Hi all,

I have 2.1.6 and things basically work. But I just came across a
question about the processing of outer/inner identity:

As I understand it, in the case of a non-EAP RADIUS request (e.g. from my old modem servers), there is no tunnel and hence no inner identity.
==> Autz and Auth are done by the default virtual server and governed by
the settings in radiusd.conf and sites-available/default -- right?

In the case of an EAP request (we do EAP-TTLS and PEAP-MSCHAPv2), the outer identity is simply used as a dummy during tunnel setup
(our EAP clients use [email protected] as outer identity).
Nonetheless, FreeRADIUS does an LDAP request during Authorization
which, of course, fails with 'notfound'. FreeRADIUS then happily
proceeds to do the real authentication with inner-tunnel.
Now I wonder how to avoid that extra LDAP query.

Here's my config (ldap123 refers to a virtual module doing
redundant-load-balance with 3 LDAP servers):

default:
authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        files
        ldap123
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        eap
        Auth-Type LDAP {
             ldap123
        }
}

inner-tunnel:
authorize {
        chap
        mschap
        unix
        suffix
        update control {
               Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        files
        ldap123
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
            ldap123
        }
        eap
}

And here is the (hopefully) relevant part of the
output of freeradius -X:

radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.75.246 port 1645, id=68, length=166
        User-Name = "[email protected]"
        Framed-MTU = 1400
        Called-Station-Id = "0013.8011.a1e0"
        Calling-Station-Id = "001b.7720.e19d"
        Service-Type = Login-User
        Message-Authenticator = 0xc8c71b2e61687810d83b54a62fbc0150
        EAP-Message = 0x0202001d01616e6f6e796d6f757340756e692d6d6172627572672e6465
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 14662
        NAS-IP-Address = 192.168.75.246
        NAS-Identifier = "warz004"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "uni-marburg.de" for User-Name = "[email protected]"
[suffix] Found realm "uni-marburg.de"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "uni-marburg.de"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 30
[files]         expand: %{User-Name} -> [email protected]
++[files] returns ok
++- entering policy ldap123 {...}
+++- entering redundant-load-balance group redundant-load-balance {...}
[ldap3] performing user authorization for anonymous
[ldap3] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap3] expand: (&(uid:caseExactMatch:=%{Stripped-User-Name:-%{User-Name}}) (!(UniMrDarfRadius=0))) -> (&(uid:caseExactMatch:=anonymous) (!(UniMrDarfRadius=0)))
[ldap3] expand: ou=people,ou=Students,ou=Accounts,o=Universitaet Marburg,c=DE -> ou=people,ou=Students,ou=Accounts,o=Universitaet Marburg,c=DE
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to auth3.students.uni-marburg.de:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/ssl/certs/deutsche-telekom-root-ca-2.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: bind as uid=radius,ou=Proxy,o=Universitaet Marburg,c=DE/JhkG0iH to auth3.students.uni-marburg.de:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,ou=Students,ou=Accounts,o=Universitaet Marburg,c=DE, with filter (&(uid:caseExactMatch:=anonymous) (!(UniMrDarfRadius=0)))
rlm_ldap: object not found
[ldap3] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++++[ldap3] returns notfound
+++- redundant-load-balance group redundant-load-balance returns notfound
++- policy ldap123 returns notfound
++[expiration] returns noop
++[logintime] returns noop


Thanks for any help
Martin

--
  Dr. Martin Pauly     Fax:    49-6421-28-26994
  HRZ Univ. Marburg    Phone:  49-6421-28-23527
  Hans-Meerwein-Str.   E-Mail: [email protected]
D-35032 Marburg
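The following is an added example (not the poster's configuration and not a file from the FreeRADIUS project) of how the default server's authorize section could skip the LDAP lookup for the outer identity. It relies on what the debug output above shows: for the EAP-Identity response the eap module returns "updated", not "ok", so the existing `ok = return` override does not stop processing and every module after it, ldap123 included, still runs for "anonymous". Adding `updated = return` to the same block makes unlang leave authorize as soon as eap has set Auth-Type, for the first EAP packet as well as the later ones. Non-EAP requests (the modem servers) carry no EAP-Message, so eap returns noop for them and ldap123 runs exactly as before; the real user name is still looked up in LDAP by the inner-tunnel server, whose configuration is unchanged. Module names are the ones from the post; the comments are mine.

```unlang
# sites-available/default -- authorize section only (added example,
# not the poster's file). Only the eap { ... } block differs from the
# configuration quoted in the post.
authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                # ok      -> on-going TTLS/PEAP conversation
                # updated -> EAP-Identity response, eap has set Auth-Type := EAP
                # In both cases nothing below needs to run for the outer
                # (anonymous) identity: the inner-tunnel server performs
                # the LDAP lookup on the real user name.
                ok = return
                updated = return
        }
        unix
        files
        # Reached only by non-EAP requests (e.g. the modem servers),
        # for which eap returns noop.
        ldap123
        expiration
        logintime
        pap
}
```

If you would rather leave the eap block as shipped, the same effect can be had by guarding only the LDAP call with an unlang conditional, `if (!EAP-Message) { ldap123 }`. Either way, after restarting with freeradius -X the line `[ldap3] performing user authorization for anonymous` should no longer appear for the EAP-Identity packet, while the inner-tunnel debug still shows the ldap123 lookup for the stripped inner user name.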