
List:       freeradius-users
Subject:    Re: How does CUI works? How does anonymous works? Im lost
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2020-06-24 13:13:14
Message-ID: 2D3454FD-8C64-42C1-8EA2-DEA57B260F1A () deployingradius ! com

On Jun 24, 2020, at 9:01 AM, Daniel Guimaraes Pena <daniel.pena@mpdft.mp.br> wrote:
> I'm facing hard times trying to understand how RADIUS auth works. Every time I
> think I understood, a new problem appears and messes with my head.

  It's very complex.  There are many, many, moving parts to RADIUS authentication.

  There's a lot of explanation on our corporate site:
https://networkradius.com/freeradius-documentation/

  We're also working on updating the main FreeRADIUS site with lots more documentation.

> Reading files, I saw that the inner tunnel username can be different from the outer
> username due to privacy. But, in those cases, the outer username must be an anonymous
> username, otherwise it might be spoofing.

  Yes.  That's the recommendation.  But not everyone does that.

> What happens in my logs is NOT anonymous. Some devices (always Android) send the
> username as a number and, for the inner tunnel, the real username. One problem is that
> this number is different for each user, but it never changes: for user01, his
> number will always be the same for him, but differs from user02. So, I can't use
> filter username.

  Then you don't have rules which depend on the outer name.  The rules should depend
on the inner name.

> So, searching e-mails, I found some "update outer.reply" stuff (and some other
> things) to put in post-auth, but had no success.

  What does that mean?  "I tried stuff and it didn't work".

> So, until now, I have this (real usernames):
> User joao.bosco will connect to wifi, so he enables wifi in his device.
> Then, the first request comes with this username: User-Name = "321457" (and for him,
> always the same). So, freeradius goes on, creates the inner tunnel and his real username
> appears:

  Not quite "create".  It's set up via a TLS connection.  The user's machine sends the
inner tunnel data to FreeRADIUS.

> (224) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
> (224) sql:    --> joao.bosco
> (224) sql: SQL-User-Name set to 'joao.bosco'
> (224) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
> (224) sql:    --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
> (224) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
> Here, it checks for simultaneous sessions. This part is ok.

   OK...

> Then, freeradius goes on, and the things I found in my searches appear to work
> (outer.reply stuff):
> (224)       update outer.reply {
> (224)         User-Name := &request:User-Name -> 'joao.bosco'
> (224)       } # update outer.reply = noop
> (224)     } # post-auth = ok

   You should probably instead do:

	#  The list is called "session-state" (there is no list named "state");
	#  the outer request's session-state survives across the EAP rounds.
	update outer.session-state {
		User-Name := &request:User-Name
	}

  Which means "track the user name across multiple packets".  When you do "update
outer.reply", it just updates *this* reply.  Not the final Access-Accept, which may
be many packets later.

> This part:
> (225)   post-auth {
> (225)     update {
> (225)       No attributes updated
> (225)     } # update = noop
> I thought of putting something here to update the username... but then: "from where could I
> pick the right one?" No clue.

  Is that the *outer* post-auth section?

  You should read sites-enabled/default, and look for "TTLS and PEAP" in the
post-auth section.  The comments there are for exactly this situation.

  If you don't have those comments, upgrade to the most recent version of the server.
Or, look on GitHub for the default configuration.

> And here comes the Access-Accept:
> (225) Sent Access-Accept Id 128 from 10.34.242.3:1812 to 10.34.87.221:44442 length 0
> (225)   MS-MPPE-Recv-Key = 0x64f41978c0fde374a2b11308204593aed2e7feba32223cdcd5dbec47c0c80593
> (225)   MS-MPPE-Send-Key = 0xd71b8e63dce5a856f8e77f0f86fc9459bd07f8130dbc72a001f6431043ec29aa
> (225)   EAP-Message = 0x03cc0004
> (225)   Message-Authenticator = 0x00000000000000000000000000000000
> (225)   User-Name = "321457"
> Wrong username again.

  Yes.  Because the debug log shows the User-Name being sent in an earlier
Access-Challenge.

> In another e-mail, somebody told me to use CUI. I read all the documentation, but I
> simply did not understand. What will it do? I need to register the real
> username in radacct...

  Don't bother with CUI.

> It appears that the more I read, the less I understand... I have Android and I
> don't even know how to configure it to create this scenario with 2 different
> usernames ...

  Most third-party web sites are confusing or wrong.  Much advice about FreeRADIUS is
confusing or wrong.

  The FreeRADIUS documentation, wiki, and the corporate site above are correct. And
even pretty clear most of the time.

  Alan DeKok.
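
A worked configuration for the "track the user name across multiple packets" advice above, added as an example that is not from the original message or from the FreeRADIUS project's shipped files; it assumes a FreeRADIUS 3.x layout with sites-enabled/inner-tunnel and sites-enabled/default, and that the NAS uses the User-Name returned in the Access-Accept when it builds its Accounting-Request packets (which is what then lands in radacct).

```unlang
#  Fragment for sites-enabled/inner-tunnel, inside its post-auth
#  section (assumed placement).  The real identity is only visible
#  here, so copy it into the *outer* request's session-state list.
#  session-state is saved when an Access-Challenge is sent and
#  restored on the next Access-Request, so the value survives every
#  EAP round; "update outer.reply" would only touch one challenge.
post-auth {
	update outer.session-state {
		&User-Name := &request:User-Name
	}
}

#  Fragment for sites-enabled/default, inside its post-auth section
#  (assumed placement).  This runs for the outer request that produces
#  the final Access-Accept.  If the inner tunnel stashed a name, put
#  it in the reply so the Access-Accept carries "joao.bosco" instead
#  of the outer identity "321457".  Do NOT touch the EAP-Message or
#  MS-MPPE-* keys, which the EAP module sets itself.
post-auth {
	if (&session-state:User-Name) {
		update reply {
			&User-Name := &session-state:User-Name
		}
	}
}
```

Check the result with "radiusd -X": the final "Sent Access-Accept" block should now list the inner User-Name, while the earlier Access-Challenge packets still show the outer one, exactly as the reply above says.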
