PEAP auth rejected due to different inner and outer user-id

McNutt, Justin M. McNuttJ at missouri.edu
Thu Feb 13 16:42:02 CET 2014


Ah, cool.  Thanks.  I've been thinking about doing the same thing for our local realms as well, but I would absolutely have to have some kind of log message for rejections or I won't be able to make it fly.

--J

From: freeradius-users-bounces+mcnuttj=missouri.edu at lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu at lists.freeradius.org] On Behalf Of inverse
Sent: Thursday, February 13, 2014 8:32 AM
To: FreeRadius users mailing list
Subject: Re: PEAP auth rejected due to different inner and outer user-id

No, as for this server I don't keep failure auth/reply logs. However I forgot to mention this is currently affecting only our local realms for enrolled students and personnel. The "default" realm is authenticated on another server with no such restriction.


Inverse

On Thu, Feb 13, 2014 at 1:56 PM, McNutt, Justin M. <McNuttJ at missouri.edu> wrote:
When this occurs, do you get something in your log that tells you that this is the reason for the auth failure?

Also, isn't inner anonymity one of the permitted benefits of the federated EAP structure used by eduroam? That is, guests are permitted to hide their real user IDs while not at "home"?

Sent from my mobile device.

On Feb 11, 2014, at 8:52, "inverse" <inverse at ngi.it> wrote:
The "eap_custom" module seems responsible for this behaviour, so you should look into its config; curiously enough, I've found no traces of it in my freeradius 2.2.3.

Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Request found, released from the list
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Identity does not match User-Name.  Authentication failed.
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Failed in handler

However I consider this a feature, not a bug. In fact as a local policy for eduroam I've placed this in the inner-tunnel's post-auth section:

if ( "%{outer.request:User-Name}" != "%{User-Name}" ) {
        reject
}

which does exactly that. If you see something along these lines, you've found the source of your problems.


Best regards,

Inverse



On Tue, Feb 11, 2014 at 2:45 PM, douglas eseng <douglas.eseng at gmail.com> wrote:
Encountered the following issue.

Running FR 2.2.3. PEAP tunneled authentication was successful, but it gets rejected due to a username mismatch. No issue when both usernames are the same.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




--
"In a sea of glass shards, I hear you screaming"
--icchan
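One way to keep the strict inner/outer comparison inverse describes while also producing the per-rejection log line McNutt asks for. This is an added illustration, not configuration posted in the thread; it uses the FreeRADIUS 2.x unlang syntax shown above and assumes a linelog instance named identity_mismatch (the instance name, log file name and log format are my own choices):

```unlang
# raddb/modules/linelog  (assumed instance; name chosen for this example)
linelog identity_mismatch {
        # one line per rejection, written with the request timestamp
        filename = ${logdir}/identity-mismatch.log
        format = "%S inner/outer identity mismatch: outer=%{outer.request:User-Name} inner=%{User-Name} nas=%{NAS-IP-Address}"
}

# raddb/sites-enabled/inner-tunnel, post-auth section
post-auth {
        # same test as inverse's policy: outer (phase 1) identity must equal
        # the inner (tunneled) identity
        if ("%{outer.request:User-Name}" != "%{User-Name}") {
                # log first: 'reject' ends the section, so nothing after it runs
                identity_mismatch
                reject
        }
}
```

The log call has to precede reject because reject returns from the section immediately. This keeps inverse's exact-match rule, which also rejects the anonymous outer identities McNutt mentions; allowing those while still blocking cross-realm mismatches would mean comparing only the realm part of the two names, a separate policy decision that this snippet does not make.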