Hi,
Using FreeRADIUS 1.0.2, Cisco/Airespace 4100 WLAN switch as NAS, and Odyssey Client v4.01 as supplicant. Kept seeing the user as "anonymous" in the WCS management software for the client. Wanted to see the *real* username, meaning the username that was actually authenticated to the backend db (in this case eDirectory). So, in eap.conf I changed use_tunneled_reply to equal yes. Still, replies to NAS show User-Name = "anonymous". Have I missed something?

Thanks for the help,
mack

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[hidden email] wrote:
> Using FreeRADIUS 1.0.2, Cisco/Airespace 4100 WLAN switch as NAS, and
> Odyssey Client v4.01 as supplicant. Kept seeing the user
> as "anonymous" in the WCS management software for the client.

Because that's what the supplicant sends.

> So, in eap.conf I changed use_tunneled_reply to equal yes. Still,
> replies to NAS show User-Name = "anonymous". Have I missed
> something?

Run the server in debugging mode to see what's going on.

Alan DeKok.
Thanks for the reply. The supplicant indeed sends "anonymous" as outer, but also sends "novelluser" as inner. So, I think I understand that the AP/NAS can't see the inner as the request is on its way to the radius....so at that point, all it knows is "anonymous". However, according to the comment in eap.conf (v1.0.2):

"The reply attributes sent to the NAS are usually based on the name of the user 'outside' of the tunnel (usually 'anonymous'). If you want to send the reply attributes based on the user name inside of the tunnel, then set this configuration entry to 'yes', and the reply to the NAS will be taken from the reply to the tunneled request."

This leads a dunce like me to believe that radius will send a reply back to AP/NAS that has User-Name equaling "novelluser", rather than "anonymous".

I looked in the debug output (radiusd -A -X, right?). I think this is what I am supposed to look for:

Sending Access-Accept of id 247 to 192.168.3.2:1024
        MS-MPPE-Recv-Key = 0x17c9701998d6ad7ee94b37819449c3cb0ebd9804c5de36c141a1509816dc6d71
        MS-MPPE-Send-Key = 0xff1226efbfd249e76d3a502c43cc2ca5a95a5a38e9bd0829ca6ba34fe089696a
        EAP-Message = 0x03040004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "anonymous"

Before seeing this, my suspicion was that the NAS might somehow be ignoring the new value for User-Name, but it seems it's receiving exactly what radius is sending it. I thought the magical "use_tunneled_reply" setting was supposed to fix this? Am I understanding what "use_tunneled_reply" is actually supposed to do?

Thanks for the patience and the advice.

later,
mack

----- Original Message -----
From: Alan DeKok <[hidden email]>
Date: Friday, June 17, 2005 1:23 pm
Subject: Re: use_tunneled_reply

> [hidden email] wrote:
> > Using FreeRADIUS 1.0.2, Cisco/Airespace 4100 WLAN switch as NAS, and
> > Odyssey Client v4.01 as supplicant. Kept seeing the user
> > as "anonymous" in the WCS management software for the client.
>
> Because that's what the supplicant sends.
>
> > So, in eap.conf I changed use_tunneled_reply to equal yes. Still,
> > replies to NAS show User-Name = "anonymous". Have I missed
> > something?
>
> Run the server in debugging mode to see what's going on.
>
> Alan DeKok.
[hidden email] wrote:
> This leads a dunce like me to believe that radius will send a reply
> back to AP/NAS that has User-Name equaling "novelluser", rather
> than "anonymous".

Did you set "User-Name = novelluser" in the *reply* for the tunneled session?

You can verify that, independent of EAP, but using "radtest" with the name & password of the tunneled user.

> I looked in the debug output (radiusd -A -X, right?). I think this is
> what I am supposed to look for:

Look at the REST of the debug output. It tells you what the reply is in the tunnel, and what it's copying back to the outer session.

Please, when you're reading the debug log, do MORE than just look at the last few lines.

Alan DeKok.
----- Original Message -----
From: Alan DeKok <[hidden email]>
Date: Saturday, June 18, 2005 11:46 am
Subject: Re: use_tunneled_reply

> [hidden email] wrote:
> > This leads a dunce like me to believe that radius will send a reply
> > back to AP/NAS that has User-Name equaling "novelluser", rather
> > than "anonymous".
>
> Did you set "User-Name = novelluser" in the *reply* for the tunneled
> session?

Hmmmm...I did not explicitly do this. How to?

> You can verify that, independent of EAP, but using "radtest" with
> the name & password of the tunneled user.

I'm testing this now, but don't see the same "Access-Accept" message in the debug output. Guess I'm still missing something.

> > I looked in the debug output (radiusd -A -X, right?). I think this is
> > what I am supposed to look for:
>
> Look at the REST of the debug output. It tells you what the reply
> is in the tunnel, and what it's copying back to the outer session.
>
> Please, when you're reading the debug log, do MORE than just look at
> the last few lines.

Will do.

> Alan DeKok.
Hi,
> > You can verify that, independent of EAP, but using "radtest" with
> > the name & password of the tunneled user.
>
> I'm testing this now, but don't see the same "Access-Accept" message in
> the debug output. Guess I'm still missing something.

Keep in mind that contrary to the "normal" RADIUS protocols where you just send a request and get an answer, EAP protocols are rather involved beasts, exchanging several packets between client and server before you get the final answer.

Regards,
Stefan
[hidden email] wrote:
> > Did you set "User-Name = novelluser" in the *reply* for the tunneled
> > session?
>
> Hmmmm...I did not explicitly do this. How to?

Set it as a reply attribute?

user    blah-blah = blah
        User-Name = `%{User-Name}`

> > You can verify that, independent of EAP, but using "radtest" with
> > the name & password of the tunneled user.
>
> I'm testing this now, but don't see the same "Access-Accept" message in
> the debug output. Guess I'm still missing something.

You will see the INNER TUNNEL Access-Accept. The reply attributes in that Access accept are the ones which will be copied to the outer tunnel, when TTLS is used.

Alan DeKok.
Ahh, I see. Based on the syntax you used it looks like I'd do this using local users file. However, I'm using edirectory for the user db. I have seen in the debug output where radius is checking for any reply items in the directory. Maybe I could use radiusReplyItem as an attribute in edir with a value "User-Name = ${User-Name}"?

thanks,
mack

----- Original Message -----
From: Alan DeKok <[hidden email]>
Date: Saturday, June 18, 2005 4:21 pm
Subject: Re: use_tunneled_reply

> -[hidden email] wrote:
> > > Did you set "User-Name = novelluser" in the *reply* for the tunneled
> > > session?
> >
> > Hmmmm...I did not explicitly do this. How to?
>
> Set it as a reply attribute?
>
> user    blah-blah = blah
>         User-Name = `%{User-Name}`
>
> > > You can verify that, independent of EAP, but using "radtest" with
> > > the name & password of the tunneled user.
> >
> > I'm testing this now, but don't see the same "Access-Accept" message in
> > the debug output. Guess I'm still missing something.
>
> You will see the INNER TUNNEL Access-Accept. The reply attributes
> in that Access accept are the ones which will be copied to the outer
> tunnel, when TTLS is used.
>
> Alan DeKok.
[hidden email] wrote:
> Maybe I could use radiusReplyItem as an
> attribute in edir with a value "User-Name = ${User-Name}"?

That should work.

Alan DeKok.
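Putting the two halves of the thread's fix side by side, as an added example that is not from any of the posts: the eap.conf ttls block with use_tunneled_reply enabled, and a users-file entry that places User-Name in the reply to the inner (tunneled) request so that it is what gets copied to the outer Access-Accept. The FreeRADIUS-Proxied-To check is assumed here as the 1.x way to match only tunneled requests; with eDirectory the same reply item would go into radiusReplyItem instead of the users file.

```text
# eap.conf (FreeRADIUS 1.0.x), inside the eap { ... } module block.
# Other ttls settings are left at their shipped values and omitted here.
ttls {
        # Build the reply to the NAS from the reply to the tunneled request.
        # Only attributes actually present in the INNER reply are copied out,
        # so User-Name must be set in that inner reply for this to matter.
        use_tunneled_reply = yes
}

# users file: entry matched only by the inner request.
# FreeRADIUS-Proxied-To is set on the tunneled request by rlm_eap_ttls
# (assumed behaviour for this version). Reply items are indented.
# Double quotes make %{User-Name} expand to the inner user name; a
# back-quoted value would instead be executed as an external command.
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        User-Name = "%{User-Name}"
```

With this in place the inner Access-Accept seen in radiusd -X carries User-Name = "novelluser", and that is the value the outer Access-Accept to the NAS should then show in place of "anonymous".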