Authorize/authenticate with LDAP

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Wed Jan 16 16:45:12 CET 2008


Thierry CHICH wrote:
> On Wednesday 16 January 2008, Alan DeKok wrote:
>   
>> Thierry CHICH wrote:
>>     
>>> I have an access point, and I want to use EAP/TTLS in order to authenticate
>>> people on my LDAP server. The first time, I then had something like this:
>>>       
>> ...
>>
>>     
>>> in my Intel PROSet, if I give a false identity in my roaming profile,
>>> with a good identity and a good password, it works. The
>>> authorization step doesn't work as I want. The most important problem is
>>> that the accounting is using my roaming profile.
>>>       
>>   Yes.  The outer identity is often "anonymous", and does not matter for
>> authentication.
>>
>>   If you set the User-Name in the Access-Accept, the NAS *should* use
>> that name for accounting, and not the name from the outer identity.
>>     
>
> Thanks for your answer. I am happy to see that it is not totally weird.
>
> But what can I do in order to "set the User-Name in the Access-Accept"?
>
> When I look at the logs, I see the following events.
>
> First, all goes well:
>
> rlm_ldap: user GOOD.NAME authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok for request 6
> modcall: leaving group LDAP (returns ok) for request 6
> radius_xlat:  'GOOD.NAME at ac-clermont.fr vous allez acceder en INTERNE au 
> Rectorat de Clermont-Ferrand'
>   TTLS: Got tunneled reply RADIUS code 2
>         Reply-Message = "GOOD.NAME at ac-clermont.fr vous allez acceder en 
> INTERNE au Rectorat de Clermont-Ferrand"
>   TTLS: Got tunneled Access-Accept
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns ok for request 6
> modcall: leaving group authenticate (returns ok) for request 6
>
> But after that good beginning, I am back to the FAKE.NAME I wrote as 
> my outer identity:
>
> radius_xlat:  'FAKE.NAME at ac-clermont.fr vous allez acceder en INTERNE au 
> Rectorat de Clermont-Ferrand'
> Sending Access-Accept of id 13 to 172.30.87.66 port 3689
>         Reply-Message = "FAKE.NAME at ac-clermont.fr vous allez acceder en 
> INTERNE au Rectorat de Clermont-Ferrand"
>         MS-MPPE-Recv-Key = 
> 0x0c447e72b7c080648ded12ab5990dd20dc9832c2b9a78bf1630fa5fcdac41633
>         MS-MPPE-Send-Key = 
> 0x1dd7d8cf377ebc9b47b2cddb290b95aa61140f4fe13d69e52f4102426d3c25ae
>         EAP-Message = 0x030d0004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "FAKE.NAME"
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What version of FR are you running?

-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
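The configuration that does what Alan describes, added here as an illustration and not taken from the thread or from the FreeRADIUS default files. The security point is that with EAP-TTLS (and PEAP) the outer identity is chosen by the supplicant and is never authenticated, so anything the NAS keys on it, accounting included, is under the client's control; the name the NAS should see is the one rlm_ldap actually bound with inside the tunnel. The fragment assumes FreeRADIUS 2.x with the default `inner-tunnel` virtual server (the poster's version is not stated; `use_tunneled_reply` also exists in the 1.1.x `eap.conf`, but 1.x has no virtual servers and no `update` syntax, so only the first half applies there). File paths are the 2.x defaults.

```conf
# raddb/eap.conf, inside the 'eap' section.  Only the 'ttls' sub-section is
# shown; PEAP has the same two directives.
ttls {
	# Reply attributes for the outer Access-Accept are normally built for
	# the outer identity (the client-chosen "anonymous" / FAKE.NAME).
	# 'yes' copies the reply of the tunneled, authenticated request into
	# the outer Access-Accept instead.
	use_tunneled_reply = yes

	# Run the inner request through its own virtual server so the inner
	# and outer policies do not share one 'users' file.
	virtual_server = "inner-tunnel"
}

# raddb/sites-available/inner-tunnel, post-auth section.
# The inner request's User-Name is the one rlm_ldap authenticated.  Putting it
# in the inner reply makes it the User-Name of the outer Access-Accept once
# use_tunneled_reply copies it: rlm_eap only adds the outer request's
# User-Name to an Access-Accept when the reply has no User-Name yet.
post-auth {
	update reply {
		User-Name := "%{request:User-Name}"
	}
}
```

Two things to check after the change. First, in `radiusd -X` the block under "Sending Access-Accept" must show `User-Name = "GOOD.NAME"` rather than the outer name; if the `users` entry that produces the Reply-Message is still listed in the outer server's `authorize` section, the outer reply gets its own copy of that message for FAKE.NAME, so keep that entry in `inner-tunnel` only. Second, RFC 2865 only says the NAS *should* adopt the User-Name from the Access-Accept, so capture a few Accounting-Request packets from the access point and confirm they carry the inner name before relying on it for authorization or billing.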