How does CUI work? How does anonymous work? I'm lost

Daniel Guimaraes Pena daniel.pena at mpdft.mp.br
Wed Jun 24 15:01:08 CEST 2020


Hi all,

I'm facing hard times trying to understand how RADIUS auth works. Every time I think I have understood, a new problem appears and messes with my head.

Reading files, I saw that the inner-tunnel username can be different from the outer username due to privacy. But, in those cases, the outer username must be an anonymous username, otherwise it might be spoofing.

What happens in my logs is NOT anonymous. Some devices (always Android) send the username as a number and, for the inner tunnel, the real username. One problem is that this number is different for each user, but it never changes: for user01, his number will always be the same for him, but it differs from user02. So, I can't use filter username.

So, searching e-mails, I found some update outer.reply stuff (and some other things) to put in post-auth, but had no success.

So, until now, I have this (real usernames):
User joao.bosco will connect to wifi, so he enables wifi on his device.
Then, the first request comes with this username: User-Name = "321457" (and for him, always the same).
So, freeradius goes on, creates the inner tunnel and his real username appears:
(224) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(224) sql:    --> joao.bosco
(224) sql: SQL-User-Name set to 'joao.bosco'
(224) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
(224) sql:    --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
(224) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL

Here, it checks for simultaneous sessions. This part is ok.
Then, freeradius goes on, and the things I found in my searches appear to work (outer.reply stuff):
(224)       update outer.reply {
(224)         User-Name := &request:User-Name -> 'joao.bosco'
(224)       } # update outer.reply = noop
(224)     } # post-auth = ok
(224)   Login OK: [joao.bosco] (from client AP-CEI-TER-221 port 0 via TLS tunnel)
(224) } # server inner-tunnel
(224) Virtual server sending reply
(224)   Idle-Timeout = 300
(224)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(224)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(224)   MS-MPPE-Send-Key = 0x7b0f70472005cfcee3f2942f7484f8e0
(224)   MS-MPPE-Recv-Key = 0xcbb304c0e2f86a5828dfdb393906bea4
(224)   EAP-Message = 0x03cb0004
(224)   Message-Authenticator = 0x00000000000000000000000000000000
(224*******)   User-Name = "joao.bosco"
(224) eap_peap: Got tunneled reply code 2
(224) eap_peap:   Idle-Timeout = 300
(224) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(224) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(224) eap_peap:   MS-MPPE-Send-Key = 0x7b0f70472005cfcee3f2942f7484f8e0
(224) eap_peap:   MS-MPPE-Recv-Key = 0xcbb304c0e2f86a5828dfdb393906bea4
(224) eap_peap:   EAP-Message = 0x03cb0004
(224) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(224) eap_peap:   User-Name = "joao.bosco"
(224) eap_peap: Got tunneled reply RADIUS code 2
(224) eap_peap:   Idle-Timeout = 300
(224) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(224) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(224) eap_peap:   MS-MPPE-Send-Key = 0x7b0f70472005cfcee3f2942f7484f8e0
(224) eap_peap:   MS-MPPE-Recv-Key = 0xcbb304c0e2f86a5828dfdb393906bea4
(224) eap_peap:   EAP-Message = 0x03cb0004
(224) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(224) eap_peap:   User-Name = "joao.bosco"
(224) eap_peap: Tunneled authentication was successful
(224) eap_peap: SUCCESS
(224) eap: Sending EAP Request (code 1) ID 204 length 46
(224) eap: EAP session adding &reply:State = 0x2899acb82055b5bd
(224)     [eap] = handled
(224)   } # authenticate = handled
(224) Using Post-Auth-Type Challenge
(224) Post-Auth-Type sub-section not found.  Ignoring.
(224) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(224) Sent Access-Challenge Id 127 from 10.34.242.3:1812 to 10.34.87.221:44442 length 0
(224*********)   User-Name := "joao.bosco"
(224)   EAP-Message = 0x01cc002e1900170303002307a25f0b393cc4df3f654be203d74fbcdd1ec936ebbbb6fdba3e8867a9583c5f6677bc
(224)   Message-Authenticator = 0x00000000000000000000000000000000
(224)   State = 0x2899acb82055b5bdee6ad9f73e1a7846

Those ******** show what I think is the right consequence of outer.reply.

Continuing, in the next packet, the number is back:
(225) Received Access-Request Id 128 from 10.34.87.221:44442 to 10.34.242.3:1812 length 313
(225)   User-Name = "321457"

Then, it executes post-auth in the name of 321457, inserting the wrong username into the DB:
(225) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(225)   post-auth {
(225)     update {
(225)       No attributes updated
(225)     } # update = noop
(225) sql: EXPAND .query
(225) sql:    --> .query
(225) sql: Using query template 'query'
(225) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(225) sql:    --> 321457
(225) sql: SQL-User-Name set to '321457'
(225) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{%{integer:Event-Timestamp}:-NOW()}))
(225) sql:    --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '74-DA-88-ED-D3-32:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593000289))
(225) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '74-DA-88-ED-D3-32:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593000289))
(225) sql: SQL query returned: success
(225) sql: 1 record(s) updated
(225)     [sql] = ok
(225)     [exec] = noop
(225)     policy remove_reply_message_if_eap {
(225)       if (&reply:EAP-Message && &reply:Reply-Message) {
(225)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(225)       else {
(225)         [noop] = noop
(225)       } # else = noop
(225)     } # policy remove_reply_message_if_eap = noop
(225)   } # post-auth = ok
(225) Login OK: [321457] (from client AP-CEI-TER-221 port 0 cli 70-FD-46-BE-0D-8A)

This part:
(225)   post-auth {
(225)     update {
(225)       No attributes updated
(225)     } # update = noop
I thought of putting something here to update the username... but then: "from where could I pick the right one?" No clue.
And here comes the Access-Accept:
(225) Sent Access-Accept Id 128 from 10.34.242.3:1812 to 10.34.87.221:44442 length 0
(225)   MS-MPPE-Recv-Key = 0x64f41978c0fde374a2b11308204593aed2e7feba32223cdcd5dbec47c0c80593
(225)   MS-MPPE-Send-Key = 0xd71b8e63dce5a856f8e77f0f86fc9459bd07f8130dbc72a001f6431043ec29aa
(225)   EAP-Message = 0x03cc0004
(225)   Message-Authenticator = 0x00000000000000000000000000000000
(225)   User-Name = "321457"
Wrong username again.


And, lastly, the Accounting-Request:
(236) Received Accounting-Request Id 129 from 10.34.87.221:37992 to 10.34.242.3:1813 length 247
(236)   Acct-Status-Type = Start
(236)   Acct-Authentic = RADIUS
(236)   User-Name = "321457"

That sends this to line-log: Connect: [321457] (did 74-DA-88-ED-D3-32:MPDFT cli 70-FD-46-BE-0D-8A port  ip 172.28.255.182)
And inserts this into radacct:
(236) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('74da88edd332-203B18825AE31355', '2e382eabcf5b705081c1d8cdbbb1d876', '321457', NULLIF('', ''), '10.34.87.221', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1593000292), TO_TIMESTAMP(1593000292), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '74-DA-88-ED-D3-32:MPDFT', '70-FD-46-BE-0D-8A', NULL, 'Framed-User', '', NULLIF('172.28.255.182', '')::inet)
(236) sql: SQL query returned: success
(236) sql: 1 record(s) updated

Well, with this scenario, everything works fine for 321457. I have queries that close stalled sessions, etc... but I don't know the real username, AND simultaneous-use will never work, since it's checking the real username... I can't call accounting queries from the inner tunnel...


In another e-mail, somebody told me to use CUI. I read all the documentation, but I simply did not understand. What will it do? I need to register the real username in radacct...

It appears that the more I read, the less I understand... I have Android and I don't even know how to configure it to create this scenario with 2 different usernames...
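The identity mismatch described in this post, as an added example that is not part of the original message and is not FreeRADIUS code: a small Python script that groups `radiusd -X` output by request number, takes the identity from the tunnelled `Login OK ... via TLS tunnel` line as the real one, correlates the outer accept and the accounting packet with it through the client MAC (the `cli` field of the outer `Login OK` line, the `CallingStationId` in the inner SQL query, or a `Calling-Station-Id` attribute), and reports every place where a different username is about to be logged or written to radacct. The log sample is constructed from the lines quoted above and abridged; the `Calling-Station-Id` attribute on request (236) is an assumption added so the accounting packet can be correlated.

```python
import re
import sys
from collections import defaultdict

# Constructed sample, abridged from the debug output in the post. The
# Calling-Station-Id line on request (236) is an assumption added here so
# the Accounting-Request can be correlated with the authentication.
SAMPLE_LOG = """\
(224) sql: SQL-User-Name set to 'joao.bosco'
(224) sql:    --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
(224)   Login OK: [joao.bosco] (from client AP-CEI-TER-221 port 0 via TLS tunnel)
(225) Received Access-Request Id 128 from 10.34.87.221:44442 to 10.34.242.3:1812 length 313
(225)   User-Name = "321457"
(225) Login OK: [321457] (from client AP-CEI-TER-221 port 0 cli 70-FD-46-BE-0D-8A)
(225) Sent Access-Accept Id 128 from 10.34.242.3:1812 to 10.34.87.221:44442 length 0
(236) Received Accounting-Request Id 129 from 10.34.87.221:37992 to 10.34.242.3:1813 length 247
(236)   Acct-Status-Type = Start
(236)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(236)   User-Name = "321457"
"""

LINE_RE = re.compile(r'^\((\d+)\)\s*(.*)$')                 # "(224) rest of line"
LOGIN_RE = re.compile(r'Login OK: \[([^\]]+)\] \((.*)\)$')  # username and origin text
ATTR_RE = re.compile(r'^([A-Za-z-]+) = "?([^"]*)"?$')        # "Attr = value" lines
# Client MAC as it appears in the three places the debug output shows it.
MAC_RE = re.compile(r"""(?:cli |Calling-Station-Id = "|CallingStationId<>')"""
                    r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_debug(text):
    """Group radiusd -X lines by request number and extract the fields we need."""
    reqs = defaultdict(lambda: {"kind": None, "attrs": {}, "login": None,
                                "tunnel": False, "mac": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        r = reqs[int(m.group(1))]
        body = m.group(2).strip()
        if body.startswith("Received Access-Request"):
            r["kind"] = "auth"
        elif body.startswith("Received Accounting-Request"):
            r["kind"] = "acct"
        lm = LOGIN_RE.search(body)
        if lm:
            r["login"] = lm.group(1)
            r["tunnel"] = "via TLS tunnel" in lm.group(2)   # inner-tunnel success
        am = ATTR_RE.match(body)
        if am:
            r["attrs"][am.group(1)] = am.group(2)
        mm = MAC_RE.search(body)
        if mm:
            r["mac"] = mm.group(1).upper()
    return dict(reqs)


def find_identity_mismatches(reqs):
    """Return (request, stage, logged_name, inner_name) for every outer accept or
    accounting packet whose username differs from the tunnelled identity seen for
    the same client MAC."""
    inner = {r["mac"]: r["login"]
             for r in reqs.values() if r["login"] and r["tunnel"] and r["mac"]}
    findings = []
    for num, r in sorted(reqs.items()):
        real = inner.get(r["mac"])
        if real is None:
            continue
        if r["login"] and not r["tunnel"] and r["login"] != real:
            findings.append((num, "outer-accept", r["login"], real))
        acct_user = r["attrs"].get("User-Name")
        if r["kind"] == "acct" and acct_user is not None and acct_user != real:
            findings.append((num, "accounting", acct_user, real))
    return findings


if __name__ == "__main__":
    # Pass a saved radiusd -X capture as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for num, stage, logged, real in find_identity_mismatches(parse_debug(text)):
        print(f"({num}) {stage}: logged as {logged!r} but inner identity is {real!r}")
```

On the sample this reports request (225) accepting and logging as `321457` and request (236) starting accounting as `321457`, while the inner tunnel authenticated `joao.bosco`; the same check run over a longer capture shows how many sessions end up in radacct under the outer number rather than the real user.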