Wireless controler detects two values and drops the packet. The authentication is correct, but the Wireless controller does not stablish the user sesión. Besides, as the Freeradius sends both identities, sometimes the accountings shows the outer identity, not the inner one. ¿Is there any way to send only the inner identity in the Access-Accept packet?
Upgrade to 3.0.20, and see the new policies in sites-available/default: # If both session-state and reply contain a User-Name attribute, remove # the one in the reply if it is just a copy of the one in the request, so # we don't end up with two User-Name attributes. if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } You may also be able to edit the policies in 3.0.11 to copy the above. See the "default" virtual server for more details. Alan DeKok.
participants (2)
-
Alan DeKok -
Torres López María Isabel