realm matching and multiple eap types

paul.osborne at canterbury.ac.uk
Mon Aug 3 16:22:04 CEST 2009


Hi,

I have a running FreeRADIUS installation (v 1.1.3-1.4, as supplied by
Red Hat), which is happily authenticating my local users
(<login>@canterbury.ac.uk) via NTLM to Active Directory on Windows; this
is achieved by matching my local domain in proxy.conf. All other
requests it passes on to an NRPS as part of the JANET Eduroam service
via the DEFAULT realm.

I do, however, need to add certificate-based authentication for a pool
of loan laptops which will not be using local auth (at the laptop end;
this will be dealt with elsewhere by the services that they access), and
this is proving problematic and leaves me with some questions:

1. Since the user names on these pool machines are likely to be of the
form host/testlaptop.another.domain, how can I ensure that I match
the domain entry, since there is no '@' in the user name? I.e. drop the
host/testlaptop and just leave me with .another.domain.

2. How do I configure an additional tls type within eap using a
different set of certificates? These laptops will have auto-generated
certs installed that point back to a root CA within a Windows domain. I
already have certs installed based around the NRPS, but for these laptops
we will be using our own CA cert, which will not be signed off elsewhere;
we can at least install the CA cert onto the laptops as part of
the build to fix up the trust relationships.

Or, assuming that I can get 1 (above) working, am I better off just
proxying the entire auth request on to another RADIUS server? Which, I
admit, does seem a little overkill.

Thoughts, comments etc are more than welcome.

A copy of the debug output, which may be of use, follows at the end
(note that I have deliberately anonymised the IP addresses etc. in the
output).

Regards

Paul
--------------------------
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 31 with timestamp 4a76ebe6
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host AAA.BBB.CCC.DDD:1645, id=156, length=235
        User-Name = "host/certtestlaptop.another.domain"
        Framed-MTU = 1400
        Called-Station-Id = "AA-BB-54-D2-00-74"
        Calling-Station-Id = "AA-BB-DE-18-F9-EB"
        Cisco-AVPair = "ssid=eduroam"
        WISPr-Location-Name = "My building and location"
        Service-Type = Login-User
        Message-Authenticator = 0x0f83b71640a7450739de6c22a58d9064
        EAP-Message = 0x0202002101686f73742f63657274746573746c6170746f702e63632e6c6f63616c
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 192048
        NAS-Port-Id = "192048"
        NAS-IP-Address = AAA.BBB.CCC.DDD
        NAS-Identifier = "access point name"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat:  '/var/log/radius/radacct/AAA.BBB.CCC.DDD/auth-detail-03-08-2009'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address:-%{Framed-IP-Address:-%{NAS-IP-Address}}}/auth-detail-%d-%m-%Y expands to /var/log/radius/radacct/AAA.BBB.CCC.DDD/auth-detail-03-08-2009
  modcall[authorize]: module "auth_log" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "host/certtestlaptop.another.domain", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "host/certtestlaptop.another.domain"
    rlm_realm: Proxying request from user host/certtestlaptop.another.domain to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
    rlm_realm: Request already proxied.  Ignoring.
  modcall[authorize]: module "ntdomain" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 33
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 158
    users: Matched entry DEFAULT at line 266
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 156 to AAA.BBB.CCC.DDD port 1645
        Service-Type := Administrative-User
        Tunnel-Type:0 := VLAN
        Tunnel-Medium-Type:0 := IEEE-802
        Tunnel-Private-Group-Id:0 := "90"
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7e6e8f937ac7a9d33173a95fef9efeca
Finished request 1
Going to the next request
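The two configuration pieces the questions above ask for, as an added illustration that is not from the original post, a list reply, or the FreeRADIUS project's shipped files, and has not been verified against the poster's setup. The debug output shows why rlm_realm cannot help directly: its suffix instance only splits on '@', so a machine identity such as host/certtestlaptop.another.domain falls into the NULL realm, which is LOCAL. The users file can instead match that identity by regular expression and set Proxy-To-Realm, with the named realm defined in proxy.conf (question 1 and the "just proxy it" alternative). For question 2, if the loan laptops are to be authenticated locally rather than proxied, a single tls section can verify client certificates from more than one issuer because CA_file is an OpenSSL PEM bundle. The hostname radius.another.domain, the shared secret, the certificate paths and the realm name another.domain are assumptions; "another.domain" itself is the poster's placeholder.

```conf
# --- raddb/users (FreeRADIUS 1.x) -- added example, not the poster's config ---
# rlm_realm's suffix instance only splits on '@', so "host/<name>.another.domain"
# ends up in the NULL (LOCAL) realm.  Match the machine identity by regular
# expression and route it to a named realm.  "[.]" is a literal dot, which avoids
# depending on how the users-file parser treats backslash escapes.
# Fall-Through = Yes keeps the existing DEFAULT entries (the ones the debug log
# shows matching at lines 158 and 266) in play for this request.
DEFAULT	User-Name =~ "^host/.+[.]another[.]domain$", Proxy-To-Realm := "another.domain"
	Fall-Through = Yes

# --- raddb/proxy.conf -- the realm named above (host and secret are assumptions) ---
# The EAP-TLS exchange is forwarded as-is; the target server terminates TLS and
# therefore is the one that needs the Windows root CA and a server certificate
# the laptops trust.
realm another.domain {
	type		= radius
	authhost	= radius.another.domain:1812
	accthost	= radius.another.domain:1813
	secret		= CHANGE-ME
	nostrip		# forward User-Name unchanged; there is no '@realm' to strip
}

# --- raddb/eap.conf -- alternative for question 2 when authenticating locally ---
# One eap { tls { } } section presents one server certificate, but CA_file is a
# PEM bundle: concatenating the NRPS-related CA and the Windows root CA into one
# file lets the same tls section verify client certificates issued by either, e.g.
#   cat nrps-ca.pem windows-root-ca.pem > /etc/raddb/certs/ca-bundle.pem
# All paths below are assumptions.
eap {
	default_eap_type = tls
	tls {
		private_key_file	= ${raddbdir}/certs/server-key.pem
		certificate_file	= ${raddbdir}/certs/server-cert.pem
		CA_file			= ${raddbdir}/certs/ca-bundle.pem
		dh_file			= ${raddbdir}/certs/dh
		random_file		= ${raddbdir}/certs/random
	}
}
```

Two checks worth making before relying on either variant. First, the outer User-Name only routes the request; what EAP-TLS actually authenticates is the subject of the client certificate, so the regex above must be treated as a routing rule and not as an identity check. Second, the laptop's supplicant verifies the server certificate FreeRADIUS presents before it ever sends its own: with the single-tls-section variant that is still the existing, NRPS-oriented server certificate, so the laptop build must trust its issuer (or the laptops' own CA must also issue the server certificate), otherwise the TLS handshake fails on the client side and the server never gets as far as checking CA_file.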






More information about the Freeradius-Users mailing list