eap-ttls proxy and ldap
basile
bmathieu at siris.sorbonne.fr
Thu Mar 1 14:27:10 CET 2007
I don't want to cancel proxying.
I'm doing EAP-TTLS, and users with realm @etab1 have to be proxied to
another RADIUS server. Proxying works fine, but authentication is done with
anonymous, which doesn't work.
The first server doesn't send the right username.
Logs on the second server (end server):
rad_recv: Access-Request packet from host xxx:1814, id=0, length=168
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "0011.bb08.1750"
Calling-Station-Id = "0002.2d70.02a2"
Service-Type = Login-User
Message-Authenticator = 0x0bcc9455270523eb776eee73ffb48e7e
EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672
NAS-Port-Type = Wireless-802.11
NAS-Port = 569
NAS-IP-Address =
NAS-Identifier = "AP1100_WDS_MANAGER"
Proxy-State = 0x313630
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to yyy:389, authentication 0
rlm_ldap: bind as ... dc=enc,dc=sorbonne,dc=fr/xxxxxxxxx to yyy:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_pap: Attribute "Password" is required for authentication.
rad_recv: Access-Request packet from host xxx:1814, id=0, length=168
Sending Access-Reject of id 0 to xxx port 1814
Proxy-State = 0x313630
And on the first server (proxy server):
Re-sending Access-Request of id 0 to yyy port 1812
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "0011.bb08.1750"
Calling-Station-Id = "0002.2d70.02a2"
Service-Type = Login-User
Message-Authenticator = 0x00000000000000000000000000000000
EAP-Message = 0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672
NAS-Port-Type = Wireless-802.11
NAS-Port = 623
NAS-IP-Address =
NAS-Identifier = "AP1100_WDS_MANAGER"
Client-IP-Address =
Stripped-User-Name = "anonymous"
Realm = "enc.sorbonne.fr"
EAP-Type = Identity
Realm = "enc.sorbonne.fr"
Proxy-State = 0x313834
rad_recv: Access-Reject packet from host yyy:1812, id=0, length=25
Proxy-State = 0x313834
Login incorrect (Home Server says so): [anonymous/<no User-Password attribute>] (from client localhost port 623 cli 0002.2d70.02a2)
Alan DeKok wrote:
> basile wrote:
>
>> I tried with a user in the users file: same problem.
>> anonymous at etab1 and login at etab1 doesn't work (it proxies a request with
>> User-Name = anonymous).
>> anonymous at etab2 and login at etab1 works.
>>
>>
>
> You can cancel proxying for anonymous users.
>
> DEFAULT User-Name =~ "^anonymous", Proxy-To-Realm := LOCAL
>
> This requires a LOCAL realm in proxy.conf.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
>
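
Added example, not part of the original message and not FreeRADIUS code: a small decoder for the EAP-Message value that appears in both logs above, using the RFC 3748 packet layout, to show which identity the proxied Access-Request actually carries. The function names and the split_realm helper are hypothetical, and the realm split is a simplified stand-in for the server's own realm handling.

```python
import struct

# EAP-Message value copied from the Access-Request in the logs above.
EAP_HEX = "0x0202001e01616e6f6e796d6f757340656e632e736f72626f6e6e652e6672"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def parse_eap(hex_value):
    """Parse one EAP packet (RFC 3748 header) from a 0x-prefixed hex string."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the data")
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident,
           "length": length, "type": None, "identity": None}
    # Only Request/Response packets carry a Type byte after the header.
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, str(eap_type))
        if eap_type == 1:  # Identity: the rest of the packet is the name
            pkt["identity"] = raw[5:length].decode("utf-8", errors="replace")
    return pkt


def split_realm(identity):
    """Hypothetical helper: split user@realm at the first '@' (simplified)."""
    user, sep, realm = identity.partition("@")
    return user, (realm if sep else None)


if __name__ == "__main__":
    pkt = parse_eap(EAP_HEX)
    print(pkt)
    print(split_realm(pkt["identity"]))
```

The packet decodes as an EAP-Response/Identity, which matches the "EAP-Type = Identity" line in the proxy server's log; its name still contains the realm, while the User-Name attribute in the same request is the stripped form.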