Question about outer identity
Martin Pauly
pauly at hrz.uni-marburg.de
Thu Jul 30 12:39:45 CEST 2009
Hi all,
I have 2.1.6 and things basically work. But I just came across a question about the processing of outer/inner identity:

As I understand it, in case of a non-EAP RADIUS request (e.g. from my old modem servers), there is no tunnel and hence no inner identity.
==> Autz and Auth are done by the default virtual server and governed by the settings in radiusd.conf and sites-available/default -- right?

In case of an EAP request (we do EAP-TTLS and PEAP-MSCHAPv2), the outer identity is simply used as a dummy during tunnel setup (our EAP clients use anonymous at uni-marburg.de as outer identity). Nonetheless, freeradius does an LDAP request during Authorization which, of course, fails with 'notfound'. freeradius then happily proceeds to do the real authentication with inner-tunnel.

Now I wonder how to avoid that extra LDAP query.
Here's my config (ldap123 refers to a virtual module doing redundant-load-balance with 3 LDAP servers):

default:

authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    unix
    files
    ldap123
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    eap
    Auth-Type LDAP {
        ldap123
    }
}

inner-tunnel:

authorize {
    chap
    mschap
    unix
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    files
    ldap123
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        ldap123
    }
    eap
}
And here is the (hopefully) relevant part of the output of freeradius -X:

radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
listen {
    type = "auth"
    ipaddr = 127.0.0.1
    port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.75.246 port 1645, id=68, length=166
    User-Name = "anonymous at uni-marburg.de"
    Framed-MTU = 1400
    Called-Station-Id = "0013.8011.a1e0"
    Calling-Station-Id = "001b.7720.e19d"
    Service-Type = Login-User
    Message-Authenticator = 0xc8c71b2e61687810d83b54a62fbc0150
    EAP-Message = 0x0202001d01616e6f6e796d6f757340756e692d6d6172627572672e6465
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 14662
    NAS-IP-Address = 192.168.75.246
    NAS-Identifier = "warz004"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "uni-marburg.de" for User-Name = "anonymous at uni-marburg.de"
[suffix] Found realm "uni-marburg.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "uni-marburg.de"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 30
[files] expand: %{User-Name} -> anonymous at uni-marburg.de
++[files] returns ok
++- entering policy ldap123 {...}
+++- entering redundant-load-balance group redundant-load-balance {...}
[ldap3] performing user authorization for anonymous
[ldap3] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap3] expand: (&(uid:caseExactMatch:=%{Stripped-User-Name:-%{User-Name}}) (!(UniMrDarfRadius=0))) -> (&(uid:caseExactMatch:=anonymous) (!(UniMrDarfRadius=0)))
[ldap3] expand: ou=people,ou=Students,ou=Accounts,o=Universitaet Marburg,c=DE -> ou=people,ou=Students,ou=Accounts,o=Universitaet Marburg,c=DE
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to auth3.students.uni-marburg.de:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/ssl/certs/deutsche-telekom-root-ca-2.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: bind as uid=radius,ou=Proxy,o=Universitaet Marburg,c=DE/JhkG0iH to auth3.students.uni-marburg.de:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,ou=Students,ou=Accounts,o=Universitaet Marburg,c=DE, with filter (&(uid:caseExactMatch:=anonymous) (!(UniMrDarfRadius=0)))
rlm_ldap: object not found
[ldap3] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++++[ldap3] returns notfound
+++- redundant-load-balance group redundant-load-balance returns notfound
++- policy ldap123 returns notfound
++[expiration] returns noop
++[logintime] returns noop
Thanks for any help
Martin
--
Dr. Martin Pauly Fax: 49-6421-28-26994
HRZ Univ. Marburg Phone: 49-6421-28-23527
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
D-35032 Marburg
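One way to skip the outer-identity lookup, as an added example that is not part of the original post and not a FreeRADIUS project recommendation: in the default server's authorize section, wrap the `ldap123` call in an unlang condition so it only runs when the request carries no EAP-Message. The `eap { ok = return }` block cannot do this on its own because, as the posted debug output shows, the eap module returns "updated" (not "ok") for the identity packet, so processing continues into unix, files and ldap123. The example assumes the poster's `ldap123` policy and 2.1.x unlang syntax; the inner-tunnel server is left exactly as posted, so the real inner identity is still looked up there.

```unlang
# sites-available/default, authorize section only (added example, not the poster's file).
# Module order is the poster's; only the ldap123 call is wrapped.
authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    unix
    files
    # The outer identity of an EAP-TTLS/PEAP request is a client-chosen,
    # unauthenticated dummy ("anonymous" here), so there is nothing to look
    # up in the directory for it. Consult LDAP only for non-EAP requests
    # (e.g. the old modem servers); for EAP users the lookup happens in
    # inner-tunnel on the inner identity.
    if (!EAP-Message) {
        ldap123
    }
    expiration
    logintime
    pap
}
```

Two checks before relying on this: if the outer `ldap123` lookup was also supplying reply attributes for EAP users (VLAN assignment from group membership, for instance), those now come from inner-tunnel only and reach the outer reply only when `use_tunneled_reply = yes` is set for ttls and peap in eap.conf. Separately, the warning in the debug output about the deprecated `:-` expansion refers to the filter in the ldap module configuration; the 2.x form of that fallback is `%{%{Stripped-User-Name}:-%{User-Name}}`. Note also that `freeradius -X` prints the LDAP bind DN together with the bind password on the `rlm_ldap: bind as` line, so that line should be scrubbed before debug output is shared.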