inner vs outer User-Name
Kenneth Grady
klg at lanl.gov
Mon Feb 8 23:12:36 CET 2010
Is there any way to authorize a user using the inner-tunnel User-Name
and not the outer?
I get an outer User-Name of anonymous and a reject when searching for
authorized users in an ldap group.
If they convolute the configuration for the device with an outer
User-Name of a person in the ldap group, it authorizes them, and they
can authenticate using Kerberos.
Mon Feb 8 12:53:21 2010
	Packet-Type = Access-Request
	User-Name = "anonymous"
	...

Mon Feb 8 12:53:21 2010
	Packet-Type = Access-Accept
	Reply-Message = "case WAREHOUSE"
	Reply-Message = "not authorized for mygroup"
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "duser"
	...

Mon Feb 8 14:08:11 2010
	Packet-Type = Access-Request
	User-Name = "duser"
	...

Mon Feb 8 14:08:11 2010
	Packet-Type = Access-Accept
	Reply-Message = "case WAREHOUSE"
	Reply-Message = "Warehouse mygroup"
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "duser"
/etc/raddb/sites-available/default
...
	case "WAREHOUSE" {
		update reply {
			Reply-Message += "case WAREHOUSE"
		}
		#EMPLOYEE {	# need to use the inner-tunnel User-Name
		#}
		if ( EMPLOYEE-Ldap-Group == "mygroup" ) {
			update reply {
				Reply-Message += "Warehouse mygroup"
			}
		}
		else {
			update reply {
				Reply-Message += "not authorized for mygroup"
			}
			# update config {
			#	Auth-Type := Reject
			# }
		}
	}
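A group check that runs against the inner identity, as an added example that is not the poster's configuration: it assumes a FreeRADIUS 2.x layout in which the PEAP/TTLS section of eap.conf sets `virtual_server = inner-tunnel`, and that the LDAP module instance is named EMPLOYEE as in the poster's snippet. The reject that the poster left commented out is enforced here, because the first log excerpt above shows an Access-Accept going out with a "not authorized" Reply-Message.

```unlang
# sites-available/inner-tunnel  (added example; not the poster's file)
#
# PEAP/TTLS decrypt the tunnel and hand the inner request to this virtual
# server (virtual_server = inner-tunnel in eap.conf). Only here is User-Name
# the real identity ("duser"); sites-available/default sees "anonymous".
server inner-tunnel {
	authorize {
		# Let an in-progress EAP exchange short-circuit, as in the stock
		# inner-tunnel layout, so the LDAP check runs once the inner
		# identity is available.
		eap {
			ok = return
		}
		# LDAP module instance, assumed to be named EMPLOYEE as in the
		# poster's snippet; it provides the EMPLOYEE-Ldap-Group check item.
		EMPLOYEE
		if (EMPLOYEE-Ldap-Group == "mygroup") {
			update reply {
				Reply-Message += "Warehouse mygroup"
			}
		}
		else {
			update reply {
				Reply-Message += "not authorized for mygroup"
			}
			# A Reply-Message alone does not stop the Access-Accept (see the
			# poster's first log excerpt); force the reject explicitly.
			update control {
				Auth-Type := Reject
			}
		}
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		eap
	}
	post-auth {
		# Copy the inner identity into the outer Access-Accept so the NAS
		# and accounting see "duser" rather than "anonymous".
		update outer.reply {
			User-Name := "%{request:User-Name}"
		}
	}
}
```

The `case "WAREHOUSE"` block in sites-available/default then only needs to handle what is visible in the outer request; anything keyed on the user must live in the inner-tunnel server.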