Copy User-Name from inner-tunnel to default only once

Copy User-Name from inner-tunnel to default only once

Sven Hartge-5
Hi!

I am sorry for the strange subject but I can't find a shorter description
that still makes some sense.

First: I got this working already in the way I need it but I want to
solicit a maybe more elegant or better solution I may have not seen.

Second: This is for 3.0.21.

Third: This needs a bit of explanation up front before I come to my
question, please bear with me.

What am I doing: I have the usual default/inner-tunnel setup needed for
Wifi+EAP in Eduroam and this all works fine, no problems here.

And I use the "update {  &reply: += &session-state: }" method to copy
specific attributes from the inner-tunnel into the outer one, most
important those to steer the VLAN assignment. This also works nicely.

Now here is the wrinkle: To aid the internal accounting I also need to
provide the internal APs and Controllers with the inner-User-Name but not
in requests leaving via the federation servers to Eduroam.

Until recently I had a setup like this:

# inner-tunnel vhost
post-auth {
[...]
  update reply {
          Message-Authenticator !* ANY
          EAP-Message !* ANY
          Proxy-State !* ANY
          MS-MPPE-Encryption-Types !* ANY
          MS-MPPE-Encryption-Policy !* ANY
          MS-MPPE-Send-Key !* ANY
          MS-MPPE-Recv-Key !* ANY
          User-Name !* ANY
  }

  # If internal Wifi system, readd User-Name
  if ("%{client:thmtype}" =~ /^aruba-wlan-/) {
          update reply {
                  &User-Name := &User-Name
          }
  }
[...]
} # /inner-tunnel vhost

"thmtype" is an additional key I add via client.conf for internal systems
needing this. This also works fine.

But this creates reply packages with _two_ User-Name attributes in
Access-Accept, because the "copy from session state" adds the internal
Username to the reply.

But this worked for our Aruba IAPs with Virtual Controller, our Wifi guys
saw the real username in their logs and in the accounting database.

Now we upgraded to Aruba Mobility Controller and they choke on the
duplicate User-Name attribute in the Access-Accept; the device never gets
fully authenticated, though the controller clearly receives the
Access-Accept.

To avoid that problem, I now also changed the default VHost to this:

# default vhost
post-auth {
[...]
  # Overwrite User-Name in Reply with inner-tunnel
  # and remove from session-state to avoid duplication
  if ("%{client:thmtype}" =~ /^aruba-wlan-/) {
          update {
                  &reply:User-Name := &session-state:User-Name
                  &session-state:User-Name !* ANY
          }
  }
  # Add rest of inner-tunnel attributes to reply
  update {
          &reply: += &session-state:
  }
[...]
} # /default vhost

This works fine, but after all those many words, the question:

Is there a more elegant or simpler way to achieve this I didn't see?

Regards,
Sven.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
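The two configurations from the post, modelled as an added example that is not part of the original post and not FreeRADIUS code: a small Python simulation of the three unlang update operators involved (":=" set, "+=" append, "!* ANY" delete) over ordered attribute lists, wired up as the inner-tunnel and default post-auth sections shown above. It reproduces the duplicate User-Name from the old default vhost and shows that the changed default vhost emits exactly one. The attribute values, the "anonymous" outer identity, and the client thmtype values are constructed; the post does not say where the first User-Name in the outer reply originates, so that is an assumption of the model.

```python
"""
Model of the FreeRADIUS unlang update operators used in the thread
(':=' set, '+=' append, '!* ANY' delete) over ordered attribute lists,
wired up as the inner-tunnel and default post-auth sections from the post.

Added example, not FreeRADIUS code. Attribute values, the client 'thmtype'
values and the outer 'anonymous' identity are constructed for illustration.
"""
from typing import List, Optional, Tuple

Attr = Tuple[str, str]          # (attribute name, value), order preserved
Avps = List[Attr]

STRIPPED_IN_INNER = (            # the '!* ANY' list from the inner-tunnel post-auth
    "Message-Authenticator", "EAP-Message", "Proxy-State",
    "MS-MPPE-Encryption-Types", "MS-MPPE-Encryption-Policy",
    "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key", "User-Name",
)


def op_set(avps: Avps, name: str, value: str) -> Avps:
    """':=' -- replace all instances of name with exactly one."""
    return [a for a in avps if a[0] != name] + [(name, value)]


def op_append(dst: Avps, src: Avps) -> Avps:
    """'+=' -- add every attribute of src after the existing ones."""
    return list(dst) + list(src)


def op_delete(avps: Avps, name: str) -> Avps:
    """'!* ANY' -- remove every instance of name."""
    return [a for a in avps if a[0] != name]


def first(avps: Avps, name: str) -> Optional[str]:
    """Value of the first instance of name, or None."""
    return next((v for n, v in avps if n == name), None)


def inner_tunnel_post_auth(inner_request: Avps, inner_reply: Avps, thmtype: str) -> Avps:
    """Inner-tunnel post-auth from the post: strip the listed attributes, then
    re-add the inner User-Name only for internal WLAN clients. The result is
    what the outer server later sees in session-state."""
    reply = inner_reply
    for name in STRIPPED_IN_INNER:
        reply = op_delete(reply, name)
    if thmtype.startswith("aruba-wlan-"):
        # '&User-Name := &User-Name' inside 'update reply': right side is the request
        inner = first(inner_request, "User-Name")
        if inner is not None:
            reply = op_set(reply, "User-Name", inner)
    return reply


def old_default_post_auth(reply: Avps, session_state: Avps) -> Avps:
    """Default vhost before the change: just '&reply: += &session-state:'."""
    return op_append(reply, session_state)


def new_default_post_auth(reply: Avps, session_state: Avps, thmtype: str) -> Avps:
    """Default vhost after the change: for internal WLAN clients move the inner
    User-Name into the reply with ':=' and delete it from session-state before
    the '+=' merge, so it cannot be added a second time."""
    if thmtype.startswith("aruba-wlan-"):
        inner = first(session_state, "User-Name")
        if inner is not None:
            reply = op_set(reply, "User-Name", inner)
            session_state = op_delete(session_state, "User-Name")
    return op_append(reply, session_state)


def duplicated(avps: Avps) -> List[str]:
    """Attribute names occurring more than once in a reply; a NAS that rejects
    a duplicate User-Name (as the Aruba controller in the thread does) trips on these."""
    names = [n for n, _ in avps]
    return sorted({n for n in names if names.count(n) > 1})


# Constructed sample state for one PEAP session.
INNER_REQUEST: Avps = [("User-Name", "alice@example.org")]
INNER_REPLY: Avps = [
    ("User-Name", "alice@example.org"),
    ("MS-MPPE-Send-Key", "0x00"), ("MS-MPPE-Recv-Key", "0x00"),
    ("Tunnel-Type", "VLAN"), ("Tunnel-Private-Group-Id", "42"),
]
# Outer reply before post-auth, already carrying a User-Name (constructed: the
# post only states that a User-Name is present there before the merge).
OUTER_REPLY: Avps = [("User-Name", "anonymous@example.org"), ("MS-MPPE-Send-Key", "0x00")]


def run(thmtype: str, use_new_default: bool) -> Avps:
    """Access-Accept attributes for a client of the given thmtype."""
    session_state = inner_tunnel_post_auth(INNER_REQUEST, INNER_REPLY, thmtype)
    if use_new_default:
        return new_default_post_auth(OUTER_REPLY, session_state, thmtype)
    return old_default_post_auth(OUTER_REPLY, session_state)


if __name__ == "__main__":
    for label, cfg in (("old default", False), ("new default", True)):
        for nas in ("aruba-wlan-campus", "eduroam-proxy"):
            acc = run(nas, cfg)
            names = [v for n, v in acc if n == "User-Name"]
            print(f"{label:11s} {nas:18s} duplicates={duplicated(acc)} User-Name={names}")
```

Running it prints one row per configuration and client type; the old default vhost yields two User-Name values for the internal WLAN client, the new one yields a single inner identity, and the eduroam-proxy client never receives the inner User-Name in either variant because the inner-tunnel strips it before it reaches session-state.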

Re: Copy User-Name from inner-tunnel to default only once

Alan Buxey
hi,

> Is there a more elegant or simpler way to achieve this I didn't see?


Yes, use a different pair of 'default/inner-tunnel' servers with their
own policies for eduroam traffic (i.e. requests that come from the
national proxies and where the reply is thus sent out to them). After
all, you also don't need to be checking/setting VLANs for such requests
either.

alan

Re: Copy User-Name from inner-tunnel to default only once

Sven Hartge-5
On 19.11.20 14:17, Alan Buxey wrote:

>> Is there a more elegant or simpler way to achieve this I didn't
>> see?

> Yes, use a different pair of 'default/inner-tunnel' servers with
> their own policies for eduroam traffic (i.e. requests that come from
> the national proxies and where the reply is thus sent out to them).
> After all, you also don't need to be checking/setting VLANs for such
> requests either.

The problem here is not the difference to Eduroam (I filter out the VLAN
attributes at a different stage I didn't show here) but that the default
configuration will create

  reply {
    User-Name = "[hidden email]"
    User-Name = "[hidden email]"
    [...]
  }

when I keep the inner-tunnel User-Name in reply.session-state, and the
Aruba Mobility Controller doesn't like this at all.

Splitting out Eduroam into a different pair of vhosts will not solve this.

Regards,
Sven.

Re: Copy User-Name from inner-tunnel to default only once

Alan DeKok-2
On Nov 19, 2020, at 8:52 AM, Sven Hartge <[hidden email]> wrote:

> The problem here is not the difference to Eduroam (I filter out the VLAN attributes at a different stage I didn't show here) but that the default configuration will create
>
> reply {
>   User-Name = "[hidden email]"
>   User-Name = "[hidden email]"
>   [...]
> }
>
> when I keep the inner-tunnel User-Name in reply.session-state, and the Aruba Mobility Controller doesn't like this at all.
>
> Splitting out Eduroam into a different pair of vhosts will not solve this.

  See the default configuration:

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/default#L712

  Alan DeKok.



Re: Copy User-Name from inner-tunnel to default only once

Sven Hartge-5
On 19.11.20 15:01, Alan DeKok wrote:

> On Nov 19, 2020, at 8:52 AM, Sven Hartge <[hidden email]> wrote:
>> The problem here is not the difference to Eduroam (I filter out the VLAN attributes at a different stage I didn't show here) but that the default configuration will create
>>
>> reply {
>>    User-Name = "[hidden email]"
>>    User-Name = "[hidden email]"
>>    [...]
>> }
>>
>> when I keep the inner-tunnel User-Name in reply.session-state, and the Aruba Mobility Controller doesn't like this at all.
>>
>> Splitting out Eduroam into a different pair of vhosts will not solve this.
>
>    See the default configuration:
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/default#L712

Ah, very nice. Yes, I obviously missed this since that part of my
configuration is from 3.0.17, where this wasn't present.

Now I only need the special case in the inner-tunnel.

Thanks.

Regards,
Sven.