Inner tunnel post auth question

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Fri May 10 23:21:55 CEST 2013


My FR version is 2.1.10+dfsg-3build2_amd64. Unless there's a nice
package for Ubuntu 12.04 server, I'll be compiling from source then,
I think.

This is the peap bit of eap.conf :

peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
#       proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
}

so yes, the "use_tunneled_reply" bit is there. Is that what's causing
the copying of attributes from within the tunnel to fail, or is that
setting what it's supposed to be? I'm still getting my head around the
eap thing - like for example why I need authorization and authentication
settings in the inner-tunnel virtual server for eap again - my intuition
would tell me that the inner eap just needs mschap in there if that's
the protocol inside the tunnel, but then perhaps it's something to do
with the "protection" bit of peap that means it's a "tunnel within a
tunnel" or something. Like I said still getting my head around it all.

I'd still like to get the attributes copying from the inner to outer
tunnels regardless of the fix in 2.2. It's gnawing at me a bit.

Thanks

Andy

From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Alex Sharaz
Sent: 10 May 2013 14:09
To: FreeRadius users mailing list
Subject: Re: Inner tunnel post auth question


Andy,

What version of FreeRadius are you using?

I *think* that unless you are using the git source for 2.2.1, post-auth
reject is broken. There was some stuff I was doing a few months ago that
got fixed in 2.2.1 ... but I'm getting old and can't remember all the
details :-(

On 10 May 2013, at 13:53, Franks Andy (RLZ) IT Systems Engineer
<Andy.Franks at sath.nhs.uk> wrote:

Hi,

  This may have come up before but I can't find any solutions : 

I'm using a NAS which always performs EAP/MSCHAP2 authentication, so
I've stripped the sites-enabled/default right down to pretty much just
include the eap stuff for authorisation/authentication, and am doing all
the rest inside the inner tunnel - fine.

When the radius returns an access-accept, it runs the stuff in the
inner-tunnel post_auth section ok, and I can record the attributes I
want to a mysql db, including a custom ldap attribute inserted into a
control variable. 

However it seems that following a reject, the post_auth reject section
of inner-tunnel isn't actually used, so it doesn't record any info about
the attributes in the sql database if I use an sql call.

Ok .. so do it in the default post_auth reject bit - ok but I can't
figure how to pass back control variables to the outer tunnel. I'd
imagine it should be similar to the description in the post auth reject
section of the inner tunnel :

update outer.reply {
        User-Name = "%{request:User-Name}"
}

have u got 

use_tunneled_reply = yes

set up in eap.conf?

Rgds

Alex

But the section never gets called, so I tried putting it after the ldap
authorization bit, as I can't do it in the authentication part, or so I
gather (no unlang support in there?).

In the below update, Ldap-UserDescription is my custom attribute, which
I can see from the logs is being populated :

 [ldap] description -> Ldap-UserDescription == "test ip phone"

authorize {
        ..
        ..
        ldap
        update outer.control {
                Ldap-UserDescription := "%{control:Ldap-UserDescription}"
        }
}

But again it doesn't make it through (or am I doing it wrong?)

+- entering group REJECT {...}
        expand: %{control:Ldap-UserDescription} -> :
++[reply] returns noop

Am I being stupid? The best thing would be for the post_auth reject
section in inner tunnel to run, but failing that I need to work out the
control item passback to the outer tunnel.

Thanks for any help in advance!

Andy

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
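As an added example (not Andy's configuration and not the FreeRADIUS default config), this is the inner/outer wiring the thread describes, written out as FreeRADIUS 2.x unlang: the inner authorize section copies the LDAP-derived control item into the outer request's control list after ldap has populated it, and both inner post-auth paths hand User-Name to the outer reply. Module instance names (ldap, sql, attr_filter.access_reject) and the custom attribute Ldap-UserDescription are taken from the thread; the second fragment belongs in the outer server in sites-enabled/default.

```unlang
# sites-enabled/inner-tunnel (FreeRADIUS 2.x)
server inner-tunnel {
    authorize {
        mschap
        eap
        ldap
        # ldap has now set the control item from the LDAP "description"
        # attribute; copy it to the OUTER request's control list.
        update outer.control {
            Ldap-UserDescription := "%{control:Ldap-UserDescription}"
        }
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }

    post-auth {
        # Access-Accept path: log inside the tunnel, then hand the
        # authenticated identity to the outer reply.
        sql
        update outer.reply {
            User-Name = "%{request:User-Name}"
        }

        # Access-Reject path: same logging and copy, run only on reject.
        Post-Auth-Type REJECT {
            sql
            attr_filter.access_reject
            update outer.reply {
                User-Name = "%{request:User-Name}"
            }
        }
    }
}

# sites-enabled/default (outer server), post-auth section only
post-auth {
    Post-Auth-Type REJECT {
        # The sql module's post-auth query can expand
        # %{control:Ldap-UserDescription} copied in by the inner authorize.
        sql
        attr_filter.access_reject
    }
}
```

Whether the inner Post-Auth-Type REJECT subsection actually runs on 2.1.10 is the open point in this thread (Alex says it was fixed in 2.2.1), so the sql rows it is meant to produce on a reject are the thing to check after applying this.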
