Two different user-names while using computer authentication with client certificate
uj2.hahn at posteo.de
Tue Jan 28 15:36:39 CET 2020
Hi!
I have a question just for my understanding.
I installed a Radius client certificate (RadiusClient) on a Win10 client and enabled user authentication on this WLAN profile. This all works fine.
Just for my education I switched the client WLAN profile to computer (!) authentication (instead of user), just to see what will happen with freeradius.
First thing I saw is:
(7) Received Access-Request Id 152 from 192.168.188.45:37569 to 192.168.188.50:1812 length 226
(7) User-Name = "host/RadiusClient"
(7) NAS-IP-Address = 192.168.1.245
(7) NAS-Port = 0
(7) Called-Station-Id = "88-90-8D-42-55-70:ciscosb"
So User-Name changed from RadiusClient to host/RadiusClient which I understood.
But later in the same session I saw:
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - host/DESKTOP-FLOQN5Q
(7) eap_peap: Got inner identity 'host/DESKTOP-FLOQN5Q'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0207001901686f73742f4445534b544f502d464c4f514e3551
(7) eap_peap: Setting User-Name to host/DESKTOP-FLOQN5Q
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x0207001901686f73742f4445534b544f502d464c4f514e3551
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "host/DESKTOP-FLOQN5Q"
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x0207001901686f73742f4445534b544f502d464c4f514e3551
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "host/DESKTOP-FLOQN5Q"
Now the User-Name is the real PC hostname "host/DESKTOP-FLOQN5Q".
So it seems the outer and the inner tunnel see different User-Names.
Is this intentional?
Any chance to have one User-Name only, e.g. the client certificate name: RadiusClient?
Thanks
Uwe
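
The EAP-Message value in the inner-tunnel lines of the debug output above is an EAP-Response/Identity packet (RFC 3748 layout), and decoding it shows where the second name comes from. The Python below is an added example, not part of the original post and not FreeRADIUS code; the function names `parse_eap` and `identities` are hypothetical.

```python
import struct

# EAP codes and the Identity type number, per RFC 3748.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# EAP-Message value copied from the inner-tunnel lines of the debug output above.
INNER_EAP_MESSAGE = "0x0207001901686f73742f4445534b544f502d464c4f514e3551"


def parse_eap(hex_value):
    """Decode one EAP packet given as a FreeRADIUS-style hex string."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP length {length} does not fit {len(raw)} bytes")
    packet = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
              "length": length, "type": None, "identity": None}
    # Only Request and Response packets carry a Type byte and type data.
    if code in (1, 2) and length >= 5:
        packet["type"] = raw[4]
        if raw[4] == EAP_TYPE_IDENTITY:
            # Identity data runs to the declared length, not to end of buffer.
            packet["identity"] = raw[5:length].decode("utf-8", errors="replace")
    return packet


def identities(outer_user_name, inner_eap_hex):
    """Return (outer name, inner identity, whether they differ)."""
    inner = parse_eap(inner_eap_hex)["identity"]
    return outer_user_name, inner, outer_user_name != inner


if __name__ == "__main__":
    print(parse_eap(INNER_EAP_MESSAGE))
    # Outer User-Name taken from the Access-Request in the debug output above.
    print(identities("host/RadiusClient", INNER_EAP_MESSAGE))
```
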