eap-ttls proxy and ldap
hi i try to proxy eap-ttls request from a freeradius server to another i use outer identity anonymous@domainename and username login@domainename first server proxy to the second a request with anonymous as username so it don t work if i use outer identity anonymous@anoterdomain ( anoterdomain is local to the first server ) all works fine , the proxy request is with login as username i use freeradius 1.1.3 on debian on this server here are my logs i have other proxy that works well thanks rad_recv: Access-Request packet from host xxx:1814, id=36, length=162 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "000d.eddf.7aa6" Calling-Station-Id = "0002.2d70.02a2" Service-Type = Login-User Message-Authenticator = 0xdd3f8213af874ac3b02b2ad676fa70cc EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672 NAS-Port-Type = Wireless-802.11 NAS-Port = 165300 NAS-IP-Address = xxx NAS-Identifier = "xxx" Proxy-State = 0x3336 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_eap: EAP packet type response id 2 length 30 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 14 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 Found Autz-Type enc Processing the authorize section of radiusd.conf modcall: entering group enc for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'dc=enc,dc=sorbonne,dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=enc,dc=sorbonne,dc=fr, with filter (uid=anonymous) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "enc" returns notfound for request 2 modcall: leaving group enc (returns notfound) for request 2 rad_check_password: Found Auth-Type pap auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 2 rlm_pap: Attribute "Password" is required for authentication. modcall[authenticate]: module "pap" returns invalid for request 2 modcall: leaving group PAP (returns invalid) for request 2 auth: Failed to validate the user. Delaying request 2 for 1 seconds Finished request 2 Going to the next request Waking up in 3 seconds...
i try with a user in the users file : same probleme anonymous@etab1 and login@etab1 dont work ( proxy a request with user-name = anonymous ) anonymous@etab2 and login@etab1 works i have two differents versions of freeradius on the two server
hi i try to proxy eap-ttls request from a freeradius server to another i use outer identity anonymous@domainename and username login@domainename first server proxy to the second a request with anonymous as username so it don t work
if i use outer identity anonymous@anoterdomain ( anoterdomain is local to the first server ) all works fine , the proxy request is with login as username i use freeradius 1.1.3 on debian on this server here are my logs i have other proxy that works well
thanks
rad_recv: Access-Request packet from host xxx:1814, id=36, length=162 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "000d.eddf.7aa6" Calling-Station-Id = "0002.2d70.02a2" Service-Type = Login-User Message-Authenticator = 0xdd3f8213af874ac3b02b2ad676fa70cc EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672 NAS-Port-Type = Wireless-802.11 NAS-Port = 165300 NAS-IP-Address = xxx NAS-Identifier = "xxx" Proxy-State = 0x3336 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_eap: EAP packet type response id 2 length 30 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 14 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 Found Autz-Type enc Processing the authorize section of radiusd.conf modcall: entering group enc for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous radius_xlat: '(uid=anonymous)' radius_xlat: 'dc=enc,dc=sorbonne,dc=fr' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=enc,dc=sorbonne,dc=fr, with filter (uid=anonymous) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "enc" returns notfound for request 2 modcall: leaving group enc (returns notfound) for request 2 rad_check_password: Found Auth-Type pap auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 2 rlm_pap: Attribute "Password" is required for authentication. modcall[authenticate]: module "pap" returns invalid for request 2 modcall: leaving group PAP (returns invalid) for request 2 auth: Failed to validate the user. Delaying request 2 for 1 seconds Finished request 2 Going to the next request Waking up in 3 seconds...
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
basile wrote:
i try with a user in the users file : same probleme anonymous@etab1 and login@etab1 dont work ( proxy a request with user-name = anonymous ) anonymous@etab2 and login@etab1 works
You can cancel proxying for anonymous users. DEFAULT User-Name =~ "^anonymous", Proxy-To-Realm := LOCAL This requires a LOCAL realm in proxy.conf. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
i don t want cancel proxying i m doing eap-ttls , and user with realm @etab1 have to be proxied to another radius server , proxy works fine but authentication is done with anonymous witch don t work the first server don t send good username logs on the second server ( end server ) rad_recv: Access-Request packet from host xxx:1814, id=0, length=168 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0011.bb08.1750" Calling-Station-Id = "0002.2d70.02a2" Service-Type = Login-User Message-Authenticator = 0x0bcc9455270523eb776eee73ffb48e7e EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672 NAS-Port-Type = Wireless-802.11 NAS-Port = 569 NAS-IP-Address = NAS-Identifier = "AP1100_WDS_MANAGER" Proxy-State = 0x313630 rlm_ldap: - authorize rlm_ldap: performing user authorization for anonymous rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: (re)connect to yyy:389, authentication 0 rlm_ldap: bind as ... dc=enc,dc=sorbonne,dc=fr/xxxxxxxxx to yyy:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_pap: Attribute "Password" is required for authentication. rad_recv: Access-Request packet from host xxx:1814, id=0, length=168 Sending Access-Reject of id 0 to xxx port 1814 Proxy-State = 0x313630 and on the first server ( proxy server ) Re-sending Access-Request of id 0 to yyy port 1812 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0011.bb08.1750" Calling-Station-Id = "0002.2d70.02a2" Service-Type = Login-User Message-Authenticator = 0x00000000000000000000000000000000 EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672 NAS-Port-Type = Wireless-802.11 NAS-Port = 623 NAS-IP-Address = NAS-Identifier = "AP1100_WDS_MANAGER" Client-IP-Address = Stripped-User-Name = "anonymous" Realm = "enc.sorbonne.fr" EAP-Type = Identity Realm = "enc.sorbonne.fr" Proxy-State = 0x313834 rad_recv: Access-Reject packet from host yyy:1812, id=0, length=25 Proxy-State = 0x313834 Login incorrect (Home Server says so): [anonymous/<no User-Password attribute>] (from client localhost port 623 cli 0002.2d70.02a2) Alan DeKok a écrit :
basile wrote:
i try with a user in the users file : same probleme anonymous@etab1 and login@etab1 dont work ( proxy a request with user-name = anonymous ) anonymous@etab2 and login@etab1 works
You can cancel proxying for anonymous users.
DEFAULT User-Name =~ "^anonymous", Proxy-To-Realm := LOCAL
This requires a LOCAL realm in proxy.conf.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
basile wrote:
i don t want cancel proxying i m doing eap-ttls , and user with realm @etab1 have to be proxied to another radius server ,
Just configure the realm on the server that's doing the proxying. The requests will then be proxied. After that, configure the home server to authenticate users. This is independent of proxying.
proxy works fine but authentication is done with anonymous witch don t work the first server don t send good username
The first server just proxies whatever the client sends it. You said that's what you wanted/
logs on the second server ( end server )
rad_recv: Access-Request packet from host xxx:1814, id=0, length=168 User-Name = "anonymous"
Set "striprealm = no" on the server that is doing the proxying. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
basile