Authorize/authenticate with LDAP

Thierry CHICH thierry.chich at ac-clermont.fr
Wed Jan 16 17:16:18 CET 2008


On Wednesday 16 January 2008, Arran Cudbard-Bell wrote:
> Thierry CHICH wrote:
> > On Wednesday 16 January 2008, Alan DeKok wrote:
> >> Thierry CHICH wrote:
> >>> I have an access-point, and I want to use EAP/TTLS in order to
> >>> authenticate people on my LDAP server. The first time, I had then
> >>> something like that:
> >>
> >> ...
> >>
> >>> in my intel proset, if I am giving a false identity in my roaming
> >>> profile with a good identity and a good password, it is working. The
> >>> authorization step doesn't work as I want. The most important problem
> >>> is that the accounting is using my roaming profile.
> >>
> >>   Yes.  The outer identity is often "anonymous", and does not matter for
> >> authentication.
> >>
> >>   If you set the User-Name in the Access-Accept, the NAS *should* use
> >> that name for accounting, and not the name from the outer identity.
> >
> > Thanks for your answer. I am happy to see that it is not totally weird.
> >
> > But what can I do in order to "set the User-Name in the Access-Accept" ?
> >
> > When I watch the logs, I see the following events
> >
> > First, all is going well :
> >
> > rlm_ldap: user GOOD.NAME authenticated succesfully
> >   modcall[authenticate]: module "ldap" returns ok for request 6
> > modcall: leaving group LDAP (returns ok) for request 6
> > radius_xlat:  'GOOD.NAME at ac-clermont.fr vous allez acceder en INTERNE au
> > Rectorat de Clermont-Ferrand'
> >   TTLS: Got tunneled reply RADIUS code 2
> >         Reply-Message = "GOOD.NAME at ac-clermont.fr vous allez acceder en
> > INTERNE au Rectorat de Clermont-Ferrand"
> >   TTLS: Got tunneled Access-Accept
> >   rlm_eap: Freeing handler
> >   modcall[authenticate]: module "eap" returns ok for request 6
> > modcall: leaving group authenticate (returns ok) for request 6
> >
> > But after that good beginning, I come back to the FAKE.NAME I have
> > written as my outer identity :
> >
> > radius_xlat:  'FAKE.NAME at ac-clermont.fr vous allez acceder en INTERNE au
> > Rectorat de Clermont-Ferrand'
> > Sending Access-Accept of id 13 to 172.30.87.66 port 3689
> >         Reply-Message = "FAKE.NAME at ac-clermont.fr vous allez acceder en
> > INTERNE au Rectorat de Clermont-Ferrand"
> >         MS-MPPE-Recv-Key =
> > 0x0c447e72b7c080648ded12ab5990dd20dc9832c2b9a78bf1630fa5fcdac41633
> >         MS-MPPE-Send-Key =
> > 0x1dd7d8cf377ebc9b47b2cddb290b95aa61140f4fe13d69e52f4102426d3c25ae
> >         EAP-Message = 0x030d0004
> >         Message-Authenticator = 0x00000000000000000000000000000000
> >         User-Name = "FAKE.NAME"
> >
>
> What version of FR are you running ?

freeradius Version 1.1.3 ??? I can't believe it! I thought I was using
version 1.1.6! Is it possible that the behavior will change if I upgrade?
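
Added example, not part of the thread and not FreeRADIUS code: a check for the symptom in the quoted debug output, comparing the name rlm_ldap authenticated inside the TTLS tunnel with the User-Name sent in the final Access-Accept. The sample log is constructed in the shape of the lines quoted above; the function names and verdict labels are assumptions of this example.

```python
import re

# Constructed sample shaped like the radiusd -X output quoted in the thread;
# user names, packet ids and the 192.0.2.10 address are placeholders.
SAMPLE_DEBUG = """\
rlm_ldap: user GOOD.NAME authenticated succesfully
  TTLS: Got tunneled Access-Accept
Sending Access-Accept of id 13 to 192.0.2.10 port 3689
        EAP-Message = 0x030d0004
        User-Name = "FAKE.NAME"
Finished request 6
rlm_ldap: user OTHER.NAME authenticated succesfully
Sending Access-Accept of id 14 to 192.0.2.10 port 3689
        EAP-Message = 0x030e0004
Finished request 7
rlm_ldap: user THIRD.NAME authenticated succesfully
Sending Access-Accept of id 15 to 192.0.2.10 port 3689
        User-Name = "THIRD.NAME"
"""

LDAP_OK = re.compile(r"rlm_ldap: user (\S+) authenticated")
ACCEPT = re.compile(r"^Sending Access-Accept of id (\d+)")
USER_NAME = re.compile(r'^\s+User-Name = "([^"]*)"')

def verdict(inner, reply):
    if inner is None:
        return "no-inner-auth"   # nothing in the log says who was verified
    if reply is None:
        return "missing"         # NAS keeps the outer identity for accounting
    return "ok" if reply == inner else "mismatch"

def audit_accepts(debug_text):
    """Return (packet id, LDAP-verified name, reply User-Name, verdict) per Access-Accept."""
    accepts, inner, in_block = [], None, False
    for line in debug_text.splitlines():
        m = ACCEPT.match(line)
        if m:   # start of an outgoing Access-Accept and its attribute list
            accepts.append([int(m.group(1)), inner, None])
            inner, in_block = None, True
        elif in_block and line[:1].isspace():   # indented attribute line
            u = USER_NAME.match(line)
            if u:
                accepts[-1][2] = u.group(1)
        else:   # any other log line ends the attribute list
            in_block = False
            m = LDAP_OK.search(line)
            if m:
                inner = m.group(1)
    return [(pid, inn, rep, verdict(inn, rep)) for pid, inn, rep in accepts]
```

Debug output pasted from e-mail usually has long attribute lines wrapped; rejoin them before feeding the text to `audit_accepts`, since an unindented continuation line ends the attribute list.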


