Alan DeKok wrote:

> REMY Lionel <[EMAIL PROTECTED]> wrote:
>
> > I use freeradius 1.0.1 to authenticate wireless users with EAP-TTLS or PEAP against an LDAP backend.
>
> No. LDAP is a database, not an authentication server. LDAP supplies a clear-text password, and FreeRADIUS does EAP authentication.
>
> > It works... but with some conditions. The NAS puts the user in the right vlan if the vlan reply items are _outside_ the TLS tunnel.
>
> Yes... the NAS can't see inside the TLS tunnel.
>
> > So I have to put the same User-Name in the request inside _and_ outside the tunnel to take effect, because the option "use_tunneled_reply" in eap.conf doesn't work with PEAP.
>
> Hmm... that may be a bug.
>
> > And it is a security problem: if I know a valid User-Name authorized to access another vlan, I can authenticate with my credentials, but putting that valid User-Name outside the tunnel permits me to access the vlan attached to this User-Name.
>
> Sounds like a problem.
>
> > My question is: how can I solve this problem?
>
> Fix the PEAP module so "use_tunneled_reply" works.
>
> When the code was written, it was tested & verified to work.  It
> *doesn't* work when the tunneled session is proxied to another server.
>
>  Alan DeKok.
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





In fact, "use_tunneled_reply" works with PEAP when I put the same User-Name inside and outside the tunnel, but creates an error if I put a different User-Name:

 rlm_eap: Request found, released from the list
rlm_eap: Identity does not match User-Name.  Authentication failed.
 rlm_eap: Failed in handler

But using the option "use_tunneled_reply" in EAP-TTLS doesn't solve my problem of 'vlan stealing', because the Access-Accept looks like this:

Sending Access-Accept of id 106 to 130.120.72.240:21645
Tunnel-Private-Group-Id:0 = "Personnel"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "Etudiant"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
MS-MPPE-Recv-Key = 0x18670f0b4afee475cdad5059c42deb55f3e21a7df625f240f566de8b577ef97e
MS-MPPE-Send-Key = 0x7c5f2b88ae6c3280e2c121d52a5f721d03c23ae2e4e88b61cb555abfc519e81b
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "persotest"
Finished request 4


And of course, it is the wrong vlan that is considered by the access point :(

Is there a solution to that problem, manipulating attributes?

Regards,
REMY Lionel

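An added example, written for this thread and not code from the list, from FreeRADIUS or from the posters: it models the two defensive checks the discussion points at. The first half parses a `radiusd -X` Access-Accept block like the one quoted above and flags a reply that carries more than one Tunnel-Private-Group-Id, which is exactly the condition under which the access point picks the wrong VLAN. The second half models what a working "use_tunneled_reply" has to guarantee: the identity sent inside the tunnel must match the outer User-Name (the check rlm_eap logs as "Identity does not match User-Name"), and the VLAN attributes in the final reply must come from the tunneled reply only. The attribute names are the real RADIUS/FreeRADIUS ones; the function names, the two reply lists, and the sample debug block (copied from the thread with the MPPE keys shortened) are this example's own.

```python
"""Added example: audit a FreeRADIUS debug Access-Accept for conflicting VLAN
attributes, and model the inner/outer identity check plus a reply built from
tunneled attributes only. Not FreeRADIUS code; function names are this
example's own."""
import re

# Constructed sample: the Access-Accept quoted in the thread (MPPE keys
# shortened; they play no part in the check).
SAMPLE_DEBUG = """\
Sending Access-Accept of id 106 to 130.120.72.240:21645
Tunnel-Private-Group-Id:0 = "Personnel"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "Etudiant"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
MS-MPPE-Recv-Key = 0x18670f0b
MS-MPPE-Send-Key = 0x7c5f2b88
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "persotest"
Finished request 4
"""

# One 'Attribute[:tag] = value' line of radiusd -X output.
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.*?)\s*$')

# Reply attributes that decide which VLAN the NAS places the client in.
VLAN_ATTRS = ("Tunnel-Private-Group-Id", "Tunnel-Type", "Tunnel-Medium-Type")


def parse_reply(debug_text):
    """Return the (name, value) pairs of a debug Access-Accept, in order.
    Quotes around string values are stripped; non-attribute lines are skipped."""
    attrs = []
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.append((m.group(1), m.group(2).strip('"')))
    return attrs


def vlan_conflict(attrs):
    """Distinct Tunnel-Private-Group-Id values in one reply. More than one
    means the NAS chooses arbitrarily (in the thread, the wrong one)."""
    seen = []
    for name, value in attrs:
        if name == "Tunnel-Private-Group-Id" and value not in seen:
            seen.append(value)
    return seen


def identity_matches(outer_user_name, inner_identity):
    """The check rlm_eap logs as 'Identity does not match User-Name': the
    identity authenticated inside the tunnel must be the outer User-Name."""
    return outer_user_name == inner_identity


def build_reply(outer_reply, inner_reply):
    """Model of use_tunneled_reply: keep the outer reply's session attributes
    (MPPE keys, EAP-Message, ...) but take every VLAN attribute and the
    User-Name from the tunneled reply only, so an outer identity chosen by
    the client cannot select the VLAN."""
    reply = [(n, v) for n, v in outer_reply
             if n not in VLAN_ATTRS and n != "User-Name"]
    reply += [(n, v) for n, v in inner_reply
              if n in VLAN_ATTRS or n == "User-Name"]
    return reply


def audit(debug_text):
    """One-line verdict for a debug Access-Accept block."""
    vlans = vlan_conflict(parse_reply(debug_text))
    if len(vlans) > 1:
        return "CONFLICT: reply carries %d VLANs %s" % (len(vlans), vlans)
    return "ok: single VLAN %s" % vlans


if __name__ == "__main__":
    print(audit(SAMPLE_DEBUG))
    # Outer identity claims the staff account; the tunnel authenticated a student.
    print(identity_matches("persotest", "student1"))
```

Run against the quoted block, `audit` reports a conflict between "Personnel" and "Etudiant"; `build_reply` shows the shape a fixed reply should have, with the outer request's VLAN items discarded and only the tunneled ones forwarded to the NAS.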
