EAP anonymous and inner User-name

Florian Prester Florian.Prester at rrze.uni-erlangen.de
Fri Nov 17 13:26:17 CET 2006


Stefan Winter wrote:
> Hello,
>
>   
>>  I want to provide the possibility of anonymous EAP, with inner
>> User-name and password.
>>     
>
> If you already successfully used outer = inner identity and it worked, you 
> don't need to change anything. The eap module doesn't care about the 
> User-Name of the outer request, just try it out.
>   
Hm, but I want to use "anonymous" as the outer username (for EAP) and
my real username for the authentication/authorization.

>   
>> So I think I have to add the user "anonymous" to the users-file with
>> Auth-type = EAP, but how do I access the inner User-name, which I need
>> for authentication/authorization?
>>     
>
> The inner request will magically show up after the tunnel has been decoded. It 
> is a new request, and will have its own User-Name attribute.
>
>   
Hm, for me it does not work,

my settings:

users-file:
#WLAN-anonymous:
DEFAULT User-Name=~"^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]$", Huntgroup-Name == WLAN
        Auth-Type:=EAP

# Default-Wlan
DEFAULT Auth-Type = pap, Huntgroup-Name == WLAN

my log:
rad_recv: Access-Request packet from host 131.188.4.190:20003, id=173, 
length=148
        NAS-Port-Id = "2059/1"
        Calling-Station-Id = "00-12-17-78-DD-58"
        Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
        Service-Type = Framed-User
        EAP-Message = 0x0
        User-Name = "anonymous"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "Trapeze"
        NAS-IP-Address = 131.188.4.190
        Message-Authenticator = 0x4
Fri Nov 17 12:03:14 2006 : Debug:   Processing the authorize section of 
radiusd.conf
Fri Nov 17 12:03:14 2006 : Debug: modcall: entering group authorize for 
request 0
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling 
preprocess (rlm_preprocess) for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from 
preprocess (rlm_preprocess) for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module 
"preprocess" returns ok for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling 
auth_log (rlm_detail) for request 0
Fri Nov 17 12:03:14 2006 : Debug: radius_xlat:  
'/var/log/radius/radacct/131.188.4.190/auth-detail-20061117'
Fri Nov 17 12:03:14 2006 : Debug: rlm_detail: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands 
to /var /log/radius/radacct/131.188.4.190/auth-detail-20061117
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from 
auth_log (rlm_detail) for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module 
"auth_log" returns ok for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling chap 
(rlm_chap) for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from 
chap (rlm_chap) for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module "chap" 
returns noop for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling mschap 
(rlm_mschap) for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from 
mschap (rlm_mschap) for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module "mschap" 
returns noop for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling eap 
(rlm_eap) for request 0
Fri Nov 17 12:03:14 2006 : Debug:   rlm_eap: EAP packet type response id 
1 length 14
Fri Nov 17 12:03:14 2006 : Debug:   rlm_eap: No EAP Start, assuming it's 
an on-going EAP conversation
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from 
eap (rlm_eap) for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module "eap" 
returns updated for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling files 
(rlm_files) for request 0
Fri Nov 17 12:03:14 2006 : Debug:     users: Matched entry DEFAULT at 
line 157
Fri Nov 17 12:03:14 2006 : Debug: radius_xlat:  'anonymous'
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: returned from 
files (rlm_files) for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modcall[authorize]: module "files" 
returns ok for request 0
Fri Nov 17 12:03:14 2006 : Debug:   modsingle[authorize]: calling ldap 
(rlm_ldap) for request 0
Fri Nov 17 12:03:14 2006 : Debug: rlm_ldap: - authorize
Fri Nov 17 12:03:14 2006 : Debug: rlm_ldap: performing user 
authorization for anonymous

--> HERE the valid user name is needed:

Fri Nov 17 12:03:14 2006 : Debug: radius_xlat:  
'(&(fauRadiusService=WLAN)(fauRadiusId=anonymous))'

Any suggestions?

Greetings
 
  Florian Prester


> Greetings,
>
> Stefan Winter
>


-- 
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Martensstr. 1
91052 Erlangen
Germany

Tel.: +499131 8527813
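
Added example, not part of the original post: a small log check that groups FreeRADIUS debug output per received packet and reports which identity the LDAP authorize lookup was run with. It also marks packets whose EAP length equals 5 + len(User-Name), which is the size of an EAP-Response/Identity, i.e. the first outer packet, sent before any tunnel or inner request exists. The sample log is constructed in the post's format; the second request and the name "jdoe" are hypothetical.

```python
import re

# Constructed sample in the post's debug-log format (long lines unwrapped).
# Request 1 is abridged from the post; request 2 ("jdoe") is hypothetical.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 131.188.4.190:20003, id=173, length=148
        User-Name = "anonymous"
Fri Nov 17 12:03:14 2006 : Debug:   rlm_eap: EAP packet type response id 1 length 14
Fri Nov 17 12:03:14 2006 : Debug: rlm_ldap: performing user authorization for anonymous
rad_recv: Access-Request packet from host 131.188.4.190:20003, id=174, length=143
        User-Name = "jdoe"
Fri Nov 17 12:05:02 2006 : Debug:   rlm_eap: EAP packet type response id 1 length 9
Fri Nov 17 12:05:02 2006 : Debug: rlm_ldap: performing user authorization for jdoe
"""

# Same match as the users-file regex in the post, written case-insensitively.
ANON = re.compile(r"^anonymous$", re.IGNORECASE)

def split_requests(log):
    """Group log lines into one chunk per received packet (rad_recv)."""
    chunks = []
    for line in log.splitlines():
        if line.startswith("rad_recv:"):
            chunks.append([])
        if chunks:
            chunks[-1].append(line)
    return ["\n".join(c) for c in chunks]

def analyse(chunk):
    user = re.search(r'User-Name = "([^"]*)"', chunk)
    eap = re.search(r"rlm_eap: EAP packet type response id \d+ length (\d+)", chunk)
    ldap = re.search(r"rlm_ldap: performing user authorization for (\S+)", chunk)
    name = user.group(1) if user else None
    # Heuristic: an EAP-Response/Identity is a 5-byte header plus the identity,
    # so length == 5 + len(User-Name) marks the first packet of the outer
    # conversation, before any tunnel (and any inner request) exists.
    identity = bool(name is not None and eap and int(eap.group(1)) == 5 + len(name))
    return {
        "user": name,
        "outer_identity_packet": identity,
        "ldap_lookup_as": ldap.group(1) if ldap else None,
        "ldap_on_anonymous": bool(ldap and ANON.match(ldap.group(1))),
    }

def report(log):
    return [analyse(c) for c in split_requests(log)]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```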



