Hello! All. I try to authenticate with EAP-TTLS at the customer's request, but I would like help if I have a problem. Authentication itself is also possible on the real machine, but there is a log of user's Login OK in radius.log at the time of authentication, but two of username and anonymous will be output. (Location of the symbol of ★) The customer's request is very embarrassing to say that the output of this Login OK log can be combined with the Login OK output by username. Are there any good plans or methods? Paste the problem log below. Any help would be appreciated. ------------------------------------------------------------------------------- Jul 12 13:37:54 xradius radiusd[2415]: Loaded virtual server inner-tunnel Jul 12 13:37:54 xradius radiusd[2415]: Ready to process requests Jul 12 13:38:37 xradius radiusd[2415]: Need 5 more connections to reach 10 spares Jul 12 13:38:37 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Opening additional connection (5), 1 of 27 pending slots used ★Jul 12 13:38:37 xradius radiusd[2415]: (5) Login OK: [rt015] (from client testwlc01 port 0 via TLS tunnel) LDAP;50-3E-AA-6D-ED-7E;;;;;;rt015 ★Jul 12 13:38:37 xradius radiusd[2415]: (5) Login OK: [anonymous] (from client testwlc01 port 12289 cli 50-3E-AA-6D-ED-7E) eap;50-3E-AA-6D-ED-7E;08-35-71-F2-CE-05;CONNECT 802.11g;;;;anonymous Jul 12 15:04:23 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Closing connection (2): Hit idle_timeout, was idle for 5189 seconds Jul 12 15:04:23 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Closing connection (3): Hit idle_timeout, was idle for 5189 seconds Jul 12 15:04:23 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Closing connection (4): Hit idle_timeout, was idle for 5189 seconds Jul 12 15:04:23 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Closing connection (0): Hit idle_timeout, was idle for 5146 seconds Jul 12 15:04:23 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Closing connection (5): Hit idle_timeout, was idle for 5146 seconds Jul 12 15:04:23 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Closing connection (1): Hit idle_timeout, was idle for 5146 seconds Jul 12 15:04:23 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Opening additional connection (6), 1 of 32 pending slots used Jul 12 15:04:24 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Bind with uid=radius,ou=systems,dc=hoge,dc=fuga,dc=co,dc=jp to ldaps://ldap.hoge.fuga.co.jp:636 failed: Can't contact LDAP server Jul 12 15:04:24 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Opening connection failed (6) Jul 12 15:04:24 xradius radiusd[2415]: (11) Invalid user: [rt015] (from client testwlc01 port 0 via TLS tunnel) ;50-3E-AA-6D-ED-7E;;;;;;rt015 Jul 12 15:04:24 xradius radiusd[2415]: (11) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP sub-module failed): [anonymous] (from client testwlc01 port 12289 cli 50-3E-AA-6D-ED-7E) eap;50-3E-AA-6D-ED-7E;08-35-71-F2-CE-05;CONNECT 802.11g;;;;anonymous Jul 12 15:09:11 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Opening additional connection (7), 1 of 1 pending slots used Jul 12 15:09:11 xradius radiusd[2415]: Need 2 more connections to reach min connections (3) Jul 12 15:09:11 xradius radiusd[2415]: rlm_ldap (ldap_allusers): Opening additional connection (8), 1 of 2 pending slots used ★Jul 12 15:09:11 xradius radiusd[2415]: (24) Login OK: [rt015] (from client testwlc01 port 0 via TLS tunnel) LDAP;50-3E-AA-6D-ED-7E;;;;;;rt015 ★Jul 12 15:09:11 xradius radiusd[2415]: (24) Login OK: [anonymous] (from client testwlc01 port 12289 cli 50-3E-AA-6D-ED-7E) eap;50-3E-AA-6D-ED-7E;08-35-71-F2-CE-05;CONNECT 802.11g;;;;anonymous Jul 12 15:16:48 xradius radiusd[2415]: Signalled to terminate Jul 12 15:16:48 xradius radiusd[2415]: Exiting normally
On Jul 17, 2019, at 7:08 AM, Yuya Yanagi <peacefull64@gmail.com> wrote:
I try to authenticate with EAP-TTLS at the customer's request, but I would like help if I have a problem.
