eap module returning 'updated' rather than 'ok'
Brian Candler
b.candler at pobox.com
Thu Oct 20 15:33:31 CEST 2016
I have an issue with inner versus outer identities. I can demonstrate
this with the stock freeradius 3.0.12 config; just uncomment the "bob"
and "steve" entries. I have also set "use_tunneled_reply = yes" in
raddb/mods-available/eap (in both places)
Now I create a config for eapol_test (from wpa_supplicant package) like
this:
----
#
# eapol_test -c peap-mschapv2.conf -s testing123
#
network={
ssid="Cityfibre Admin"
key_mgmt=WPA-EAP
eap=PEAP
identity="bob"
anonymous_identity="steve"
password="hello"
phase2="autheap=MSCHAPV2"
#
# Uncomment the following to perform server certificate validation.
# ca_cert="/etc/raddb/certs/ca.der"
}
----
Note how I've chosen "steve" as the anonymous identity. What happens is
that in the second Access-Challenge response, steve's attributes are
returned:
(0) Received Access-Request Id 0 from 127.0.0.1:49950 to 127.0.0.1:1812
length 118
(0) User-Name = "steve"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) EAP-Message = 0x0200000a017374657665
(0) Message-Authenticator = 0xc31453b2556c5c5767691b67d9d1b1b8
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "steve", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x74107434741170f2
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:49950
length 0
(0) EAP-Message = 0x0101001604103936abba88e393e0bfbb63a6f9636887
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x74107434741170f2f863cec79136ac13
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 127.0.0.1:49950 to 127.0.0.1:1812
length 132
(1) User-Name = "steve"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x020100060319
(1) State = 0x74107434741170f2f863cec79136ac13
(1) Message-Authenticator = 0xbf4a7b7d48c99b11a68c98a2af96b7b6
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "steve", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry steve at line 73
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x74107434741170f2
(1) eap: Finished EAP session with state 0x74107434741170f2
(1) eap: Previous EAP request found for state 0x74107434741170f2,
released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: Flushing SSL sessions (of #0)
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x7410743475126df2
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:49950
length 0
(1) Service-Type = Framed-User
(1) Framed-Protocol = PPP
(1) Framed-IP-Address = 172.16.3.33
(1) Framed-IP-Netmask = 255.255.255.0
(1) Framed-Routing = Broadcast-Listen
(1) Framed-Filter-Id = "std.ppp"
(1) Framed-MTU = 1500
(1) Framed-Compression = Van-Jacobson-TCP-IP
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x7410743475126df2f863cec79136ac13
(1) Finished request
It's clearly wrong to return steve's authorization attributes, since
we've not authenticated at all (and certainly not as steve) - although
since this is only an Access-Challenge, hopefully the NAS will ignore
them. The EAP exchange does complete successfully.
My other concern is that it does an unnecessary database lookup for
"steve" - actually the live config which started this investigation is
an LDAP one, which is how I noticed this.
Now, the default site has in its authorize section:
eap {
ok = return
}
But at this step we're getting "updated". So it looks like it would be
reasonable to change this to:
eap {
ok = return
updated = return
}
... and this does seem to work. But I wonder why it's done this way in
the default config. Is this a mistake, or is there some subtle point I
am missing? Under what circumstances does rlm_eap return "updated"
instead of "ok"? I want to be sure that there's no security impact by
dropping out of the authorize section at this point, for example if
someone uses a non-tunneled version of EAP like EAP-TLS or EAP-PWD.
Thanks,
Brian.
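The two symptoms in the debug output above (a backend-lookup module such as files or ldap running in authorize after rlm_eap has already claimed the request, and authorization attributes being sent in an Access-Challenge) can be checked mechanically from `radiusd -X` output, which is useful when deciding whether an `updated = return` change actually removes the outer-identity lookup. The script below is an added example, not part of the original post and not FreeRADIUS code. It assumes the debug-line wording of FreeRADIUS 3.0.x as shown in the post; the set of modules treated as "backend lookups" and the set of attributes considered legitimate in an EAP Access-Challenge are choices of this script, and the embedded log is a trimmed excerpt of the output above, constructed for the example.

```python
"""Audit FreeRADIUS `radiusd -X` output for two authorize-section symptoms:

1. a backend-lookup module (files/ldap/sql/...) running *after* rlm_eap in the
   authorize section, i.e. a lookup keyed on the outer (anonymous) identity;
2. an Access-Challenge reply carrying attributes other than the EAP/State
   plumbing, i.e. authorization attributes sent before anyone authenticated.

Added example; assumptions: the 3.0.x debug-line formats matched below, the
module and attribute sets, and the constructed sample log.
"""
import re
from collections import defaultdict

REQ_PREFIX = re.compile(r"^\((\d+)\)\s?(.*)$")      # "(1) ..." request prefix
MODULE_RC = re.compile(r"^\[(\w+)\] = (\w+)$")      # "[files] = ok"
ATTR = re.compile(r"^([A-Za-z0-9-]+) = (.*)$")      # "Framed-MTU = 1500"

# Assumed: modules whose authorize call hits a user database.
LOOKUP_MODULES = {"files", "ldap", "sql", "rest", "redis", "passwd"}
# Assumed: the only attributes an EAP Access-Challenge legitimately needs.
CHALLENGE_ALLOWED = {"EAP-Message", "Message-Authenticator", "State", "Proxy-State"}


def split_requests(log_text):
    """Group debug lines by request number, stripping the "(N)" prefix."""
    reqs = defaultdict(list)
    for raw in log_text.splitlines():
        m = REQ_PREFIX.match(raw.strip())
        if m:
            reqs[int(m.group(1))].append(m.group(2).strip())
    return dict(reqs)


def authorize_modules(lines):
    """Ordered (module, rcode) pairs from the top-level authorize section."""
    mods, inside = [], False
    for line in lines:
        if line == "authorize {":
            inside = True
        elif inside and line.startswith("} # authorize"):
            break
        elif inside:
            m = MODULE_RC.match(line)
            if m:
                mods.append((m.group(1), m.group(2)))
    return mods


def challenge_attributes(lines):
    """Reply attributes printed after 'Sent Access-Challenge'."""
    attrs, inside = {}, False
    for line in lines:
        if line.startswith("Sent Access-Challenge"):
            inside = True
        elif inside and line.startswith("Finished request"):
            break
        elif inside:
            m = ATTR.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
    return attrs


def audit(log_text):
    """Return a list of findings, one dict per symptom per request."""
    findings = []
    for n, lines in sorted(split_requests(log_text).items()):
        mods = authorize_modules(lines)
        names = [m for m, _ in mods]
        if "eap" in names:
            rc = dict(mods)["eap"]
            after = [m for m in names[names.index("eap") + 1:] if m in LOOKUP_MODULES]
            if after:
                findings.append({"request": n, "kind": "lookup_after_eap",
                                 "eap_rc": rc, "modules": after})
        leaked = {k: v for k, v in challenge_attributes(lines).items()
                  if k not in CHALLENGE_ALLOWED}
        if leaked:
            findings.append({"request": n, "kind": "authz_in_challenge",
                             "attributes": leaked})
    return findings


# Constructed sample: a trimmed excerpt of the debug output in the post.
SAMPLE_LOG = """\
(0) Received Access-Request Id 0 from 127.0.0.1:49950 to 127.0.0.1:1812 length 118
(0)   User-Name = "steve"
(0)   EAP-Message = 0x0200000a017374657665
(0)   authorize {
(0)     [preprocess] = ok
(0)     [suffix] = noop
(0)     eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:49950 length 0
(0)   EAP-Message = 0x0101001604103936abba88e393e0bfbb63a6f9636887
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x74107434741170f2f863cec79136ac13
(0) Finished request
(1) Received Access-Request Id 1 from 127.0.0.1:49950 to 127.0.0.1:1812 length 132
(1)   User-Name = "steve"
(1)   EAP-Message = 0x020100060319
(1)   authorize {
(1)     [preprocess] = ok
(1)     [suffix] = noop
(1)     eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)     files: users: Matched entry steve at line 73
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:49950 length 0
(1)   Service-Type = Framed-User
(1)   Framed-IP-Address = 172.16.3.33
(1)   Framed-Filter-Id = "std.ppp"
(1)   EAP-Message = 0x010200061920
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x7410743475126df2f863cec79136ac13
(1) Finished request
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

Run it against a real capture with `radiusd -X > debug.log` and `audit(open("debug.log").read())`; a clean run after adding `updated = return` should report no `lookup_after_eap` finding for the outer-identity requests, and any `authz_in_challenge` finding is worth treating as a policy bug regardless of whether the NAS ignores it.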