EAP/TTLS on LDAP with freeradius 2.0.1
Thierry CHICH
thierry.chich at ac-clermont.fr
Wed Feb 6 16:53:05 CET 2008
On Wednesday 06 February 2008, Alan DeKok wrote:
> Thierry CHICH wrote:
> > With the previous release of freeradius 1.1.7, I could do the following
> > things:
> > - people with a correct outer identity and inner identity
> > (login/password) could be authorized and authenticate on a LDAP server,
> > using an EAP-TTLS tunnel, obtained a WPA key.
> > - with the same radius server, I could authenticate people with EAP-PEAP
> > and mschapv2 on a sql database.
>
> 2.0.1 can do this, too.
I didn't really think it couldn't do that.
> > It was nice, but I had a small problem: accounting was done using the
> > outer identity. Since I was using the ldap to do the authorization,
> > people who put an other valid identity didn't be correctly accounted.
>
> In 2.0.1, see raddb/sites-available/inner-tunnel for comments &&
> configuration to fix this. Or, the other reply to your message.
>
> > I always finished by :
> > rlm_eap_ttls: Session established. Proceeding to decode tunneled
> > attributes. auth: No authenticate method (Auth-Type) configuration found
> > for the request: Rejecting the user
>
> The most common cause for this is that you massively edited the
> configuration file without understanding what it was doing. The simple
> answer is DON'T DO THAT.
I understand that very well. I think that "massively" is perhaps a little
bit exaggerated, but I have made a really stupid mistake. I located it
using kdiff3 (thanks to the developer, it is a great tool).
It is working better now that I really use inner-tunnel, rather than just
believing that I use it. Thanks to you.
However, the accounting is still done with the outer identity, even after
putting the following:
update outer.reply {
        User-Name = "%{request.User-Name}"
}
in the post-auth of inner-tunnel.
The
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        User-Name := `%{User-Name}`,
        Fall-Through = yes
in the users configuration file doesn't work any better.
I got:
Login OK: [thierry.chich at ac-clermont.fr/xxxxxxxx] (from client ap-rectorat02 port 0)
+- entering group post-auth
expand: %{request.User-Name} ->
++[outer.reply] returns noop
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [anonymous at ac-clermont.fr\000/<via Auth-Type = EAP>] (from client ap-rectorat02 port 1 cli 00-0E-35-71-04-0C)
Sending Access-Accept of id 27 to 172.30.87.66 port 4347
User-Name = ""
MS-MPPE-Recv-Key =
0xec76f1095e9ec08db58453397df1c7f6a38acc1bada412e45a538ff6da6b60a5
MS-MPPE-Send-Key =
0xb66e7bc27988a1d193f3cdb520c29a8c4fd6c75b4b5e0b4aaf8da3bda7bff2e6
EAP-Message = 0x031b0004
Message-Authenticator = 0x00000000000000000000000000000000
Do you know why User-Name is empty?
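As an added example (it is neither the poster's configuration nor a file shipped with FreeRADIUS), here is the inner-tunnel post-auth block written with the list-qualified xlat syntax that FreeRADIUS 2.x parses: %{<list>:<Attribute>}, with a colon between the list name and the attribute name. The dot form %{request.User-Name} is not a list reference in 2.x; that is consistent with the debug output above, where it expands to an empty string and the outer Access-Accept then carries User-Name = "". The example assumes the stock raddb/sites-available/inner-tunnel virtual server from 2.0.1 that the reply refers to; everything else in that post-auth section is left as distributed.

```unlang
#  raddb/sites-available/inner-tunnel, post-auth section (FreeRADIUS 2.x).
#  Added example, not the poster's file: copy the inner (tunneled) identity
#  into the outer reply, so the NAS accounts for the real user rather than
#  the anonymous outer identity used for the EAP-TTLS/PEAP outer request.
post-auth {
        #  Inside the inner tunnel, %{request:User-Name} is the identity
        #  sent through the TLS tunnel (the one the LDAP/SQL lookup used).
        #  The 2.x syntax is %{<list>:<Attribute>}; "%{request.User-Name}"
        #  (with a dot) is not a list reference and expands to "".
        update outer.reply {
                User-Name = "%{request:User-Name}"
        }
}
```

To check it, run radiusd -X and look for the "expand:" line in the inner-tunnel post-auth group: with the colon form it should show the inner login (thierry.chich at ac-clermont.fr in the session above) instead of nothing, and the final "Sending Access-Accept" block should carry that value in User-Name rather than "".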