Authentication itself is also possible on the real machine, but there is a log of user's Login OK in radius.log at the time of authentication, but two of username and anonymous will be output. (Location of the symbol of ★)
Yes. TTLS has an outer authentication and an inner authentication. If you configure authentication logging, then it logs both.
The customer's request is very embarrassing to say that the output of this Login OK log can be combined with the Login OK output by username.
What does that mean? What's embarrassing about the logs? Alan DeKok.
Hi,Alan Thank you for your reply! I explained that two logs were output, but I explained to the customer referring to the contents of the email and understood it. ・ Is there a way to display by username instead of anonymously? ・ Why become anonymous? regards y.y 2019年7月17日(水) 20:32 Alan DeKok <aland@deployingradius.com>:
On Jul 17, 2019, at 7:08 AM, Yuya Yanagi <peacefull64@gmail.com> wrote:
I try to authenticate with EAP-TTLS at the customer's request, but I would like help if I have a problem.
Authentication itself is also possible on the real machine, but there is a log of user's Login OK in radius.log at the time of authentication, but two of username and anonymous will be output. (Location of the symbol of ★)
Yes. TTLS has an outer authentication and an inner authentication. If you configure authentication logging, then it logs both.
The customer's request is very embarrassing to say that the output of this Login OK log can be combined with the Login OK output by username.
What does that mean?
What's embarrassing about the logs?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,Alan Thank you for your reply! The customer was informed about Alan's answer. I understand the contents of RFC 7542, but I am aware of the risk, and the request is for the outside user name to be written in the log by the user name instead of [anonymous]. We will ask two questions to see if it is feasible. 1. Is it impossible to modify the freeradius OSS itself? 2. Is there a way to do this with commands or settings? y.y 2019-07-21 0:55 GMT+09:00, Alan DeKok <aland@deployingradius.com>:
On Jul 20, 2019, at 11:45 AM, Yuya Yanagi <peacefull64@gmail.com> wrote:
・ Is there a way to display by username instead of anonymously?
The outer User-Name *is* "anonymous".
・ Why become anonymous?
For security. See RFC 7542
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 23, 2019, at 8:49 PM, Yuya Yanagi <peacefull64@gmail.com> wrote:
The customer was informed about Alan's answer.
I understand the contents of RFC 7542, but I am aware of the risk, and the request is for the outside user name to be written in the log by the user name instead of [anonymous]. We will ask two questions to see if it is feasible.
1. Is it impossible to modify the freeradius OSS itself?
You're free to edit the FreeRADIUS source code. However, many unusual changes will not be accepted back, because we have strong opinions about how things should work.
2. Is there a way to do this with commands or settings?
Sure. Edit the User-Name attribute in the "post-auth" section. This is done in the default configuration. See sites-available/default, the "post-auth" section. You may need to install 3.0.19 to get the most recent policies. Alan DeKok.
Hi,Alan Help me I'm sorry I saw the post-auth section of sites-available / default I do not know how to set it up. How should I set it up? I tried to put in the following description, but the result was not affected... -------- update reply { User-Name := &request:User-Name } 2019-07-24 10:01 GMT+09:00, Alan DeKok <aland@deployingradius.com>:
On Jul 23, 2019, at 8:49 PM, Yuya Yanagi <peacefull64@gmail.com> wrote:
The customer was informed about Alan's answer.
I understand the contents of RFC 7542, but I am aware of the risk, and the request is for the outside user name to be written in the log by the user name instead of [anonymous]. We will ask two questions to see if it is feasible.
1. Is it impossible to modify the freeradius OSS itself?
You're free to edit the FreeRADIUS source code. However, many unusual changes will not be accepted back, because we have strong opinions about how things should work.
2. Is there a way to do this with commands or settings?
Sure. Edit the User-Name attribute in the "post-auth" section.
This is done in the default configuration. See sites-available/default, the "post-auth" section. You may need to install 3.0.19 to get the most recent policies.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 23, 2019, at 10:28 PM, Yuya Yanagi <peacefull64@gmail.com> wrote:
I'm sorry I saw the post-auth section of sites-available / default I do not know how to set it up. How should I set it up?
Use 3.0.19, and the configuration there in the "post-auth" section will automatically do what you want.
I tried to put in the following description, but the result was not affected...
Because that does nothing useful. Download 3.0.19 and look at its configuration. Alan DeKok.
participants (2)
-
Alan DeKok -
Yuya Yanagi