PEAP-MSCHAPv2 and anonymous outer identity - can't understand passing inner username to outer tunnel
Samuel Walker-Kierluk
samwalkerkierluk at me.com
Tue May 3 16:52:56 UTC 2022
Hi all,
I’ve got FreeRADIUS handling our “eduroam” needs at my university. Users from outside our realms are proxied to the national eduroam proxies, and users matching our realms are handled locally:
- Authentication: PEAP-MSCHAPv2 authentication (using ntlm_auth) against our Active Directory domain controllers
- Post-Auth in outer server file: for users of our own realm and on our own campus’s network, I use a few “if” statements (one based on a username pattern, another based on an LDAP-Group lookup of Stripped-User-Name) to send the VLAN ID to the access point.
This works wonderfully when using the same inner and outer identity, but after I set up anonymous outer identities on my clients, the VLAN ID assignment in the post-auth section doesn’t work properly, as it uses the outer identity “anonymous” instead of the username from the inner tunnel.
I’ve spent about a day and a half working on this, going through old mailing list posts and the documentation, inserting and removing sections, with no progress being made. It’s clear that I’ve missed some piece of information or misunderstood a critical concept, regarding how to pass the inner identity (hopefully both User-Name and Stripped-User-Name) to the outer post-auth section. (I don’t need the actual Access-Accept message to contain the inner identity, I just need to be able to use it for the VLAN assignment.)
I thought that the “copy_request_to_tunnel” and “use_tunneled_reply” would update at least the User-Name attribute (though not the Stripped-User-Name attribute of the outer tunnel), but even my first “if” statement in my outer-tunnel post-auth section, which uses the User-Name attribute, always receives “anonymous” as the User-Name attribute.
I also tried making a dictionary Attribute for local use (ID between 3000 and 4000, type string), along the lines of “Username-to-use-for-VLAN-assignment”, and having it be set in the inner-tunnel server and accessible to the outer-tunnel server, but I think I’ve misunderstood how this works.
Given the trouble I’m having, I think I’ve missed something that should have been obvious (with more sleep? or more coffee?) and would really appreciate any pointers that might come to mind!
I’ve included below:
- outer-tunnel configuration
- inner-tunnel configuration
- eap module configuration
Does anyone have any advice on what I might have missed, or where to look? Happy to provide a debug. Apologies for anything incomprehensible in the configs… they are put together from a number of different tutorials from GEANT and other online resources, and I am relatively new to RADIUS.
Best,
Samuel
server eduroam {
    listen {
        type = "auth"
        ipaddr = *
        port = 0
    }
    listen {
        type = "acct"
        ipaddr = *
        port = 0
    }
    authorize {
        if ("%{client:shortname}" !~ /rad[1-2]\.eduroam\.fr/) {
            update request {
                Operator-Name := "1MYDOMAIN.FR"
            }
        }
        auth_log
        suffix
        if (Realm == "NULL") {
            update request {
                &Module-Failure-Message += 'Rejected: Realm is NULL'
            }
            reject
        }
        eap
    }
    authenticate {
        # Only the eap module
        eap
    }
    preacct {
        suffix
    }
    accounting {
    }
    post-auth {
        if ("%{client:shortname}" == "campus-wifi") {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-ID := 6 # Unless a user-group check below indicates a different VLAN, the user gets VLAN 6, the guest VLAN.
            }
            if ((Realm == "MYDOMAIN.FR") || (Realm == "SECONDARYDOMAIN.FR")) {
                if (&User-Name =~ /^[aA][0-9]+/) { # for a User-Name starting with a/A followed by digits
                    update reply {
                        Tunnel-Private-Group-ID := 17 # Set to student VLAN.
                    }
                }
                elsif (LDAP-Group == "CN=Employees,OU=Groups,DC=mydomain,DC=local") { # For staff and faculty...
                    update reply {
                        Tunnel-Private-Group-ID := 15 # Set to staff VLAN
                    }
                }
                else {
                    update reply {
                        Tunnel-Private-Group-ID := 6 # For all users not covered above, set to guest VLAN
                    }
                }
            }
        }
        reply_log
        Post-Auth-Type REJECT {
            reply_log
        }
    }
    pre-proxy {
        pre_proxy_log
        if ("%{Packet-Type}" != "Accounting-Request") {
            attr_filter.pre-proxy
        }
    }
    post-proxy {
        post_proxy_log
        attr_filter.post-proxy
    }
}
server eduroam-inner-tunnel {
    authorize {
        auth_log
        files # for the eduroam test account
        eap
        mschap
        pap
    }
    authenticate {
        Auth-Type ntlm_auth {
            ntlm_auth
        }
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    post-auth {
        reply_log
        Post-Auth-Type REJECT {
            reply_log
            update outer.session-state {
                &Module-Failure-Message := &request:Module-Failure-Message
            }
        }
    }
}
eap {
    # General EAP information
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}
    tls-config tls-common {
        private_key_file = ${certdir}/myCert.key
        certificate_file = ${certdir}/myCert.cer
        ca_file = ${cadir}/myCertCA.cer
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        ca_path = ${cadir}
        cipher_list = "DEFAULT@SECLEVEL=1"
        ecdh_curve = "prime256v1"
        tls_min_version = "1.0"
        tls_max_version = "1.2"
        cache {
            enable = yes
            name = example-cache-name # NAME OF CACHE
            persist_dir = ${logdir}/tlscache
        }
        verify {
        }
        ocsp {
            enable = no
        }
    }
    # Declare the EAP methods being used.
    ttls {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
    }
    mschapv2 {
    }
}
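Added example, not part of Samuel's post: `use_tunneled_reply` only copies the inner *reply* list outward, so the inner request's User-Name never reaches the outer post-auth. The usual FreeRADIUS 3.x pattern is to copy the inner identity into `outer.session-state` (the same list the post already uses for Module-Failure-Message) and key the outer VLAN logic off `&session-state:`. Attribute names, realms and VLAN IDs follow the post; that the ldap module's user filter expands `%{Stripped-User-Name}`/`%{User-Name}` from the request list (as the default filter does) is an assumption.

```unlang
# --- eduroam-inner-tunnel: post-auth runs with the real (inner) identity ---
post-auth {
    # Stash the inner identity in the OUTER request's session-state. That list
    # survives the EAP round trips and is readable from the outer post-auth,
    # where the request's own User-Name is just "anonymous".
    # Stripped-User-Name only exists here if "suffix" ran in this server's
    # authorize, so fall back to the full inner User-Name.
    update outer.session-state {
        &User-Name := &request:User-Name
        &Stripped-User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
    }
    reply_log
    # (keep the existing Post-Auth-Type REJECT block from the post here)
}

# --- eduroam (outer): key every VLAN decision off session-state, not User-Name ---
post-auth {
    if ("%{client:shortname}" == "campus-wifi") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-ID := 6 # guest VLAN unless overridden below
        }
        # Realm still works: "suffix" in the outer authorize stripped it from
        # the anonymous outer identity (e.g. "anonymous@MYDOMAIN.FR").
        if ((Realm == "MYDOMAIN.FR") || (Realm == "SECONDARYDOMAIN.FR")) {
            # Assumed: the ldap module finds the user's DN by expanding
            # Stripped-User-Name/User-Name from the request list, so hand it
            # the inner identity before the LDAP-Group comparison runs.
            update request {
                &Stripped-User-Name := &session-state:Stripped-User-Name
            }
            if (&session-state:User-Name =~ /^[aA][0-9]+/) {
                update reply {
                    Tunnel-Private-Group-ID := 17 # student VLAN
                }
            }
            elsif (LDAP-Group == "CN=Employees,OU=Groups,DC=mydomain,DC=local") {
                update reply {
                    Tunnel-Private-Group-ID := 15 # staff VLAN
                }
            }
        }
    }
    reply_log
}
```

The session-state attributes are only populated when the inner tunnel actually ran (PEAP/TTLS), so with `radiusd -X` the outer post-auth should show the real username in the `session-state:` list while the request's User-Name stays "anonymous".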