Anonymous outer identity

Jaume Obrador Vaquer jobrador at lledoner.com
Tue May 31 17:16:25 UTC 2022


Hi, we’ve set up FreeRADIUS 3.0 in order to authenticate users through an
LDAP server; users are also assigned different VLANs depending on the gidNumber
LDAP attribute. We have two enabled sites, ‘default’ and ‘inner-tunnel’.

Those are the relevant parts of our setup:

sites-enabled/default

post-auth {

        if (LDAP-Group == 10000 ) {
                update reply {
                        Service-Type = Framed-User
                        Tunnel-Type = 13
                        Tunnel-Medium-Type = 6
                        Tunnel-Private-Group-ID = 20
                }
        }
        if (LDAP-Group == 10001 ) {
                update reply {
                        Service-Type = Framed-User
                        Tunnel-Type = 13
                        Tunnel-Medium-Type = 6
                        Tunnel-Private-Group-ID = 40
                }
        }

                [….]

}


mods-enabled/ldap

user  {

                […]

                filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2)))"

                […]

}

I’ve ignored most parts of the configuration because they are mostly the
default configuration. This has been working for several years with no
relevant issues, but now we’ve noticed an issue that we would like to correct:

Windows clients send ‘anonymous’ as the anonymous identity when connecting to
Wi-Fi after wake-up, so the outer identity is set to ‘anonymous’ and the post-auth
section of the ‘default’ site gets the outer identity instead of the real one.
The LDAP search is therefore based on ‘anonymous’, the user is not found, so there
is no LDAP-Group, and no correct VLAN is assigned to that client. This also
happens if someone enters “anonymous” as the anonymous identity when connecting.

Here’s the Access-Request part of a log ending with Access-Accept, but with
the wrong VLAN assigned.


(29) Received Access-Request Id 43 from 192.168.0.19:38666 to
192.168.10.100:1812 length 306
(29)   User-Name = "anonymous"
(29)   NAS-IP-Address = 192.168.0.19
(29)   NAS-Identifier = "fa92bf24addf"
(29)   Called-Station-Id = "FA-92-BF-24-AD-DF:LLEDONER"
(29)   NAS-Port-Type = Wireless-802.11
(29)   Service-Type = Framed-User
(29)   Calling-Station-Id = "D0-C5-D3-5A-3E-A9"
(29)   Connect-Info = "CONNECT 0Mbps 802.11b"
(29)   Acct-Session-Id = "AFE698CF77042B3D"
(29)   Acct-Multi-Session-Id = "7A7B1A2476F7F9DE"
(29)   WLAN-Pairwise-Cipher = 1027076
(29)   WLAN-Group-Cipher = 1027076
(29)   WLAN-AKM-Suite = 1027073
(29)   Framed-MTU = 1400
(29)   EAP-Message =
0x021e004b158000000041170303003c00000000000000010eb9490a83ceab9db4773eec8b6ebf9a98789e9d07b5f4c3a2653bd425ea8133893eedba6b2e0e5050f6987735a41ba601545c91
(29)   State = 0x8492598d818c4c92471f232c19036cae
(29)   Message-Authenticator = 0x4c9003e6cc19547d42d86a1df23d1a76
(29) session-state: No cached attributes
(29) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(29)   authorize {
(29)     policy filter_username {
(29)       if (&User-Name) {
(29)       if (&User-Name)  -> TRUE
(29)       if (&User-Name)  {
(29)         if (&User-Name =~ / /) {
(29)         if (&User-Name =~ / /)  -> FALSE
(29)         if (&User-Name =~ /@[^@]*@/ ) {
(29)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(29)         if (&User-Name =~ /\.\./ ) {
(29)         if (&User-Name =~ /\.\./ )  -> FALSE
(29)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(29)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(29)         if (&User-Name =~ /\.$/)  {
(29)         if (&User-Name =~ /\.$/)   -> FALSE
(29)         if (&User-Name =~ /@\./)  {
(29)         if (&User-Name =~ /@\./)   -> FALSE
(29)       } # if (&User-Name)  = notfound
(29)     } # policy filter_username = notfound
(29)     [preprocess] = ok
(29)     [chap] = noop
(29)     [mschap] = noop
(29)     [digest] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(29) suffix: No such realm "NULL"
(29)     [suffix] = noop
(29) eap: Peer sent EAP Response (code 2) ID 30 length 75
(29) eap: Continuing tunnel setup
(29)     [eap] = ok
(29)   } # authorize = ok
(29) Found Auth-Type = eap
(29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(29)   authenticate {
(29) eap: Expiring EAP session with state 0x8492598d818c4c92
(29) eap: Finished EAP session with state 0x8492598d818c4c92
(29) eap: Previous EAP request found for state 0x8492598d818c4c92, released
from the list
(29) eap: Peer sent packet with method EAP TTLS (21)
(29) eap: Calling submodule eap_ttls to process data
(29) eap_ttls: Authenticate
(29) eap_ttls: Continuing EAP-TLS
(29) eap_ttls: Peer indicated complete TLS record size will be 65 bytes
(29) eap_ttls: Got complete TLS record (65 bytes)
(29) eap_ttls: [eaptls verify] = length included
(29) eap_ttls: [eaptls process] = ok
(29) eap_ttls: Session established.  Proceeding to decode tunneled
attributes
(29) eap_ttls: Got tunneled request
(29) eap_ttls:   User-Name = "mroig"
(29) eap_ttls:   User-Password = “******”
(29) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(29) eap_ttls: Sending tunneled request
(29) Virtual server inner-tunnel received request
(29)   User-Name = "mroig"
(29)   User-Password = “******”
(29)   FreeRADIUS-Proxied-To = 127.0.0.1
(29)   NAS-IP-Address = 192.168.0.19
(29)   NAS-Identifier = "fa92bf24addf"
(29)   Called-Station-Id = "FA-92-BF-24-AD-DF:LLEDONER"
(29)   NAS-Port-Type = Wireless-802.11
(29)   Service-Type = Framed-User
(29)   Calling-Station-Id = "D0-C5-D3-5A-3E-A9"
(29)   Connect-Info = "CONNECT 0Mbps 802.11b"
(29)   Acct-Session-Id = "AFE698CF77042B3D"
(29)   Acct-Multi-Session-Id = "7A7B1A2476F7F9DE"
(29)   WLAN-Pairwise-Cipher = 1027076
(29)   WLAN-Group-Cipher = 1027076
(29)   WLAN-AKM-Suite = 1027073
(29)   Framed-MTU = 1400
(29)   Event-Timestamp = "May 26 2022 09:44:29 CEST"
(29) server inner-tunnel {
(29)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(29)     authorize {
(29)       policy filter_username {
(29)         if (&User-Name) {
(29)         if (&User-Name)  -> TRUE
(29)         if (&User-Name)  {
(29)           if (&User-Name =~ / /) {
(29)           if (&User-Name =~ / /)  -> FALSE
(29)           if (&User-Name =~ /@[^@]*@/ ) {
(29)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(29)           if (&User-Name =~ /\.\./ ) {
(29)           if (&User-Name =~ /\.\./ )  -> FALSE
(29)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(29)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(29)           if (&User-Name =~ /\.$/)  {
(29)           if (&User-Name =~ /\.$/)   -> FALSE
(29)           if (&User-Name =~ /@\./)  {
(29)           if (&User-Name =~ /@\./)   -> FALSE
(29)         } # if (&User-Name)  = notfound
(29)       } # policy filter_username = notfound
(29)       [chap] = noop
(29)       [mschap] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "mroig", looking up realm NULL
(29) suffix: No such realm "NULL"
(29)       [suffix] = noop
(29)       update control {
(29)         &Proxy-To-Realm := LOCAL
(29)       } # update control = noop
(29) eap: No EAP-Message, not doing EAP
(29)       [eap] = noop
(29)       [files] = noop
rlm_ldap (ldap): Reserved connection (2)
(29) ldap: EXPAND
(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2)))
(29) ldap:    --> (&(uid=mroig)(|(businessCategory=1)(businessCategory=2)))
(29) ldap: Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with
filter "(&(uid=mroig)(|(businessCategory=1)(businessCategory=2)))", scope
"sub"
(29) ldap: Waiting for search result...
(29) ldap: User object found at DN
"uid=mroig,ou=Gent,ou=lledoner,dc=nigul,dc=coop"
(29) ldap: Processing user attributes
(29) ldap: control:NT-Password :=
0x4431443741394445383432423837443141333545433343363734323637323033
rlm_ldap (ldap): Released connection (2)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(29)       [ldap] = updated
(29)       if (noop && User-Password) {
(29)       if (noop && User-Password)  -> FALSE
(29)       [expiration] = noop
(29)       [logintime] = noop
(29) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(29)       [pap] = updated
(29)     } # authorize = updated
(29)   Found Auth-Type = PAP
(29)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(29)     Auth-Type PAP {
(29) pap: Login attempt with password
(29) pap: Comparing with "known-good" NT-Password
(29) pap: User authenticated successfully
(29)       [pap] = ok
(29)     } # Auth-Type PAP = ok
(29)   # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(29)     post-auth {
(29)       if (0) {
(29)       if (0)  -> FALSE
(29)     } # post-auth = noop
(29) } # server inner-tunnel
(29) Virtual server sending reply
(29) eap_ttls: Got tunneled Access-Accept
(29) eap: Sending EAP Success (code 3) ID 30 length 4
(29) eap: Freeing handler
(29)     [eap] = ok
(29)   } # authenticate = ok
(29) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(29)   post-auth {
(29)     if (LDAP-Group == 10000 ) {
(29)     Searching for user in group "10000"
rlm_ldap (ldap): Reserved connection (3)
(29)     EXPAND
(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2)))
(29)        -->
(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))
(29)     Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with
filter "(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))",
scope "sub"
(29)     Waiting for search result...
(29)     Search returned no results
rlm_ldap (ldap): Released connection (3)
(29)     if (LDAP-Group == 10000 )  -> FALSE
(29)     if (LDAP-Group == 10001 ) {
(29)     Searching for user in group "10001"
rlm_ldap (ldap): Reserved connection (4)
(29)     EXPAND
(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2)))
(29)        -->
(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))
(29)     Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with
filter "(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))",
scope "sub"
(29)     Waiting for search result...
(29)     Search returned no results
rlm_ldap (ldap): Released connection (4)
(29)     if (LDAP-Group == 10001 )  -> FALSE
(29)     if (LDAP-Group == 10032 ) {
(29)     Searching for user in group "10032"
rlm_ldap (ldap): Reserved connection (0)
(29)     EXPAND
(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(|(businessCategory=1)(businessCategory=2)))
(29)        -->
(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))
(29)     Performing search in "ou=Gent,ou=lledoner,dc=nigul,dc=coop" with
filter "(&(uid=anonymous)(|(businessCategory=1)(businessCategory=2)))",
scope "sub"
(29)     Waiting for search result...
(29)     Search returned no results
rlm_ldap (ldap): Released connection (0)
(29)     if (LDAP-Group == 10032 )  -> FALSE
(29)     update {
(29)       No attributes updated
(29)     } # update = noop
(29)     [exec] = noop
(29)     policy remove_reply_message_if_eap {
(29)       if (&reply:EAP-Message && &reply:Reply-Message) {
(29)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(29)       else {
(29)         [noop] = noop
(29)       } # else = noop
(29)     } # policy remove_reply_message_if_eap = noop
(29)   } # post-auth = noop
(29) Sent Access-Accept Id 43 from 192.168.10.100:1812 to 192.168.0.19:38666
length 0
(29)   MS-MPPE-Recv-Key =
0x9d69d88a6eec283428461d5b448a1895c01d1f9fabd804b184bc0e435328efad
(29)   MS-MPPE-Send-Key =
0x097545e078f9a72d69f885fa90ee1b65e7d0016fcf04a8f87281cf9242240f42
(29)   EAP-Message = 0x031e0004
(29)   Message-Authenticator = 0x00000000000000000000000000000000
(29)   User-Name = "anonymous"
(29) Finished request



With a little research I’ve found several places that discuss this
matter, but none of them offers a solution for us. What we tried is:

In sites-enabled/inner-tunnel we set if (0) to if (1) here:

        #  Instead of "use_tunneled_reply", change this "if (0)" to an
        #  "if (1)".
        #
        if (1) {
                #
                #  These attributes are for the inner-tunnel only,
                #  and MUST NOT be copied to the outer reply.
                #
                update reply {
                        User-Name !* ANY
                        Message-Authenticator !* ANY
                        EAP-Message !* ANY
                        Proxy-State !* ANY
                        MS-MPPE-Encryption-Types !* ANY
                        MS-MPPE-Encryption-Policy !* ANY
                        MS-MPPE-Send-Key !* ANY
                        MS-MPPE-Recv-Key !* ANY
                }

                #
                #  Copy the inner reply attributes to the outer
                #  session-state list.  The post-auth policy will take
                #  care of copying the outer session-state list to the
                #  outer reply.
                #
                update {
                        &outer.session-state: += &reply:
                }
        }

This didn’t solve the issue.

We also tried to add this in the same post-auth section:

       update reply {
               User-Name := &request:User-Name
       }

Neither solved the issue.



So, as you see, we need a little help to make freeradius use the real
identity every time it does the LDAP search to get the correct gidNumber,
so we can assign the correct VLAN to the client.

Thanks a lot.

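One way to make the group check see the real identity, as an added example that is not from the original post and not FreeRADIUS's shipped configuration: do the LDAP-Group checks in the inner-tunnel post-auth, where User-Name is the tunneled identity, and let the session-state copy carry the VLAN attributes out to the outer reply. It assumes the 'default' site's post-auth still contains the stock update { &reply: += &session-state: } block and that the group checks are removed from 'default'.

```unlang
# sites-enabled/inner-tunnel, post-auth section (added example, not the
# poster's configuration). The inner request carries the real User-Name
# ("mroig" in the log above), so the ldap group lookup resolves the user
# instead of the outer "anonymous" identity.
post-auth {
        if (LDAP-Group == 10000) {
                update reply {
                        Service-Type = Framed-User
                        Tunnel-Type = 13
                        Tunnel-Medium-Type = 6
                        Tunnel-Private-Group-ID = 20
                }
        }
        if (LDAP-Group == 10001) {
                update reply {
                        Service-Type = Framed-User
                        Tunnel-Type = 13
                        Tunnel-Medium-Type = 6
                        Tunnel-Private-Group-ID = 40
                }
        }

        #  Strip attributes that must stay inside the tunnel, then hand the
        #  remaining inner reply (the Tunnel-* VLAN attributes) to the outer
        #  session-state. The stock 'default' post-auth copies session-state
        #  into the outer reply (assumed to still be in place).
        update reply {
                User-Name !* ANY
                Message-Authenticator !* ANY
                EAP-Message !* ANY
                Proxy-State !* ANY
                MS-MPPE-Encryption-Types !* ANY
                MS-MPPE-Encryption-Policy !* ANY
                MS-MPPE-Send-Key !* ANY
                MS-MPPE-Recv-Key !* ANY
        }
        update {
                &outer.session-state: += &reply:
        }
}
```

Remove the matching LDAP-Group checks from the 'default' post-auth, since there they only ever run against the outer identity, and confirm in debug output that the inner-tunnel post-auth expands the user filter with uid=mroig rather than uid=anonymous before the Tunnel-Private-Group-ID appears in the outer Access-Accept.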