Thierry CHICH wrote:
On Wednesday 16 January 2008, Alan DeKok wrote:
Thierry CHICH wrote:
I have an access point, and I want to use EAP/TTLS in order to authenticate
people on my LDAP server. The first time, I then had something like that:
...
In my Intel PROSet, if I give a false identity in my roaming profile
with a good identity and a good password, it works. The
authorization step doesn't work as I want. The most important problem is
that the accounting is using my roaming profile.
Yes. The outer identity is often "anonymous", and does not matter for
authentication.
If you set the User-Name in the Access-Accept, the NAS *should* use
that name for accounting, and not the name from the outer identity.
Thanks for your answer. I am happy to see that it is not totally weird.
But what can I do in order to "set the User-Name in the Access-Accept"?
When I watch the logs, I see the following events.
First, all is going well:
rlm_ldap: user GOOD.NAME authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 6
modcall: leaving group LDAP (returns ok) for request 6
radius_xlat: '[EMAIL PROTECTED] vous allez acceder en INTERNE au
Rectorat de Clermont-Ferrand'
TTLS: Got tunneled reply RADIUS code 2
Reply-Message = "[EMAIL PROTECTED] vous allez acceder en
INTERNE au Rectorat de Clermont-Ferrand"
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 6
modcall: leaving group authenticate (returns ok) for request 6
But after that good beginning, I come back to the FAKE.NAME I have written as
my outer identity:
radius_xlat: '[EMAIL PROTECTED] vous allez acceder en INTERNE au
Rectorat de Clermont-Ferrand'
Sending Access-Accept of id 13 to 172.30.87.66 port 3689
Reply-Message = "[EMAIL PROTECTED] vous allez acceder en
INTERNE au Rectorat de Clermont-Ferrand"
MS-MPPE-Recv-Key = 0x0c447e72b7c080648ded12ab5990dd20dc9832c2b9a78bf1630fa5fcdac41633
MS-MPPE-Send-Key = 0x1dd7d8cf377ebc9b47b2cddb290b95aa61140f4fe13d69e52f4102426d3c25ae
EAP-Message = 0x030d0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "FAKE.NAME"
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
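One way to carry the authenticated inner identity (GOOD.NAME) into the outer Access-Accept so the NAS accounts on it rather than on the outer FAKE.NAME, as an added example that is not from this thread: it assumes a FreeRADIUS 2.x layout where the TTLS module hands the inner request to the "inner-tunnel" virtual server, and uses the ttls option use_tunneled_reply together with an unlang update in that server's post-auth section.

```conf
# eap.conf (assumed FreeRADIUS 2.x layout)
eap {
    ttls {
        # The shipped default is "no": the inner reply stays inside the tunnel
        # and only the outer (roaming/anonymous) identity reaches the NAS, so
        # accounting is keyed on the outer User-Name (FAKE.NAME in the log).
        # With "yes", attributes of the tunneled Access-Accept, User-Name
        # included, are copied into the outer Access-Accept.
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}

# sites-available/inner-tunnel (assumed): the inner request carries the real
# identity that rlm_ldap authenticated; return it as a reply attribute so the
# copy above puts it in the outer Access-Accept instead of the outer identity.
post-auth {
    update reply {
        User-Name := "%{User-Name}"
    }
}
```

Check the result in debug output: the outer "Sending Access-Accept" block should now list User-Name = "GOOD.NAME", and subsequent Accounting-Request packets from the NAS should carry that name.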
What version of FR are you running?
--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900