eap : Identity does not match User-Name, setting from EAP Identity
aland at deployingradius.com
Thu Feb 12 21:37:37 CET 2015
On Feb 12, 2015, at 12:33 PM, Milan Keršláger <milan.kerslager at pslib.cz> wrote:
> Hello there,
> I set up a CentOS 7 server with the package freeradius-3.0.1-6.el7.x86_64 as an upgrade for a working setup on an ancient computer with CentOS 4 (freeradius-1.1.3). I'm using eduroam-like authentication with an SQL backend (Cisco WLC, 802.1X with PEAP and MSCHAPv2). There are no forwarding realms etc., just one RADIUS server running with minimal changes to the default configuration files.
Well, you’ve changed enough that it doesn’t work.
> But when the request is coming from my Cisco WLC, the radius daemon is losing the username during the handshake
The server doesn’t lose the User-Name.
> My changes to default configuration:
That isn’t necessary. PLEASE follow the documentation. We need the debug output, nothing else.
> rad_recv: Access-Request packet from host 10.199.0.11 port 32768, id=77, length=272
> User-Name = 'testuser at domain.com'
Which has a domain.
> (0) suffix : Looking up realm "domain.com" for User-Name = "testuser at domain.com"
> (0) suffix : Found realm "domain.com"
> (0) suffix : Adding Stripped-User-Name = "testuser"
> (0) suffix : Adding Realm = "domain.com"
You’ve told it to edit the User-Name. Don’t do that.
> (0) suffix : Proxying request from user testuser to realm domain.com
> (0) suffix : Preparing to proxy authentication request to realm "domain.com"
That probably isn’t necessary.
> (0) Proxying request to home server 127.0.0.1 port 1812
> Sending Access-Request of id 42 from 0.0.0.0 port 1814 to 127.0.0.1 port 1812
> User-Name = 'testuser'
And the User-Name has been changed.
The short-term fix is to set “strip = no” in the realm configuration for domain.com.
The better fix is to not proxy it. Why are you proxying the request from the server, back to itself, via the loopback interface? It isn’t necessary.
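
An added example, not part of the original message: a small Python check that scans FreeRADIUS debug output for the symptom traced above, a proxied Access-Request whose User-Name differs from the one received, and notes whether the realm was stripped and whether the home server is loopback. The function name and the sample log are constructed for illustration, and the sample assumes the archive's " at " stands for "@".

```python
import re

# Constructed sample, modelled on the debug lines quoted in the thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.199.0.11 port 32768, id=77, length=272
\tUser-Name = 'testuser@domain.com'
(0) suffix : Looking up realm "domain.com" for User-Name = "testuser@domain.com"
(0) suffix : Found realm "domain.com"
(0) suffix : Adding Stripped-User-Name = "testuser"
(0) Proxying request to home server 127.0.0.1 port 1812
Sending Access-Request of id 42 from 0.0.0.0 port 1814 to 127.0.0.1 port 1812
\tUser-Name = 'testuser'
"""

RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+)")
SEND = re.compile(r"^Sending Access-Request of id \d+ from \S+ port \d+ to (\S+) port \d+")
USER = re.compile(r"^\s*User-Name = ['\"](.*)['\"]\s*$")

def find_rewritten_user_names(debug_text):
    """Return one finding per proxied request whose User-Name differs from the received one."""
    findings = []
    received = None   # User-Name of the most recent received Access-Request
    context = None    # ("recv" | "send", peer address) of the packet header just read
    for line in debug_text.splitlines():
        recv = RECV.match(line)
        send = SEND.match(line)
        if recv or send:
            context = ("recv", recv.group(1)) if recv else ("send", send.group(1))
            continue
        user = USER.match(line)
        if not user or context is None:
            continue  # module trace lines such as "(0) suffix : ..." are skipped here
        (kind, peer), context = context, None
        name = user.group(1)
        if kind == "recv":
            received = name
        elif received is not None and name != received:
            findings.append({
                "received": received,
                "proxied": name,
                "home_server": peer,
                "realm_stripped": received.startswith(name + "@"),
                "loopback": peer.startswith("127.") or peer == "::1",
            })
    return findings
```
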