different default_eap_type for different users
Nicolas Boullis
nicolas.boullis at ecp.fr
Thu Jul 2 12:05:25 CEST 2009
Alan DeKok wrote:
> Nicolas Boullis wrote:
>
>>I'm currently in the process of switching from an old freeradius 1.1.6
>>to a more recent 2.0.4 (both with debian packages, rebuilt against openssl).
>
> Why not 2.1.6?
No good reason for this, only that current Debian stable (Lenny) has
packages for 2.0.4, not 2.1.6. (And since administration of radius
servers is only a small part of my work, I'd rather rely on Debian
packages and the Debian security team than track the potential security
issues of all the server software that I use.)
>>Hence, I thought I would use the hints file to force EAP-Type (the good
>>news is that I can recognize the IP phones with their username):
>>CP-7942G-SEP0024C4BE96B7
>> EAP-Type = MD5-Challenge
>>
>>But this apparently does not work.
>
> It's a *configuration* item, not a reply item. See "man users"
>
> ...
> CP-7942G-SEP0024C4BE96B7 EAP-Type := MD5-Challenge
> ...
>
> That will work.
Unfortunately, it does not, freeradius still tries TLS (PEAP?):
# freeradius -X
(...)
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 138.195.254.246 port 1645,
id=21, length=181
User-Name = "CP-7942G-SEP0024C4BE96B7"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1F-6D-11-DD-98"
Calling-Station-Id = "00-24-C4-BE-96-B7"
EAP-Message =
0x0203001d0143502d37393432472d534550303032344334424539364237
Message-Authenticator = 0xad86f0122944a370ac2bc487e0b292a4
NAS-Port-Type = Ethernet
NAS-Port = 50024
NAS-Port-Id = "FastEthernet0/24"
NAS-IP-Address = 138.195.254.246
+- entering group authorize
hints: Matched CP-7942G-SEP0024C4BE96B7 at 78
++[preprocess] returns ok
expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702
rlm_detail:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/138.195.254.246/auth-detail-20090702
expand: %t -> Thu Jul 2 11:51:53 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "CP-7942G-SEP0024C4BE96B7", looking
up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 29
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry CP-7942G-SEP0024C4BE96B7 at line 135
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 21 to 138.195.254.246 port 1645
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe0c5d17fe0c1c8f39eb404d78a61b99b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Note the "hints: Matched CP-7942G-SEP0024C4BE96B7 at 78" and "rlm_eap:
processing type tls".
(... a few minutes later ...)
I just tried to set EAP-Type in users rather than in hints, and now it
works fine. Thanks!
But why does it work in users and not in hints? (I thought I had to use
hints because it is run before eap in the authorize section...)
Cheers,
--
Nicolas Boullis
Ecole Centrale Paris
France
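As an added example (not part of the thread above, and not FreeRADIUS code), the script below parses a constructed users-file excerpt and reports, per entry, whether EAP-Type ended up as a check item on the match line (which rlm_eap reads as a control item) or only as a reply attribute, which is the distinction Alan DeKok's reply points at. The sample file, the entry names and the parser itself are assumptions: it splits entries on indentation only and ignores DEFAULT and Fall-Through semantics, so it is a model of the format, not a drop-in replacement for rlm_files.

```python
"""Classify EAP-Type placement in FreeRADIUS 'users'-style entries (added example)."""
import re

# Constructed sample, not the poster's real file. Entry 1 repeats the mistake
# from the thread (EAP-Type on the reply side), entry 2 uses the check-item
# form from Alan's reply, entry 3 is an ordinary user with no EAP-Type.
SAMPLE_USERS = """\
# IP phone, EAP-Type on a reply line: a reply attribute, not a control item
CP-7942G-SEP0024C4BE96B7
\tEAP-Type = MD5-Challenge

# IP phone, EAP-Type as a check/control item on the match line
CP-7942G-SEP0024C4BE96B7\tEAP-Type := MD5-Challenge

# ordinary user: no EAP-Type, so eap falls back to default_eap_type
alice\tCleartext-Password := "s3cret"
\tReply-Message = "Hello, %{User-Name}",
\tFall-Through = Yes
"""

# Attribute, operator (':=' must be tried before '='), quoted or bare value,
# terminated by a comma or end of line.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|\+=|!=|=)\s*("[^"]*"|[^,]+?)\s*(?:,|$)')


def split_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) triples."""
    return [(m.group(1), m.group(2), m.group(3).strip('"'))
            for m in ITEM_RE.finditer(text)]


def parse_users(text):
    """Return entries as dicts with 'name', 'check' and 'reply' item lists.

    Simplified grammar (assumption): a non-indented line starts an entry and
    carries the name plus its check items; indented lines that follow hold the
    entry's reply items. Comments and blank lines are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            parts = line.split(None, 1)
            checks = split_items(parts[1]) if len(parts) > 1 else []
            entries.append({'name': parts[0], 'check': checks, 'reply': []})
        else:
            if not entries:
                raise ValueError("reply line before any entry: %r" % raw)
            entries[-1]['reply'].extend(split_items(line))
    return entries


def forced_eap_type(entry):
    """EAP-Type the eap module would honour for this entry, or None.

    rlm_eap takes EAP-Type from the control (check) list, so only an item on
    the match line counts; ':=' always sets it, '=' only if not already set.
    EAP-Type on a reply line is just an attribute sent back to the NAS.
    """
    for attr, op, value in entry['check']:
        if attr == 'EAP-Type' and op in (':=', '='):
            return value
    return None


def report(text):
    """(name, forced EAP-Type or None, reply attribute names) per entry."""
    return [(e['name'], forced_eap_type(e), [a for a, _, _ in e['reply']])
            for e in parse_users(text)]


if __name__ == '__main__':
    for name, forced, reply in report(SAMPLE_USERS):
        print(f"{name:26s} forced EAP-Type: {forced or '-':14s} reply: {reply}")
```

Running it shows the first phone entry forcing nothing (EAP-Type only appears among its reply attributes) while the second forces MD5-Challenge; that is the behaviour the debug output above illustrates, where the users entry with `:=` made the phone authenticate with MD5 instead of TLS.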