First off, let me say that I'm still a little confused about PEAP and
tunneled identities, so if a quick reply saying I need to do more research
is appropriate, don't hesitate to do so.
Here is my situation...
I have a FreeRADIUS server set up to do 802.1X authentication for a
wireless network. Recently I have come across an 802.1X client (the Belkin
wireless card driver) that lets you enter two usernames. The first username
is logged by the access point as the currently logged in user, but is not
validated by a password. The second username has a corresponding password
field and is used to authenticate the session.
I performed a test using "MrBean" as the first username, and "georget" as
the second username. For the password, I used georget's password. "MrBean"
is not a valid username, but it doesn't seem to matter.
I found the following using the FreeRADIUS debug output...
rad_recv: Access-Request packet from host 153.42.176.10:32872, id=213,
length=111
User-Name = "MrBean"
NAS-IP-Address = 153.42.176.10
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "001150148C4A"
Called-Station-Id = "000B86503EB0"
Framed-MTU = 1100
EAP-Message = 0x0201000b014d724265616e
Message-Authenticator = 0x937bd2da9b4ad132ee37951e4d42604b
...
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Identity - georget
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled identity of georget
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to georget
...
PEAP: Tunneled authentication was successful.
rlm_eap_peap: SUCCESS
...
Sending Access-Accept of id 222 to 153.42.176.10:32872
MS-MPPE-Recv-Key =
0x962f53dc4a8e2fdb757b0e57aa24a171e1ddb5229553f3c78e1ef7e3859f3fbc
MS-MPPE-Send-Key =
0x5864d69780d39a1aaa0b7338d39f26eee22542fc577bd9ecd04706b40bcbcd66
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "MrBean"
So I can see that FreeRADIUS is using georget to authenticate and authorize
the access request, but the wireless access point is only seeing "MrBean."
Is there a way to ensure both usernames match? I.e. is there any way to
configure EAP/PEAP to reject a request if the tunneled identity does not
match the user-name attribute of the original request?
Jason Long
Messiah College
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
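One way to enforce the check asked about above, given here as an added example rather than as part of the original post or of the FreeRADIUS project's shipped configuration. It assumes a FreeRADIUS 3.x server (the outer/inner relationship shown in the debug output is the same, but the policy syntax below did not exist in the 1.x servers of the time), where the PEAP inner session is processed by the "inner-tunnel" virtual server, the outer Access-Request is reachable there as `outer.request`, and the default outer server's post-auth copies `&session-state:` into the final reply. The regex for an anonymous outer identity is an assumed local convention, not something the post mentions.

```unlang
#  Added example, not from the post or from the stock FreeRADIUS config.
#  Assumes FreeRADIUS 3.x: raddb/sites-enabled/inner-tunnel, relevant
#  sections only.

authorize {
	#  &outer.request:User-Name is the cleartext EAP-Response/Identity the
	#  NAS logged ("MrBean" in the post). &User-Name here is the tunneled
	#  identity that rlm_eap_peap has already copied in ("georget").
	#
	#  Reject when they differ. The second clause tolerates a deliberately
	#  anonymous outer identity, which many PEAP supplicants send on
	#  purpose (assumed local convention); remove it for strict equality.
	if ((&outer.request:User-Name != &User-Name) && (&outer.request:User-Name !~ /^anonymous(@.*)?$/)) {
		reject
	}

	#  Followed by the stock authorize section (suffix, eap, files, ...).
}

post-auth {
	#  Complementary fix for the NAS-side log: put the authenticated inner
	#  identity into the outer session state so the outer Access-Accept
	#  carries "georget" instead of the unverified "MrBean". Most NASes
	#  adopt the User-Name returned in an Access-Accept for their session
	#  records (RFC 2865 permits the server to return User-Name).
	update outer.session-state {
		&User-Name := &User-Name
	}
}
```

With this in place, `radiusd -X` shows the inner-tunnel request being rejected before `eap` runs whenever the two identities differ, and on success the outer `Sending Access-Accept` block carries the inner identity in `User-Name`. Be aware that the strict form breaks every client configured with an anonymous outer identity, which is a legitimate and common PEAP deployment choice; the post-auth copy alone fixes the logging discrepancy without imposing a client-side naming rule.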