use_tunneled_reply


use_tunneled_reply

ragan_davis
Hi,

Using FreeRADIUS 1.0.2, Cisco/Airespace 4100 WLAN switch as NAS, and
Odyssey Client v4.01 as supplicant.  Kept seeing the user
as "anonymous" in the WCS management software for the client.  Wanted
to see the *real* username, meaning the username that was actually
authenticated to the backend db (in this case eDirectory).  So, in
eap.conf I changed use_tunneled_reply to equal yes.  Still, replies to
NAS show User-Name = "anonymous".  Have I missed something?

Thanks for the help,
mack
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: use_tunneled_reply

Alan DeKok
[hidden email] wrote:
> Using FreeRADIUS 1.0.2, Cisco/Airespace 4100 WLAN switch as NAS, and
> Odyssey Client v4.01 as supplicant.  Kept seeing the user
> as "anonymous" in the WCS management software for the client.

  Because that's what the supplicant sends.

>  So, in eap.conf I changed use_tunneled_reply to equal yes.  Still,
> replies to NAS show User-Name = "anonymous".  Have I missed
> something?

  Run the server in debugging mode to see what's going on.

  Alan DeKok.

Re: use_tunneled_reply

ragan_davis
In reply to this post by ragan_davis
Thanks for the reply.  The supplicant indeed sends "anonymous" as
outer, but also sends "novelluser" as inner.  So, I think I understand
that the AP/NAS can't see the inner as the request is on its way to
the radius....so at that point, all it knows is "anonymous".  However,
according to the comment in eap.conf (v1.0.2):

"The reply attributes sent to the NAS are usually based on the name of
the user 'outside' of the tunnel (usually 'anonymous').  If you want
to send the reply attributes based on the user name inside of the
tunnel, then set this configuration entry to 'yes', and the reply to
the NAS will be taken from the reply to the tunneled request."

This leads a dunce like me to believe that radius will send a reply
back to AP/NAS that has User-Name equaling "novelluser", rather
than "anonymous".

I looked in the debug output (radiusd -A -X, right?).  I think this is
what I am supposed to look for:

Sending Access-Accept of id 247 to 192.168.3.2:1024
        MS-MPPE-Recv-Key = 0x17c9701998d6ad7ee94b37819449c3cb0ebd9804c5de36c141a1509816dc6d71
        MS-MPPE-Send-Key = 0xff1226efbfd249e76d3a502c43cc2ca5a95a5a38e9bd0829ca6ba34fe089696a
        EAP-Message = 0x03040004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "anonymous"

Before seeing this, my suspicion was that the NAS might somehow be
ignoring the new value for User-Name, but it seems it's receiving
exactly what radius is sending it.  I thought the
magical "use_tunneled_reply" setting was supposed to fix this?  Am I
understanding what "use_tunneled_reply" is actually supposed to do?

Thanks for the patience and the advice.

later,
mack


----- Original Message -----
From: Alan DeKok <[hidden email]>
Date: Friday, June 17, 2005 1:23 pm
Subject: Re: use_tunneled_reply

> [hidden email] wrote:
> > Using FreeRADIUS 1.0.2, Cisco/Airespace 4100 WLAN switch as NAS,
> and
> > Odyssey Client v4.01 as supplicant.  Kept seeing the user
> > as "anonymous" in the WCS management software for the client.
>
>  Because that's what the supplicant sends.
>
> >  So, in eap.conf I changed use_tunneled_reply to equal yes.  Still,
> > replies to NAS show User-Name = "anonymous".  Have I missed
> > something?
>
>  Run the server in debugging mode to see what's going on.
>
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Re: use_tunneled_reply

Alan DeKok
[hidden email] wrote:
> This leads a dunce like me to believe that radius will send a reply
> back to AP/NAS that has User-Name equaling "novelluser", rather
> than "anonymous".

  Did you set "User-Name = novelluser" in the *reply* for the tunneled
session?

  You can verify that, independent of EAP, but using "radtest" with
the name & password of the tunneled user.

> I looked in the debug output (radiusd -A -X, right?).  I think this is
> what I am supposed to look for:

  Look at the REST of the debug output.  It tells you what the reply
is in the tunnel, and what it's copying back to the outer session.

 Please, when you're reading the debug log, do MORE than just look at
the last few lines.

  Alan DeKok.


Re: use_tunneled_reply

ragan_davis
In reply to this post by ragan_davis
----- Original Message -----
From: Alan DeKok <[hidden email]>
Date: Saturday, June 18, 2005 11:46 am
Subject: Re: use_tunneled_reply

> [hidden email] wrote:
> > This leads a dunce like me to believe that radius will send a
> reply
> > back to AP/NAS that has User-Name equaling "novelluser", rather
> > than "anonymous".
>
>  Did you set "User-Name = novelluser" in the *reply* for the tunneled
> session?

Hmmmm...I did not explicitly do this.  How to?

>
>  You can verify that, independent of EAP, but using "radtest" with
> the name & password of the tunneled user.

I'm testing this now, but don't see the same "Access-Accept" message in
the debug output.  Guess I'm still missing something.

>
> > I looked in the debug output (radiusd -A -X, right?).  I think
> this is
> > what I am supposed to look for:
>
>  Look at the REST of the debug output.  It tells you what the reply
> is in the tunnel, and what it's copying back to the outer session.
>
> Please, when you're reading the debug log, do MORE than just look at
> the last few lines.

Will do.

>
>  Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Re: use_tunneled_reply

Stefan.Neis@t-online.de
In reply to this post by ragan_davis
        Hi,

> >  You can verify that, independent of EAP, but using "radtest" with
> > the name & password of the tunneled user.
>  
> I'm testing this now, but don't see the same "Access-Accept" message in
> the debug output.  Guess I'm still missing something.

Keep in mind that contrary to the "normal" RADIUS protocols where you just
send a request and get an answer, EAP protocols are rather involved beasts,
exchanging several packets between client and server before you get the
final answer.

        Regards,
                Stefan




Re: use_tunneled_reply

Alan DeKok
In reply to this post by ragan_davis
[hidden email] wrote:
> >  Did you set "User-Name = novelluser" in the *reply* for the tunneled
> > session?
>
> Hmmmm...I did not explicitly do this.  How to?

  Set it as a reply attribute?

user  blah-blah = blah
      User-Name = `%{User-Name}`

> >  You can verify that, independent of EAP, but using "radtest" with
> > the name & password of the tunneled user.
>
> I'm testing this now, but don't see the same "Access-Accept" message in
> the debug output.  Guess I'm still missing something.

  You will see the INNER TUNNEL Access-Accept.  The reply attributes
in that Access accept are the ones which will be copied to the outer
tunnel, when TTLS is used.

  Alan DeKok.
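As an added check, not part of the thread: a small parser over radiusd -X output in the "Sending Access-Accept" layout quoted above, reporting the User-Name carried by every Access-Accept so the inner-tunnel reply and the outer reply to the NAS can be compared in one pass. The sample log is constructed; its first block only stands in for the tunneled user's reply (as seen with radtest), and the wrapped MS-MPPE key line mirrors the quoted output.

```python
import re

# Constructed sample in the "Sending Access-Accept ..." layout the thread quotes.
# First block: reply for the inner (tunneled) user; second: outer reply to the NAS.
SAMPLE_DEBUG = """\
Sending Access-Accept of id 12 to 127.0.0.1:32768
        Reply-Message = "inner ok"
Sending Access-Accept of id 247 to 192.168.3.2:1024
        MS-MPPE-Recv-Key =
0x17c9701998d6ad7ee94b37819449c3cb0ebd9804c5de36c141a1509816dc6d71
        EAP-Message = 0x03040004
        User-Name = "anonymous"
"""

ACCEPT_RE = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+)$")
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")


def parse_accepts(debug_text):
    """Return [(destination, {attribute: value}), ...], one per Access-Accept."""
    blocks, attrs, pending = [], {}, None  # pending: attribute whose value wrapped
    for line in debug_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            attrs, pending = {}, None
            blocks.append((m.group(2), attrs))
            continue
        m = ATTR_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip().strip('"')
            attrs[name] = value
            pending = name if value == "" else None  # bare "=": value on next line
        elif pending is not None and line.strip():
            attrs[pending] = line.strip()  # continuation of the wrapped value
            pending = None
    return blocks


def check_user_name(debug_text, outer_identity="anonymous"):
    """One finding per Access-Accept: is User-Name set, and is it still the outer name?"""
    findings = []
    for dest, attrs in parse_accepts(debug_text):
        name = attrs.get("User-Name")
        if name is None:
            findings.append((dest, "no User-Name: nothing for use_tunneled_reply to copy"))
        elif name == outer_identity:
            findings.append((dest, "User-Name is still %r" % outer_identity))
        else:
            findings.append((dest, "User-Name = %r" % name))
    return findings
```

Run it over the full debug log rather than its last lines: a tunneled reply that carries no User-Name gives the outer reply nothing to copy, which is the situation Alan's question points at.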


Re: use_tunneled_reply

ragan_davis
In reply to this post by ragan_davis
Ahh, I see.  Based on the syntax you used it looks like I'd do this
using local users file.  However, I'm using edirectory for the user
db.  I have seen in the debug output where radius is checking for any
reply items in the directory.  Maybe I could use radiusReplyItem as an
attribute in edir with a value "User-Name = ${User-Name}"?

thanks,
mack

----- Original Message -----
From: Alan DeKok <[hidden email]>
Date: Saturday, June 18, 2005 4:21 pm
Subject: Re: use_tunneled_reply

> -[hidden email] wrote:
> > >  Did you set "User-Name = novelluser" in the *reply* for the tunneled
> > > session?
> >
> > Hmmmm...I did not explicitly do this.  How to?
>
>  Set it as a reply attribute?
>
> user  blah-blah = blah
>      User-Name = `%{User-Name}`
>
> > >  You can verify that, independent of EAP, but using "radtest" with
> > > the name & password of the tunneled user.
> >
> > I'm testing this now, but don't see the same "Access-Accept"
> message in
> > the debug output.  Guess I'm still missing something.
>
>  You will see the INNER TUNNEL Access-Accept.  The reply attributes
> in that Access accept are the ones which will be copied to the outer
> tunnel, when TTLS is used.
>
>  Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Re: use_tunneled_reply

Alan DeKok
[hidden email] wrote:
> Maybe I could use radiusReplyItem as an
> attribute in edir with a value "User-Name = ${User-Name}"?

  That should work.

  Alan DeKok.