On 08/19/2014 08:50 PM, Klara Mall wrote:

> <AuthBy LDAP2>
>     Identifier ldap-ad-kit-eap
>     Include %D/server/KIT-DC-01
>     BaseDN dc=kit,dc=edu
>     Timeout 5
>     ServerChecksPassword
>     UsernameAttr sAMAccountName
>     PasswordAttr
>
>     EAPType PEAP
>     EAPTLS_CAFile %D/certificates/chain-kit-ca.pem
>     EAPTLS_CertificateFile %D/certificates/server.pem
>     EAPTLS_CertificateType PEM
>     EAPTLS_MaxFragmentSize 1000
>     EAPTLS_PrivateKeyFile %D/certificates/server.key
>     EAPTLS_PEAPVersion 0
>     EAPTLS_PEAPBrokenV1Label
>     AutoMPPEKeys
Try adding 'EAPAnonymous %u' here. The default value for EAPAnonymous is 'anonymous'. See below for more.

> </AuthBy>
>
> BTW: The same setup with EAP-TTLS/PAP is no problem. With TTLS I see that the
> checked realm is the one of the inner identity which seems reasonable for me.

The first request that gets tunnelled by EAP-TTLS/PAP contains User-Name. This is why you do not see 'anonymous' but the real inner User-Name in the request.

> I'm also wondering where User-Name anonymous in the log comes from
> as I don't use "anonymous" as anonymous identity here.

EAPAnonymous in the outer request sets the value of the User-Name attribute in the inner request if the inner request does not have User-Name. EAP-TTLS/PAP does have User-Name, so that's why you see what you expect.

PEAP encapsulates inner EAP messages, and for these inner EAP requests Radiator creates a message that looks like a RADIUS message. The inner EAP message goes to the EAP-Message attribute, a User-Name is created, and NAS-IP-Address, NAS-Identifier and Calling-Station-Id are copied from the outer request so that they can be used by the inner AuthBy if needed.

If you set EAPAnonymous to %u, the inner User-Name will get its value from the outer User-Name. %0 is special: the inner User-Name will be the EAP Identity which is carried by the first tunnelled request. This also means that the first tunnelled request will have an empty User-Name since the identity is not known yet. After the first request has been processed by the inner AuthBy, the subsequent tunnelled requests will have User-Name with a value: the identity the inner EAP uses.

> Can you help here? I need this because later I have to expand ntlm_auth with
> --require-membership-of= with a variable group name (though I had to patch
> radiator for this to work - there will be another email for this :) ).

Hopefully the above helps.
With %u the users can use anonymous@colubris-test to hide the real username (the inner identity in PEAP/EAP-MSCHAP-V2) but will need to have the correct realm. Note: User-Name allows you to select the correct Handler for the inner request. The inner identity is used for the authentication.

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
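As an added illustration (not Radiator's code and not part of the reply above), the following small model applies the inner User-Name rules described in the message (literal value, %u, %0, and the EAP-TTLS/PAP case) and then shows which Handler the resulting realm would select. The Handler names and the sample identities are assumptions.

```python
# Constructed model of the inner User-Name rules described in the reply above;
# it is not Radiator's code. Handler names and sample identities are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass
class TunnelledRequest:
    outer_user_name: str             # User-Name of the outer RADIUS request
    inner_user_name: Optional[str]   # set for EAP-TTLS/PAP, None for PEAP inner EAP
    eap_identity: Optional[str]      # inner EAP Identity; None until the first inner request is processed

def inner_user_name(req: TunnelledRequest, eap_anonymous: str = "anonymous") -> str:
    """User-Name the inner request will carry, given the outer EAPAnonymous setting."""
    if req.inner_user_name is not None:
        # EAP-TTLS/PAP already tunnels User-Name, so EAPAnonymous is not consulted.
        return req.inner_user_name
    if eap_anonymous == "%u":
        # Copy the outer User-Name into the inner request.
        return req.outer_user_name
    if eap_anonymous == "%0":
        # Use the inner EAP Identity; empty while it is not yet known.
        return req.eap_identity or ""
    # Any other value is used literally; the default is 'anonymous'.
    return eap_anonymous


def realm_of(user_name: str) -> Optional[str]:
    """Realm part of a User-Name, or None when there is no '@'."""
    return user_name.rsplit("@", 1)[1] if "@" in user_name else None


def select_handler(user_name: str, handlers: dict) -> str:
    """Name of the Handler chosen by realm, falling back to the catch-all."""
    return handlers.get(realm_of(user_name), handlers["DEFAULT"])


# Assumed Handler layout: one Handler per realm plus a catch-all.
HANDLERS = {"colubris-test": "ldap-ad-kit-eap", "DEFAULT": "catch-all-reject"}

# Constructed requests: the outer identity hides the real user, inner EAP carries it.
PEAP_FIRST = TunnelledRequest("anonymous@colubris-test", None, None)
PEAP_LATER = TunnelledRequest("anonymous@colubris-test", None, "realuser")
TTLS_PAP = TunnelledRequest("anonymous@colubris-test", "realuser@colubris-test", None)

if __name__ == "__main__":
    for label, req in (("PEAP first", PEAP_FIRST), ("PEAP later", PEAP_LATER), ("TTLS/PAP", TTLS_PAP)):
        for setting in ("anonymous", "%u", "%0"):
            name = inner_user_name(req, setting)
            print(f"{label:10} EAPAnonymous={setting:9} inner User-Name={name!r:28} Handler={select_handler(name, HANDLERS)}")
```

With the default setting the PEAP inner request carries a realm-less 'anonymous' and falls through to the catch-all Handler; with %u the outer realm is preserved and the realm Handler is chosen.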