eap : Identity does not match User-Name, setting from EAP Identity

Milan Keršláger milan.kerslager at pslib.cz
Thu Feb 12 22:18:01 CET 2015


On 12.2.2015 at 21:37, Alan DeKok wrote:
> On Feb 12, 2015, at 12:33 PM, Milan Keršláger <milan.kerslager at pslib.cz> wrote:
>> Hello there,
>> I set up CentOS 7 server with package freeradius-3.0.1-6.el7.x86_64 as an upgrade for working setup on ancient computer with CentOS 4 (freeradius-1.1.3). I'm using eduroam-like authentication with SQL backend (Cisco WLC, 802.1X with PEAP and MSCHAPv2). There is no forwarding realms etc, just only one radius server running with minimal changes in the default configuration files.
>
>    Well, you’ve changed enough that it doesn’t work.

You pointed me in the right direction - however it was not changed enough :-(

>> But when the request is coming from my Cisco WLC, the radius daemon is losing the username during the handshake
>
>    The server doesn’t lose the User-Name.
>
>> My changes to default configuration:
>
>    That isn’t necessary.  PLEASE follow the documentation.  We need the debug output, nothing else.
>>
>> rad_recv: Access-Request packet from host 10.199.0.11 port 32768, id=77, length=272
>>     User-Name = "testuser at domain.com"
>    Which has a domain.
>>
>> (0) suffix : Looking up realm "domain.com" for User-Name = "testuser at domain.com"
>> (0) suffix : Found realm "domain.com"
>> (0) suffix : Adding Stripped-User-Name = "testuser"
>> (0) suffix : Adding Realm = "domain.com"
>
>    You’ve told it to edit the User-Name.  Don’t do that.

It was a side-effect of unnecessarily proxying the request to itself.

>> (0) suffix : Proxying request from user testuser to realm domain.com
>> (0) suffix : Preparing to proxy authentication request to realm "domain.com"
>
>    That probably isn’t necessary.

Yes! I have read many of your replies here over the past few days and wished 
you had replied back to save me this last night :-)

The default configuration is prepared for a failover setup - in my own 
realm section there was "auth_pool = my_auth_failover", which pointed to 
localhost defined a few lines above, and I decided not to touch it. I was 
wrong here, because I missed the point that this means proxying the 
request too. So I commented out "auth_pool = my_auth_failover" and it 
works now.

I think that in the default configuration this should be commented out 
by default, because whoever needs a pool should enable it by their own hand 
and fight the consequences.

>> (0) Proxying request to home server 127.0.0.1 port 1812
>> Sending Access-Request of id 42 from 0.0.0.0 port 1814 to 127.0.0.1 port 1812
>>     User-Name = 'testuser'
>
>    And the User-Name has been changed.
>
>    The short-term fix is to set “strip = no” in the realm configuration for domain.com.
>
>    The better fix is to not proxy it.  Why are you proxying the request from the server, back to itself, via the loopback interface?  It isn’t necessary.
>
>    Alan DeKok.

Thank you again for your work! (now happy) Milan

-- 
                             Milan Keršláger
                             http://www.pslib.cz/ke/
                             http://www.nti.tul.cz/wiki/Milan.Kerslager
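
To make the fix concrete, the fragment below is an added example of the relevant proxy.conf sections; it is not copied from the thread, from Milan's server or from the FreeRADIUS distribution. It shows the realm definition that caused the self-proxying next to the corrected one. The home server and pool names are the ones named in the thread; `domain.com`, the shared secret, and the `nostrip` spelling of Alan's "strip = no" alternative are assumptions.

```conf
# raddb/proxy.conf (FreeRADIUS 3.0.x) - added illustration, not the shipped file.

# The home server that the default "my_auth_failover" pool points at:
# this very server, reached over the loopback interface.
home_server localhost {
	type   = auth
	ipaddr = 127.0.0.1
	port   = 1812
	secret = testing123   # assumed; must match the loopback entry in clients.conf
}

home_server_pool my_auth_failover {
	type        = fail-over
	home_server = localhost
}

# BEFORE: the realm has an auth_pool, so every request whose User-Name ends
# in @domain.com is proxied to the pool, i.e. back to 127.0.0.1, and the
# suffix module strips the realm on the way out. The proxied copy therefore
# carries User-Name = "testuser", no longer matching the EAP identity.
#
# realm domain.com {
# 	auth_pool = my_auth_failover
# }

# AFTER: no pool at all. A realm with neither auth_pool nor acct_pool is
# LOCAL: the request is authenticated here and never leaves the box.
realm domain.com {
}

# The short-term alternative from the thread: keep proxying but do not
# strip the realm. Alan writes it as "strip = no"; in 3.x proxy.conf I
# believe the flag is spelled "nostrip" (assumption).
#
# realm domain.com {
# 	auth_pool = my_auth_failover
# 	nostrip
# }
```

After the change, run `radiusd -X` and replay a login from the WLC: the debug output should still show `suffix : Found realm "domain.com"` and `Adding Stripped-User-Name = "testuser"`, but the `Proxying request from user testuser to realm domain.com` and `Sending Access-Request ... to 127.0.0.1 port 1812` lines from the original post must be gone. Adding Stripped-User-Name to a locally handled request does not alter User-Name; it was the proxied copy in the original debug output that carried the shortened name.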