Stefan Winter wrote:
Hello,

 I want to provide the possibility of anonymous EAP, with inner
User-name and password.

If you already successfully used outer = inner identity and it worked, you don't need to change anything. The eap module doesn't care about the User-Name of the outer request, just try it out.
Hm, but I want to use "anonymous" as the outer username (for eap) and
my real username for the authentication/authorization.

So I think I have to add the user "anonymous" to the users-file with
Auth-type = EAP, but how do I access the inner User-name, which I need
for authentication/authorization?

The inner request will magically show up after the tunnel has been decoded. It is a new request, and will have its own User-Name attribute.

Hm, for me it does not work,

my settings:

users-file:
#WLAN-anonymus:
DEFAULT User-Name=~"^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]$", Huntgroup-Name == WLAN
       Auth-Type:=EAP

# Default-Wlan
DEFAULT Auth-Type = pap, Huntgroup-Name == WLAN

my log:
rad_recv: Access-Request packet from host 131.188.4.190:20003, id=173, length=148
       NAS-Port-Id = "2059/1"
       Calling-Station-Id = "00-12-17-78-DD-58"
       Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
       Service-Type = Framed-User
       EAP-Message = 0x0
       User-Name = "anonymous"
       NAS-Port-Type = Wireless-802.11
       NAS-Identifier = "Trapeze"
       NAS-IP-Address = 131.188.4.190
       Message-Authenticator = 0x4
Fri Nov 17 12:03:14 2006 : Debug: Processing the authorize section of radiusd.conf
Fri Nov 17 12:03:14 2006 : Debug: modcall: entering group authorize for request 0
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Fri Nov 17 12:03:14 2006 : Debug: modcall[authorize]: module "preprocess" returns ok for request 0
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: calling auth_log (rlm_detail) for request 0
Fri Nov 17 12:03:14 2006 : Debug: radius_xlat: '/var/log/radius/radacct/131.188.4.190/auth-detail-20061117'
Fri Nov 17 12:03:14 2006 : Debug: rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/131.188.4.190/auth-detail-20061117
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: returned from auth_log (rlm_detail) for request 0
Fri Nov 17 12:03:14 2006 : Debug: modcall[authorize]: module "auth_log" returns ok for request 0
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Fri Nov 17 12:03:14 2006 : Debug: modcall[authorize]: module "chap" returns noop for request 0
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Fri Nov 17 12:03:14 2006 : Debug: modcall[authorize]: module "mschap" returns noop for request 0
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Fri Nov 17 12:03:14 2006 : Debug: rlm_eap: EAP packet type response id 1 length 14
Fri Nov 17 12:03:14 2006 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Fri Nov 17 12:03:14 2006 : Debug: modcall[authorize]: module "eap" returns updated for request 0
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Fri Nov 17 12:03:14 2006 : Debug: users: Matched entry DEFAULT at line 157
Fri Nov 17 12:03:14 2006 : Debug: radius_xlat:  'anonymous'
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Fri Nov 17 12:03:14 2006 : Debug: modcall[authorize]: module "files" returns ok for request 0
Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0
Fri Nov 17 12:03:14 2006 : Debug: rlm_ldap: - authorize
Fri Nov 17 12:03:14 2006 : Debug: rlm_ldap: performing user authorization for anonymous

--> HERE the valid user name is needed:

Fri Nov 17 12:03:14 2006 : Debug: radius_xlat: '(&(fauRadiusService=WLAN)(fauRadiusId=anonymous))'

any suggestions?

Greetings

 Florian Prester


Greetings,

Stefan Winter

------------------------------------------------------------------------

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Martensstr. 1
91052 Erlangen
Germany

Tel.: +499131 8527813
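
A small triage helper for debug output like the log quoted in this message, added here as an illustration and not written by anyone in the thread: it re-splits entries that have run together onto one line, then reports which name each rlm_ldap authorize call used to build its LDAP filter. The function names, the `jdoe` entries and the assumption that the placeholder identity is exactly `anonymous` are made up for the example.

```python
import re

# Timestamp prefix of each debug entry; used to re-split entries fused onto one line.
TS = r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4} : "
CALL = re.compile(r"calling ldap \(rlm_ldap\) for request (\d+)")
USER = re.compile(r"rlm_ldap: performing user authorization for (\S+)")
XLAT = re.compile(r"radius_xlat:\s+'(\(.*\))'")  # only expansions shaped like LDAP filters
PLACEHOLDER = re.compile(r"^anonymous$", re.I)   # assumption: the outer placeholder name

# Constructed sample. Request 0 follows the shape of the quoted log (first two
# entries fused on one line); request 1 with "jdoe" is invented for contrast.
SAMPLE = (
    "Fri Nov 17 12:03:14 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 0 "
    "Fri Nov 17 12:03:14 2006 : Debug: rlm_ldap: - authorize\n"
    "Fri Nov 17 12:03:14 2006 : Debug: rlm_ldap: performing user authorization for anonymous\n"
    "Fri Nov 17 12:03:14 2006 : Debug: radius_xlat: '(&(fauRadiusService=WLAN)(fauRadiusId=anonymous))'\n"
    "Fri Nov 17 12:03:15 2006 : Debug: modsingle[authorize]: calling ldap (rlm_ldap) for request 1\n"
    "Fri Nov 17 12:03:15 2006 : Debug: rlm_ldap: performing user authorization for jdoe\n"
    "Fri Nov 17 12:03:15 2006 : Debug: radius_xlat: '(&(fauRadiusService=WLAN)(fauRadiusId=jdoe))'\n"
)

def split_entries(text):
    """Split before every timestamp and normalise whitespace inside each entry."""
    parts = re.split(r"(?=%s)" % TS, text)
    return [" ".join(p.split()) for p in parts if p.strip()]

def ldap_lookups(text):
    """One record per rlm_ldap authorize call: request id, name used, filter built."""
    found, cur = [], None
    for entry in split_entries(text):
        m = CALL.search(entry)
        if m:
            cur = {"request": int(m.group(1)), "user": None,
                   "filter": None, "placeholder": False}
            found.append(cur)
        elif cur is not None and USER.search(entry):
            cur["user"] = USER.search(entry).group(1)
            cur["placeholder"] = bool(PLACEHOLDER.match(cur["user"]))
        elif cur is not None and cur["filter"] is None and XLAT.search(entry):
            cur["filter"] = XLAT.search(entry).group(1)
    return found

if __name__ == "__main__":
    for rec in ldap_lookups(SAMPLE):
        tag = "placeholder identity" if rec["placeholder"] else "named user"
        print("request %d: %s -> %s" % (rec["request"], tag, rec["filter"]))
```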
