PEAP-MSCHAPv2 and anonymous outer identity - can't understand passing inner username to outer tunnel
Hi all, I’ve got FreeRADIUS handling our “eduroam” needs at my university. Users from outside our realms are proxied to the national eduroam proxies, and users matching our realms are handled locally: -Authentication: PEAP-MSCHAPv2 authentication (using ntlm_auth) against our Active Directory domain controllers -Post-Auth in outer server file: for users of our own realm and on our own campus’s network, I use a few “if” statements (one based on a username pattern, another based on an LDAP-Group lookup of Stripped-User-Name) to send the VLAN ID to the access point. This works wonderfully when using the same inner and outer identity, but after I set up anonymous outer identities on my clients, the VLAN ID assignment in the post-auth section doesn’t work properly, as it uses the outer identity “anonymous” instead of the username from the inner tunnel. I’ve spent about a day and a half working on this, going through old mailing list posts and the documentation, inserting and removing sections, with no progress being made. It’s clear that I’ve missed some piece of information or misunderstood a critical concept, regarding how to pass the inner identity (hopefully both User-Name and Stripped-User-Name) to the outer post-auth section. (I don’t need the actual Access-Accept message to contain the inner identity, I just need to be able to use it for the VLAN assignment.) I thought that the “copy_request_to_tunnel” and “use_tunneled_reply” would update at least the User-Name attribute (though not the Stripped-User-Name attribute of the outer tunnel), but even my first “if” statement in my outer-tunnel post-auth section, which uses the User-Name attribute, always receives “anonymous” as the User-Name attribute. I also tried making a dictionary Attribute for local use (ID between 3000 and 4000, type string), along the lines of “Username-to-use-for-VLAN-assignment”, and having it be set in the inner-tunnel server and accessible to the outer-tunnel server, but I think I’ve misunderstood how this works. Given the trouble I’m having, I think I’ve missed something that should have been obvious (with more sleep? or more coffee?) and would really appreciate any pointers that might come to mind! I’ve included below: —outer-tunnel configuration —inner-tunnel configuration —eap module configuration Does anyone have any advice on what I might have missed, or where to look? Happy to provide a debug. Apologies for anything incomprehensible in the configs… they are put together from a number of different tutorials from GEANT and other online resources, and I am relatively new to RADIUS. Best, Samuel server eduroam { listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } authorize { if ("%{client:shortname}" !~ /rad[1-2]\.eduroam\.fr/) { update request { Operator-Name := "1MYDOMAIN.FR" } } auth_log suffix if (Realm == "NULL") { update request { &Module-Failure-Message += 'Rejected: Realm is NULL' } reject } eap } authenticate { # Uniquement le module eap eap } preacct { suffix } accounting { } post-auth { if ("%{client:shortname}" == "campus-wifi") { update reply { Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 Tunnel-Private-Group-ID := 6 # Unless a user-group check below indicates a different VLAN, user will get VLAN 6, the guest VLAN. } if (Realm == "MYDOMAIN.FR") || (Realm == "SECONDARYDOMAIN.FR") { if (&User-Name =~ /[aA][1234567890][1234567890]*/) { # for User-Name starting with a[1-9].... update reply { Tunnel-Private-Group-ID := 17 # Set to student VLAN. } } elsif (LDAP-Group == "CN=Employees,OU=Groups,DC=mydomain,DC=local") { # For staff and faculty... update reply { Tunnel-Private-Group-ID := 15 # Set to staff VLAN } } else { update reply { Tunnel-Private-Group-ID := 6 # For all users not covered above, set to guest VLAN } } } } reply_log Post-Auth-Type REJECT { reply_log } } pre-proxy { pre_proxy_log if("%{Packet-Type}" != "Accounting-Request") { attr_filter.pre-proxy } } post-proxy { post_proxy_log attr_filter.post-proxy } } server eduroam-inner-tunnel { authorize { auth_log files # for the eduroam test account eap mschap pap } authenticate { Auth-Type ntlm_auth { ntlm_auth } Auth-Type PAP { pap } Auth-Type MS-CHAP { mschap } eap } post-auth { reply_log Post-Auth-Type REJECT { reply_log update outer.session-state { &Module-Failure-Message := &request:Module-Failure-Message } } } } eap { # General EAP information default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls-common { private_key_file = ${certdir}/myCert.key certificate_file = ${certdir}/myCert.cer ca_file = ${cadir}/myCertCA.cer dh_file = ${certdir}/dh random_file = /dev/urandom ca_path = ${cadir} cipher_list = "DEFAULT@SECLEVEL=1" ecdh_curve = "prime256v1" tls_min_version = "1.0" tls_max_version = "1.2" cache { enable = yes name = example-cache-name # NAME OF CACHE persist_dir = ${logdir}/tlscache } verify { } ocsp { enable = no } } # Declare the EAP methods being used. ttls { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" } mschapv2 { } }
hi, being very flexible there are dozens of ways in which this can be achieved - however, you dont want to be using the outer-id for decision making - such things should be set in your local inner-tunnel (where you know the real Id) and then sent 'up' to the outer layer for the reply. I can probably help you further off list (I would also suggest that you have another defined outer and inner virtual server defined for inbound traffic from the national proxies (as in those cases you dont want to waste any time defining VLAN return attributes etc , just authenticate and over and done with.) regards alan
On May 3, 2022, at 6:52 PM, Samuel Walker-Kierluk via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I’ve got FreeRADIUS handling our “eduroam” needs at my university. Users from outside our realms are proxied to the national eduroam proxies, and users matching our realms are handled locally: -Authentication: PEAP-MSCHAPv2 authentication (using ntlm_auth) against our Active Directory domain controllers -Post-Auth in outer server file: for users of our own realm and on our own campus’s network, I use a few “if” statements (one based on a username pattern, another based on an LDAP-Group lookup of Stripped-User-Name) to send the VLAN ID to the access point.
That's good.
This works wonderfully when using the same inner and outer identity, but after I set up anonymous outer identities on my clients, the VLAN ID assignment in the post-auth section doesn’t work properly, as it uses the outer identity “anonymous” instead of the username from the inner tunnel.
So move the checks to the inner-tunnel. The only magic is you should then add the VLAN attributes to the outer.session-state list. The "post-auth" section will automatically add them to the outer reply. See the "post-auth" section of the inner-tunnel virtual server, and the post-auth section of the default virtual server. # # For EAP-TTLS and PEAP, add the cached attributes to the reply. # The "session-state" attributes are automatically cached when # an Access-Challenge is sent, and automatically retrieved # when an Access-Request is received. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Samuel Walker-Kierluk