PEAP auth rejected due to different inner and outer user-id

inverse inverse at ngi.it
Thu Feb 13 15:32:00 CET 2014


No, as for this server I don't keep failure auth/reply logs. However I
forgot to mention this is currently affecting only our local realms for
enrolled students and personnel. The "default" realm is authenticated on
another server with no such restriction.


Inverse



On Thu, Feb 13, 2014 at 1:56 PM, McNutt, Justin M. <McNuttJ at missouri.edu> wrote:

>  When this occurs, do you get something in your log that tells you that
> this is the reason for the auth failure?
>
>  Also, isn't inner anonymity one of the permitted benefits of the
> federated EAP structure used by eduroam? That is, guests are permitted to
> hide their real user IDs while not at "home"?
>
> Sent from my mobile device.
>
> On Feb 11, 2014, at 8:52, "inverse" <inverse at ngi.it> wrote:
>
>   The "eap_custom" module seems responsible for this behaviour, so you
> should look into its config. Curiously enough, I've found no traces of it in
> my freeradius 2.2.3
>
> Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Request found, released
> from the list
> Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Identity does not match
> User-Name.  Authentication failed.
> Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Failed in handler
>
>  However I consider this a feature, not a bug. In fact as a local policy
> for eduroam I've placed this in the inner-tunnel's post-auth section:
>
> if ( "%{outer.request:User-Name}" != "%{User-Name}" ) {
>     reject
> }
>
>
>  which does exactly that. If you see something along these lines, you've
> found the source of your problems.
>
>
>
>  Best regards,
>
> Inverse
>
>
>
>
>
> On Tue, Feb 11, 2014 at 2:45 PM, douglas eseng <douglas.eseng at gmail.com> wrote:
>
>>    Encountered the following issue.
>>
>>  Running FR 2.2.3. PEAP tunneled authentication was successful. But get
>> rejected due to username mismatch. No issue when both usernames are the same.
>>
>>      -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
"In a sea of glass shards, I hear you screaming"
--icchan
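
The comparison discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: a Python model of the quoted post-auth check next to a hypothetical relaxed variant that lets the outer user part differ but still requires matching realms. All function names and sample identities are constructed, and case-insensitive realm comparison is an assumption of the model.

```python
# Added illustration: models the inner/outer identity comparison from the thread.
# Names and sample identities are constructed, not taken from FreeRADIUS.

def split_nai(identity):
    """Split 'user@realm' into (user, realm); realm is '' when absent."""
    user, sep, realm = identity.rpartition("@")
    if not sep:                 # no '@' at all: the whole string is the user part
        return identity, ""
    return user, realm.lower()  # assumption: realms compare case-insensitively


def strict_match(outer, inner):
    """Same outcome as the quoted unlang check: any difference is a reject."""
    return outer == inner


def realm_only_match(outer, inner):
    """Hypothetical relaxed policy: outer user part is free, realms must agree."""
    _, outer_realm = split_nai(outer)
    _, inner_realm = split_nai(inner)
    return outer_realm != "" and outer_realm == inner_realm


def decide(outer, inner, policy):
    """Return the post-auth outcome for one (outer, inner) User-Name pair."""
    return "accept" if policy(outer, inner) else "reject"


SAMPLES = [  # constructed (outer User-Name, inner User-Name) pairs
    ("alice@example.edu", "alice@example.edu"),
    ("anonymous@example.edu", "alice@example.edu"),
    ("@example.edu", "alice@example.edu"),
    ("anonymous@other.example", "alice@example.edu"),
    ("anonymous", "alice@example.edu"),
]

if __name__ == "__main__":
    for outer, inner in SAMPLES:
        print(f"{outer!r:28} {inner!r:22} "
              f"strict={decide(outer, inner, strict_match)} "
              f"realm-only={decide(outer, inner, realm_only_match)}")
```

Only the first sample pair passes the strict comparison; the relaxed variant also accepts the second and third, and both reject an outer identity with a different or missing realm.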