EAP tunnel username problem
Hi all, We're running freeRADIUS 3.0.21 for 802.1x authentication. It works all the time. However, we note that occasionally in log entries for successful login, the username logged by default site is different from the real username,e.g. 1. Username changed to "user" while domain part remains unchanged: Wed Mar 22 17:28:20 2023 : Auth: (23249490) Login OK: [skywalker@mydomain.hk] (from client ctrl01 port 0 via TLS tunnel) Wed Mar 22 17:28:20 2023 : Auth: (23249491) Login OK: [user@mydomain.hk] (from client ctrl01 port 0 cli 67A2ED8ECBAF) 1. First character in username is stripped: Wed Mar 22 15:39:12 2023 : Auth: (23080299) Login OK: [s1234567890@mydomain.hk] (from client ctrl01 port 0 via TLS tunnel) Wed Mar 22 15:39:12 2023 : Auth: (23080300) Login OK: [1234567890@mydomain.hk] (from client ctrl01 port 0 cli 73D2ED9CABEB) I've no idea as over 99% of the logs look good. Would anyone please help? Thanks a lot. Best Rgds /st wong
On Mar 28, 2023, at 4:45 PM, ST Wong (ITSC) <ST@itsc.cuhk.edu.hk> wrote:
We're running freeRADIUS 3.0.21 for 802.1x authentication. It works all the time. However, we note that occasionally in log entries for successful login, the username logged by default site is different from the real username,e.g.
1. Username changed to "user" while domain part remains unchanged:
Wed Mar 22 17:28:20 2023 : Auth: (23249490) Login OK: [skywalker@mydomain.hk] (from client ctrl01 port 0 via TLS tunnel) Wed Mar 22 17:28:20 2023 : Auth: (23249491) Login OK: [user@mydomain.hk] (from client ctrl01 port 0 cli 67A2ED8ECBAF)
Read the debug log to see what the server is doing. Nothing in in the default configuration does these kinds of edits. Alan DeKok.
Seems someone crafted the outer identity to some value different from the inner identity in the EAP client... Thanks. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+st=itsc.cuhk.edu.hk@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Tuesday, March 28, 2023 4:01 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: EAP tunnel username problem On Mar 28, 2023, at 4:45 PM, ST Wong (ITSC) <ST@itsc.cuhk.edu.hk> wrote:
We're running freeRADIUS 3.0.21 for 802.1x authentication. It works all the time. However, we note that occasionally in log entries for successful login, the username logged by default site is different from the real username,e.g.
1. Username changed to "user" while domain part remains unchanged:
Wed Mar 22 17:28:20 2023 : Auth: (23249490) Login OK: [skywalker@mydomain.hk] (from client ctrl01 port 0 via TLS tunnel) Wed Mar 22 17:28:20 2023 : Auth: (23249491) Login OK: [user@mydomain.hk] (from client ctrl01 port 0 cli 67A2ED8ECBAF)
Read the debug log to see what the server is doing. Nothing in in the default configuration does these kinds of edits. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
ST Wong (ITSC)