LDAP group check on inner-tunnel.
Jason Fenner
jfenner at Vitamix.com
Mon Aug 9 21:00:06 CEST 2010
I am running FreeRadius version 2.1.7-7
I am doing clear-text password authentication against Active Directory
using ntlm_auth. Then ldap is used for group checking. Finally, I have
moved my policies to postauth_users in the postauth group.
This clear-text functionality works fine.
However, when I test PEAP using eapol_test, authentication also works
fine, but the ldap group checking occurs only on the outer-tunnel
username. In this case, the outer tunnel is created using the username
"anonymous". This user doesn't exist in AD, so a failure is the response.
In inner-tunnel post-auth I have this snippet:
update outer.reply {
        # copy the inner (real) username into the outer reply
        User-Name = "%{request:User-Name}"
}
My understanding was that this should copy the real username from the
inner tunnel to the outer tunnel. This should then allow ldap
groupcheck to test the correct username. I never see an ldap check on
the inner tunnel at all.
I see this strange output in debug in relation to the snippet above:
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
expand: %{request:User-Name} -> radius_user
++[outer.reply] returns noop
} # server inner-tunnel
[peap] Got tunneled reply code 2
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "radius_user"
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "radius_user"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
I would think that outer.reply should return ok or something other than
noop.
Looking forward to any help with getting ldap group check working on the
inner tunnel username.
Jason Fenner, CCNP
Network Engineer & Storage Administrator
Vita-Mix Corporation
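One way to run the group check where the real identity is visible, i.e. inside the inner-tunnel virtual server rather than the outer one (added example, not code from the original post or from the FreeRADIUS project). It assumes the ldap module is already configured for group lookups; the group DN "cn=wifi-users,ou=groups,dc=example,dc=com" is a placeholder.

```unlang
# Added example for sites-enabled/inner-tunnel (FreeRADIUS 2.x unlang).
# In the inner tunnel, %{request:User-Name} is the real user, while the
# outer request only ever carries "anonymous", so an Ldap-Group check in
# the outer server can never match the right account.
post-auth {
    # Ldap-Group is compared against the inner request's User-Name by the
    # ldap module; a user outside the group is rejected here, before the
    # PEAP success is handed back to the outer tunnel.
    # "cn=wifi-users,ou=groups,dc=example,dc=com" is a placeholder group DN.
    if (!(Ldap-Group == "cn=wifi-users,ou=groups,dc=example,dc=com")) {
        reject
    }

    # Expose the real username in the outer reply so the NAS and accounting
    # log it instead of "anonymous". An update block always returns noop;
    # that return code is expected and not a sign the copy failed.
    update outer.reply {
        User-Name := "%{request:User-Name}"
    }
}
```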