List: freeradius-users
Subject: Re: How does CUI works? How does anonymous works? Im lost
From: Alan DeKok <aland () deployingradius ! com>
Date: 2020-06-24 13:13:14
Message-ID: 2D3454FD-8C64-42C1-8EA2-DEA57B260F1A () deployingradius ! com
On Jun 24, 2020, at 9:01 AM, Daniel Guimaraes Pena <daniel.pena@mpdft.mp.br> wrote:
> I'm facing hard times trying to understand how radius auth works. Every time I
> think I understood, a new problem appears and messes with my head.
It's very complex. There are many, many, moving parts to RADIUS authentication.
There's a lot of explanation on our corporate site: https://networkradius.com/freeradius-documentation/
We're also working on updating the main FreeRADIUS site with lots more documentation.
> Reading files, I saw that inner tunnel username can be different from outer
> username due to privacy. But, in those cases, outer username must be an anonymous
> username, otherwise, it might be spoofing.
Yes. That's the recommendation. But not everyone does that.
> What happens in my logs is NOT anonymous. Some devices (always android) send
> username as a number and for inner-tunnel, the real username. One problem is that
> this number is different for each user, but it never changes, like user01, his
> number will always be the same for him, but differs from user02. So, I can't use
> filter username.
Then you don't have rules which depend on the outer name. The rules should depend on the inner name.
> So, searching e-mails, I found some update outer.reply stuff (and some other
> things) to put in post-auth, but had no success.
What does that mean? "I tried stuff and it didn't work".
> So, until now, I have this (real usernames):
> User joao.bosco will connect to wifi, so he enables wifi in his device.
> Then, the first request comes with this username: User-Name = "321457" (and for him,
> always the same). So, freeradius goes on, creates inner tunnel and his real username
> appears:
Not quite "create". It's set up via a TLS connection. The user's machine sends the inner tunnel data to FreeRADIUS.
> (224) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
> (224) sql: --> joao.bosco
> (224) sql: SQL-User-Name set to 'joao.bosco'
> (224) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
> (224) sql: --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
> (224) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
> Here, it checks for simultaneous sessions. This part is ok.
OK...
> Then, freeradius goes on, and things I found in my searches appear to work (outer.reply stuff):
> (224) update outer.reply {
> (224) User-Name := &request:User-Name -> 'joao.bosco'
> (224) } # update outer.reply = noop
> (224) } # post-auth = ok
You should probably instead do:
    update outer.state {
        User-Name := &request:User-Name
    }

Which means "track the user name across multiple packets". When you do "update outer.reply", it just updates *this* reply. Not the final Access-Accept, which may be many packets later.
> This part:
> (225) post-auth {
> (225) update {
> (225) No attributes updated
> (225) } # update = noop
> I thought put something here to update username... but then: "from where could I
> pick the right one?" No clue.
Is that the *outer* post-auth section?
You should read sites-enabled/default, and look for "TTLS and PEAP" in the post-auth section. The comments there are for exactly this situation.
If you don't have those comments, upgrade to the most recent version of the server. Or, look on GitHub for the default configuration.
> And here comes the Access-Accept:
> (225) Sent Access-Accept Id 128 from 10.34.242.3:1812 to 10.34.87.221:44442 length 0
> (225) MS-MPPE-Recv-Key = 0x64f41978c0fde374a2b11308204593aed2e7feba32223cdcd5dbec47c0c80593
> (225) MS-MPPE-Send-Key = 0xd71b8e63dce5a856f8e77f0f86fc9459bd07f8130dbc72a001f6431043ec29aa
> (225) EAP-Message = 0x03cc0004
> (225) Message-Authenticator = 0x00000000000000000000000000000000
> (225) User-Name = "321457"
> Wrong username again.
Yes. Because the debug log shows the User-Name being sent in an earlier Access-Challenge.
> In another e-mail, somebody told me to use CUI. I read all documentation, but I
> simply did not understand. What it will do? I need to register at radacct the real
> username...
Don't bother with CUI.
> It appears that the more I read, the less I understand... I have android and I
> don't even know how to configure it to create this scenario with 2 different
> usernames ...
Most third-party web sites are confusing or wrong. Much advice about FreeRADIUS is confusing or wrong.
The FreeRADIUS documentation, wiki, and the corporate site above are correct. And even pretty clear most of the time.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
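An added configuration example, not part of Alan's reply and not the FreeRADIUS distribution as shipped: it shows how the two post-auth sections fit together in FreeRADIUS 3.x so that the inner (real) User-Name, rather than the outer numeric identity, ends up in the final Access-Accept and therefore in radacct. The list name `session-state`, the `outer.` prefix, the `!* ANY` delete operator and the list-copy `&reply: += &session-state:` are standard 3.x unlang; the comments, the placement of the blocks and the sample values "321457" / "joao.bosco" (taken from the debug output above) are mine.

```unlang
#  Added example (not shipped FreeRADIUS config). Two halves are needed so
#  the inner identity, not the outer one, ends up in the final Access-Accept.

#  ---- raddb/sites-available/inner-tunnel, post-auth section ----
#  Runs when the tunneled (inner) authentication succeeds. At this point the
#  outer server is still sending Access-Challenges; the Access-Accept comes
#  one or more round trips later, so anything written to "outer.reply" here
#  is attached to the current Access-Challenge and then discarded.
post-auth {
    #  Cache the real user name in the outer session-state list.
    #  session-state is kept for the whole EAP conversation (across all
    #  Access-Challenge / Access-Request round trips) and is merged into
    #  the reply by the outer post-auth section below.
    update outer.session-state {
        &User-Name := &request:User-Name
    }
}

#  ---- raddb/sites-available/default, post-auth section (outer server) ----
#  Runs when the outer server is about to send the final Access-Accept.
post-auth {
    #  If the inner tunnel cached a User-Name, drop the outer one the
    #  supplicant sent (the per-device number such as "321457") so that
    #  both names do not end up in the reply.
    if (&session-state:User-Name) {
        update reply {
            &User-Name !* ANY
        }
    }

    #  Merge everything cached in session-state into the final reply.
    #  The Access-Accept now carries User-Name = "joao.bosco". RFC 2865
    #  says a NAS given a User-Name in the Access-Accept should use it in
    #  the Accounting-Requests for that session, so radacct.username
    #  holds the real identity and the simultaneous-use SQL check above
    #  matches the right rows.
    update {
        &reply: += &session-state:
    }
}
```

The second half is what the "TTLS and PEAP" comments in a recent stock sites-enabled/default already do, which is why Alan points there; only the first half (writing to `outer.session-state` instead of `outer.reply`) is the change to make in inner-tunnel. After restarting with `radiusd -X`, the final "Sent Access-Accept" block in the debug output should show the inner name, and the quoted Access-Accept above is the before picture to compare against.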