Authorize/authenticate with LDAP
Thierry CHICH
thierry.chich at ac-clermont.fr
Wed Jan 16 14:59:11 CET 2008
On Wednesday 16 January 2008, Alan DeKok wrote:
> Thierry CHICH wrote:
> > I have an access-point, and I want use EAP/TTLS in order to authenticate
> > people on my LDAP server. The first time, I had then something like that:
>
> ...
>
> > in my intel proset, if I am giving a false identity in my roaming profile
> > with a good identity and a good password, it is working. The
> > authorization step doesn't work as I want. The most important problem is
> > that the accounting is using my roaming profile.
>
> Yes. The outer identity is often "anonymous", and does not matter for
> authentication.
>
> If you set the User-Name in the Access-Accept, the NAS *should* use
> that name for accounting, and not the name from the outer identity.
Thanks for your answer. I am happy to see that it is not totally weird.
But what can I do in order to "set the User-Name in the Access-Accept"?
When I watch the logs, I see the following events.
First, all is going well:
rlm_ldap: user GOOD.NAME authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 6
modcall: leaving group LDAP (returns ok) for request 6
radius_xlat: 'GOOD.NAME at ac-clermont.fr vous allez acceder en INTERNE au
Rectorat de Clermont-Ferrand'
TTLS: Got tunneled reply RADIUS code 2
Reply-Message = "GOOD.NAME at ac-clermont.fr vous allez acceder en
INTERNE au Rectorat de Clermont-Ferrand"
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 6
modcall: leaving group authenticate (returns ok) for request 6
But after that good beginning, I come back to the FAKE.NAME I have written as
my outer identity:
radius_xlat: 'FAKE.NAME at ac-clermont.fr vous allez acceder en INTERNE au
Rectorat de Clermont-Ferrand'
Sending Access-Accept of id 13 to 172.30.87.66 port 3689
Reply-Message = "FAKE.NAME at ac-clermont.fr vous allez acceder en
INTERNE au Rectorat de Clermont-Ferrand"
MS-MPPE-Recv-Key =
0x0c447e72b7c080648ded12ab5990dd20dc9832c2b9a78bf1630fa5fcdac41633
MS-MPPE-Send-Key =
0x1dd7d8cf377ebc9b47b2cddb290b95aa61140f4fe13d69e52f4102426d3c25ae
EAP-Message = 0x030d0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "FAKE.NAME"
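For the "set the User-Name in the Access-Accept" step the quoted reply refers to, here is an added configuration example; it is not from this thread or from the FreeRADIUS distribution files. It assumes a FreeRADIUS 1.x/2.x layout (raddb/eap.conf with a ttls sub-section, reply items in raddb/users) and that the NAS honours a User-Name returned in the Access-Accept, which is NAS-dependent.

```conf
# raddb/eap.conf, "ttls" sub-section of the eap module (assumed path).
#
# Weak (default) setting: only the outer identity ("FAKE.NAME") is ever
# returned to the NAS, so Accounting-Request records carry a name that
# was never authenticated.
ttls {
    default_eap_type = md5
    use_tunneled_reply = no
}

# Corrected setting: reply attributes produced inside the tunnel, where
# rlm_ldap authenticated the real user, are copied into the outer
# Access-Accept sent to the NAS.
ttls {
    default_eap_type = md5
    use_tunneled_reply = yes
}

# raddb/users, reply items for the tunneled (inner) request (assumed path).
# Inside the tunnel %{User-Name} is the LDAP-verified identity, so returning
# it as a reply attribute makes "GOOD.NAME" the User-Name of the outer
# Access-Accept once use_tunneled_reply is on; ":=" overrides any
# User-Name already present in the reply.
DEFAULT
        User-Name := "%{User-Name}",
        Reply-Message = "%{User-Name}@ac-clermont.fr vous allez acceder en INTERNE au Rectorat de Clermont-Ferrand"
```

After restarting, the outer "Sending Access-Accept" block in the radiusd -X output should list User-Name = "GOOD.NAME" instead of the outer identity; whether the accounting packets then follow it is decided by the NAS, which is why the quoted reply says it *should*.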