This issue was discussed on the list several months ago, but I haven't
seen any resolution posted.

Recent Broadcom wireless drivers in Dell laptops natively support
EAP-TTLS but do not send an outer User-Name. Apparently the standard
permits this behavior, but it causes EAP authentication to fail on
FreeRADIUS (latest CVS) with the error 'UserIdentity Unknown':

rad_recv: Access-Request packet from host 172.16.83.5:21650, id=100, length=153
        User-Name = ""
        Framed-MTU = 1400
        Called-Station-Id = "000f.f7a7.bee0"
        Calling-Station-Id = "0090.96b6.6fa9"
        Cisco-AVPair = "ssid=cwu"
        Service-Type = Login-User
        Message-Authenticator = 0xfb434f263f2d7616f14bdbca628e665c
        EAP-Message = 0x0201000501
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "399"
        NAS-Port = 399
        NAS-IP-Address = 172.16.83.5
        NAS-Identifier = "ap1231-bou-2c-1"
rad_lowerpair:  User-Name now ''
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  rlm_eap: EAP packet type response id 1 length 5
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched DEFAULT at 21
  modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
  Processing the authorize section of radiusd.conf
modcall: entering group Autz-Type for request 4
radius_xlat:  'anonymous'
rlm_attr_rewrite: Added attribute User-Name with value 'anonymous'
  modcall[authorize]: module "add-username" returns ok for request 4
modcall: group Autz-Type returns ok for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: UserIdentity Unknown
rlm_eap: Identity Unknown, authentication failed
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Login incorrect: [] (from client ap1231-bou-2c-1 port 399 cli 0090.96b6.6fa9)

As the log indicates, I'm using rlm_attr_rewrite to supply the missing
User-Name, but this seems to occur too late for EAP processing to pick
it up.

relevant portions of users:

# rewrite empty User-Name
DEFAULT User-Name =~ "^$", Autz-Type := rewrite

# avoid LDAP lookup for user outside EAP-TTLS tunnel
anonymous Autz-Type := NULL

# only use SQL for MAC authentication
DEFAULT User-Name =~ "^[0-9a-f]{12}$", Autz-Type := SQL

# LDAP for rest
DEFAULT Autz-Type := LDAP

relevant portions of radiusd.conf:

modules {
...
        attr_rewrite add-username {
                attribute = User-Name
                searchin = packet
                searchfor = "^$"
                replacewith = "anonymous"
                maxmatches = 1
                new_attribute = yes
        }
...
}


authorize {
        preprocess
        eap
        files

        # only use LDAP for authorization when explicitly told to
        Autz-Type LDAP {
                ldap
        }
        # ditto for SQL (MAC authentication only)
        Autz-Type SQL {
                sql
        }
        Autz-Type rewrite {
                add-username
        }
}

authenticate {
        eap
        authtype PAP {
                pap
        }
        authtype LDAP {
                ldap
        }
}

EAP-TTLS works fine if I send any non-empty value for the outer
User-Name, which I can do with other supplicants but not the one in
question. Has anyone solved this problem? From my research, it appears
that configuration directives aren't enough, and changes to the code are
required.

David Hart
Central Washington University


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
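The debug output above prints the raw EAP packet as EAP-Message = 0x0201000501. Decoding it per the RFC 3748 packet layout shows that the EAP-Response/Identity itself carries a zero-length identity, not just the RADIUS User-Name attribute, which is why rewriting User-Name in the authorize section leaves the EAP layer with nothing to work with. The decoder below is an added example and is not code from the original post or from FreeRADIUS; the second sample packet (identity "anonymous@example.edu", built with a hypothetical build_identity_response helper) is constructed here to show what a supplicant that does send an outer identity would emit.

```python
"""Decode the EAP-Message attribute printed in FreeRADIUS debug output.

Added example (not from the original post or from FreeRADIUS). It parses an
EAP packet according to RFC 3748 so you can compare the identity the
supplicant sent inside EAP with the RADIUS User-Name attribute.
"""
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Values taken from the debug log in the post above.
LOG_USER_NAME = ""
LOG_EAP_MESSAGE = "0x0201000501"


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type
    type_data: bytes

    @property
    def identity(self) -> Optional[str]:
        """Identity string of an EAP-Response/Identity, else None.

        RFC 3748 section 5.1 allows a NUL followed by optional data after the
        identity, so only the bytes before the first NUL are the identity.
        """
        if self.code != 2 or self.eap_type != 1:
            return None
        return self.type_data.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one complete EAP packet (all EAP-Message fragments concatenated)."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length != len(raw):
        # Mismatch means the attribute was truncated or fragments are missing.
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    if code in (3, 4):
        if length != 4:
            raise ValueError("EAP Success/Failure must be exactly 4 bytes")
        return EapPacket(code, identifier, length, None, b"")
    if length < 5:
        raise ValueError("EAP Request/Response needs a Type byte")
    return EapPacket(code, identifier, length, raw[4], raw[5:length])


def parse_eap_message_attr(hex_value: str) -> EapPacket:
    """Accept the '0x...' form that the FreeRADIUS debug output prints."""
    if hex_value.startswith("0x"):
        hex_value = hex_value[2:]
    return parse_eap(bytes.fromhex(hex_value))


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Hypothetical helper: the EAP-Response/Identity a supplicant would send."""
    body = identity.encode("utf-8")
    return struct.pack("!BBHB", 2, identifier, 5 + len(body), 1) + body


def describe(pkt: EapPacket) -> str:
    kind = EAP_CODES[pkt.code]
    if pkt.eap_type is None:
        return f"EAP-{kind} id={pkt.identifier} len={pkt.length}"
    tname = EAP_TYPES.get(pkt.eap_type, f"type-{pkt.eap_type}")
    ident = "" if pkt.identity is None else f" identity={pkt.identity!r}"
    return f"EAP-{kind}/{tname} id={pkt.identifier} len={pkt.length}{ident}"


def identity_diagnosis(user_name: str, eap_message_hex: str) -> str:
    """Compare the RADIUS User-Name with the identity carried inside EAP."""
    pkt = parse_eap_message_attr(eap_message_hex)
    eap_id = pkt.identity
    if eap_id is None:
        return "not an EAP-Response/Identity: " + describe(pkt)
    if eap_id == "" and user_name == "":
        return "empty identity in both User-Name and EAP-Response/Identity"
    if eap_id != user_name:
        return f"User-Name {user_name!r} differs from EAP identity {eap_id!r}"
    return f"identity {eap_id!r} consistent between User-Name and EAP"


if __name__ == "__main__":
    print(describe(parse_eap_message_attr(LOG_EAP_MESSAGE)))
    print(identity_diagnosis(LOG_USER_NAME, LOG_EAP_MESSAGE))
    sample = build_identity_response(1, "anonymous@example.edu")  # constructed
    print(describe(parse_eap(sample)))
```

Run against the log values, the decoder reports an EAP-Response/Identity of length 5 with an empty identity, i.e. the supplicant sends no outer identity at all, so the server has only the attribute rewrite to go on and the EAP payload remains empty regardless of what User-Name is set to.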
