The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Jan Tomasek <jan.tomasek AT cesnet.cz>]

Hi Stefan,

I'm sorry, the problem was on my side. Live login test of CAT work just 
fine.

Long story:

I'm using PostSearchHook:

<AuthBy LDAP2>
...
    PostSearchHook          sub { CESNET::check_outer_identity(@_); };
</AuthBy>

sub check_outer_identity {
  my $authByLDAP = shift;
  my $username = shift;
  my $requestPacket = shift;
  my $userObject = shift;

  my $EAPIdentity = $requestPacket->{EAPIdentity};
  my $outerIdentity = $requestPacket->{outerRequest}->{OriginalUserName};

  if (!defined($EAPIdentity) or ($EAPIdentity eq '')) {
    $EAPIdentity = $username.' AT cesnet.cz';
  };

  if ( (defined($EAPIdentity) and defined($outerIdentity)) and
       ($EAPIdentity ne $outerIdentity) and
       ($outerIdentity ne 'anonymous AT cesnet.cz') and
       ($outerIdentity ne 'anonymous AT cesnet.eu') and
       ($outerIdentity !~ /^tnc/) ) {

    &main::log($main::LOG_DEBUG, "User $EAPIdentity/$outerIdentity is 
trying cheat.");
    $userObject->{Check}->change_attr('User-Password',
                                      join('', ('.', '/', 0..9, 
'A'..'Z', 'a'..'z')[rand 64, rand 64]));
    return 0;
  };
};

for some reason in case of test from CAT, there is 
$requestPacket->{EAPIdentity} undefined. This is quite interesting, I'm 
unable to reproduce same problem with rad_eap_test. I need to consult 
CAT source to see how you are doing that test.

Thanks and sorry again
--
--------------------------------------------------------------
Jan Tomasek aka Semik           work: CESNET, z.s.p.o.
http://staff.cesnet.cz/~semik/        Zikova 4, 160 00 Praha 6
                                      Czech Republic
phone: +420 234 680 279               http://www.cesnet.cz/

On 10/26/2018 03:51 PM, Stefan Winter wrote:
> Hello,
>
> according to the screenshot you have entered the .eu variant as inner
> ID. So we send that one inside the tunnel. I don't think you think there
> is anything wrong with that?
>
> Is your issue that you enter the .eu domain also for the *outer* ID, but
> that one is not used, with the .cz variant used instead?
>
> Greetings,
>
> Stefan Winter
>
> Am 26.10.18 um 15:27 schrieb Jan Tomasek:
> > Hello,
> >
> > I wanted to use CAT as entry point for testing our cesnet.eu domain. But
> > despite what I write as inner user name, it forces cesnet.eu. Logs on
> > our RADIUS server:
> >
> > Fri Oct 26 15:11:11 2018: DEBUG: EAP TTLS inner authentication request
> > for semik AT cesnet.eu
> > Fri Oct 26 15:11:11 2018: DEBUG: TTLS Tunnelled Diameter Packet dump:
> > Code:       Access-Request
> > Identifier: UNDEF
> > Authentic:  <8><207><254>IC|<249><160><10><208><133><205>Vz<209>L
> > Attributes:
> >          User-Name = "semik AT cesnet.eu"
> >          MS-CHAP-Challenge = <162>4X`<194>K:N<9><251>:<197>Qwp<133>
> >          MS-CHAP2-Response =
> > w<0><15>lcA<191><231>R3x.<172>H<226>#<168>s<0><0><0><0><0><0><0><0><188>E<154><201><19><8><229>:<169><186><178><132><182>AH<213><191>w<218>r<137>)\<186>
> >
> >
> >
> > Fri Oct 26 15:11:11 2018: DEBUG: User semik AT cesnet.cz/semik AT cesnet.eu is
> > trying cheat.
> >
> > That debug message is thrown by code comparing inner EAP identity
> > (first) and external identity (second).
> >
> >
> > I'm not sure if this is a bug or intentional feature. I want just to
> > inform if it is a bug.
> >
> > Best regards

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature