How to Reject Anonymous Identity

Discussion:

Selahattin Cilek

2018-11-02 16:08:32 UTC

I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
stepped into the world of RADIUS, I have been dealing with the issue of
"anonymous" users. I have been abusing the *Class* attribute work around
the problem, but after some deliberation, I've decided that it would be
best if I could reject anonymous users right away.

I already have a MySQL stored procedure named "is_login_allowed" that
checks if a user is in a locked state or not and I use it like this in
the *authorize* section of the *default*, *inner-tunnel-ttls*,
*inner-tunnel-peap* sites:

authorize{
    if ("%{sql: CALL is_login_allowed('%{User-Name}')}" == "0" ) {
        reject
    }

}

Currently, this store procedure can check if a user with a given name
exists in the database, and if not, return *0* to make FreeRADIUS to
reject access to that user.

What I'd like to know though is that if there is a better, more elegant
FreeRADIUSy way of achieving the same goal. For example, would something
like below work?

authorize{

if("%{outer.request.UserName}" != "%{inner.request.UserName}"){

    reject

    }

}

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

-
List info/subscribe/unsubscribe? See http://www.freeradius.org

Alan DeKok

2018-11-02 16:15:33 UTC

Permalink

Post by Selahattin Cilek
I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
stepped into the world of RADIUS, I have been dealing with the issue of
"anonymous" users.

What do you mean by anonymous users?

The normal operation is to only authenticate *known* users. Everyone else is unknown, and un-authenticated.

Post by Selahattin Cilek
I have been abusing the *Class* attribute work around
the problem, but after some deliberation, I've decided that it would be
best if I could reject anonymous users right away.

Perhaps there's debug output you could share...

Post by Selahattin Cilek
Currently, this store procedure can check if a user with a given name
exists in the database, and if not, return *0* to make FreeRADIUS to
reject access to that user.

The default *is* to reject unknown users. So if your system is allowing unknown users, then it's because of local changes you made to allow that.

Post by Selahattin Cilek
What I'd like to know though is that if there is a better, more elegant
FreeRADIUSy way of achieving the same goal. For example, would something
like below work?

If you could describe in more detail what you're doing, we could help.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.htm

Selahattin Cilek

2018-11-02 16:49:01 UTC

Permalink

On 2.11.2018 19:15, Alan DeKok wrote:

On Nov 2, 2018, at 12:08 PM, Selahattin Cilek <***@hotmail.com><mailto:***@hotmail.com> wrote:

I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
stepped into the world of RADIUS, I have been dealing with the issue of
"anonymous" users.

What do you mean by anonymous users?

"Anonymous" users those who use another user name in the outer EAP request. The option to use an anonymous (or "outer" or "secret" or "hidden") identity is enabled default on SecureW2 and Windows 10's Microsoft EAP-TLS implementation and almost all devices can be configured to use it. This is a measure designed to prevent an attacker from getting a user's true user name by sniffing the packets that go between the NAS and the RADIUS server. Of course, when the request enters the the TLS tunnel, the server gets the user's true user name. I think these two lines from the log should make it clear:

Nov 2 19:44:32 radiusd 65078 Login OK: [anonymous] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF)
Nov 2 19:44:32 radiusd 65078 Login OK: [60643462528] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF via TLS tunnel)

This user is using anonymous identity.

The normal operation is to only authenticate *known* users. Everyone else is unknown, and un-authenticated.

Yes, of course, obviously. But the problem is that the user can hide his true user name in the outer request.

I have been abusing the *Class* attribute work around
the problem, but after some deliberation, I've decided that it would be
best if I could reject anonymous users right away.

Perhaps there's debug output you could share...

I did not want to deluge the message with debug output since this is not about an error I am getting. I just want to improve my configuration a little bit.

Currently, this store procedure can check if a user with a given name
exists in the database, and if not, return *0* to make FreeRADIUS to
reject access to that user.

The default *is* to reject unknown users. So if your system is allowing unknown users, then it's because of local changes you made to allow that.

Yes, but a user can choose to supply another false user name in the outer request, can't he?

What I'd like to know though is that if there is a better, more elegant
FreeRADIUSy way of achieving the same goal. For example, would something
like below work?

If you could describe in more detail what you're doing, we could help.

I want to check if a user is using anonymous identity and reject access to him in the FreeRADIUS configuration, that is, without the help of MySQL. Something like: If he is using anonymous identity, do not let him in.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

[Loading Image...

]<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> Virus-free. www.avast.com<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
-
List info/subscribe/unsubscribe? See http://www.freeradiu

Scott Armitage

2018-11-02 16:54:35 UTC

Permalink

Post by Selahattin Cilek
I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
stepped into the world of RADIUS, I have been dealing with the issue of
"anonymous" users.
What do you mean by anonymous users?
Nov 2 19:44:32 radiusd 65078 Login OK: [anonymous] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF)
Nov 2 19:44:32 radiusd 65078 Login OK: [60643462528] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF via TLS tunnel)
This user is using anonymous identity.
The normal operation is to only authenticate *known* users. Everyone else is unknown, and un-authenticated.
Yes, of course, obviously. But the problem is that the user can hide his true user name in the outer request.

Thats kind of the point of the outer identity. Changing this will prevent clients from authenticating.

Post by Selahattin Cilek
Currently, this store procedure can check if a user with a given name
exists in the database, and if not, return *0* to make FreeRADIUS to
reject access to that user.
The default *is* to reject unknown users. So if your system is allowing unknown users, then it's because of local changes you made to allow that.
Yes, but a user can choose to supply another false user name in the outer request, can't he?

The outer identity isnât used to authenticate the user. The inner identity is.

Regards

Scott Armitage

Alan DeKok

2018-11-02 17:02:50 UTC

Permalink

OK. I understand all that. Given the vagueness of the message, I wasn't sure what *you* meant by it.

... But the problem is that the user can hide his true user name in the outer request.

That's sort of the point of the anonymous outer identity.

Yes, but a user can choose to supply another false user name in the outer request, can't he?

Which is why you only authenticate the user via the *inner* identity.

I want to check if a user is using anonymous identity and reject access to him in the FreeRADIUS configuration, that is, without the help of MySQL. Something like: If he is using anonymous identity, do not let him in.

Just look for the anonymous identity in the outer session. This is why we tell people to read the debug output. It *tells you* what's going on.

In sites-enabled/default, do:

authorize {
...
if (User-Name =~ /^anom/) {
reject
}

...
}

Though the user can just change the outer identity to anything else.

The question here is why do you care what the outer identity is? All of the default configuration uses the inner identity for authenticating users.

Again, the default configuration *works*. If you've done something to allow weird things, then it's due to your local changes. Don't do that...

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.ht

Selahattin Cilek

2018-11-02 17:32:34 UTC

Permalink

Post by Alan DeKok
OK. I understand all that. Given the vagueness of the message, I wasn't sure what *you* meant by it.

... But the problem is that the user can hide his true user name in the outer request.

That's sort of the point of the anonymous outer identity.

Yes, but a user can choose to supply another false user name in the outer request, can't he?

Which is why you only authenticate the user via the *inner* identity.

Just look for the anonymous identity in the outer session. This is why we tell people to read the debug output. It *tells you* what's going on.
authorize {
...
if (User-Name =~ /^anom/) {
reject
}
...
}
Though the user can just change the outer identity to anything else.

So Is the MySQL stored procedure approach is my best option? Is there
not a way to check the inner identity against the outer identity?

Post by Alan DeKok
The question here is why do you care what the outer identity is? All of the default configuration uses the inner identity for authenticating users.
Again, the default configuration *works*. If you've done something to allow weird things, then it's due to your local changes. Don't do that...

I do care because:
1. The Unifi APs that are employed on the site sometimes allow multiple
access from laptops to the network despite that fact that
"Simultaneous-Use" is set to "1" for every user in the database and I
suspect that is somehow connected with the cursed anonymous identity. To
illustrate, some users can first log in on their Android phones and then
leave the laptop open, which tries to log in again and again and some
time later, somehow, are connected to the network. As if that is not
enough, I receive no accounting packets for the laptop. There is one
particular user that confessed to once having downloaded 150GBs a night
from his laptop. He does that almost every night. My goal is to
distribute the connectivity and fairly as possible.
2. The Unifi APs do not know what is going on the FreeRADIUS server and
send back accounting packages that contain lines like "User-Name:
anonymous" or "User-Name: some_garbage"; that is why I use the "Class"
attribute to circumvent this problem. I do not want to have to
circumvent anything. I want everything to be correct and in place.
3. This is a public and *FREE* network. The users do not have the luxury
of remaining anonymous. If they want to remain anonymous, they can buy
one of those LTE packages.

Post by Alan DeKok
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/u

Alan DeKok

2018-11-02 17:49:55 UTC

Permalink

Post by Selahattin Cilek
So Is the MySQL stored procedure approach is my best option? Is there
not a way to check the inner identity against the outer identity?

Yes. See raddb/policy.d/filter

Or, run the server in debug mode as suggested everywhere... you will see it compare inner to outer identity.

Post by Selahattin Cilek
1. The Unifi APs that are employed on the site sometimes allow multiple
access from laptops to the network despite that fact that
"Simultaneous-Use" is set to "1" for every user in the database and I
suspect that is somehow connected with the cursed anonymous identity.

Don't *suspect*. Run the server in debug mode, and *learn*.

Trying random things to "fix" a problem is just a waste of time. You need to *understand* what it's doing, and how the configuration works. That lets you come up with a solution.

Post by Selahattin Cilek
To
illustrate, some users can first log in on their Android phones and then
leave the laptop open, which tries to log in again and again and some
time later, somehow, are connected to the network. As if that is not
enough, I receive no accounting packets for the laptop.

Simultaneous-Use need accounting packets...

If you go to the Wiki and search for "Simultaneous-Use", you'll see a FAQ entry which says this.

Post by Selahattin Cilek
There is one
particular user that confessed to once having downloaded 150GBs a night
from his laptop. He does that almost every night. My goal is to
distribute the connectivity and fairly as possible.

Then fix the NAS so that it sends accounting packets.

No amount of poking FreeRADIUS will magically have it know what the users doing. Especially if the NAS isn't sending accounting packets.

Post by Selahattin Cilek
2. The Unifi APs do not know what is going on the FreeRADIUS server and
anonymous" or "User-Name: some_garbage"; that is why I use the "Class"
attribute to circumvent this problem.

Which is why the default config sends the *inner* username in the Access-Accept. The NAS is *supposed* to use this User-Name in all accounting packets.

If you use Class, you can just set "Class" to the inner User-Name.

Or even better, reject *all* users where the outer User-Name is not the same as the outer User-Name,

Again, running the server in debug mode and *reading* the output will tell you exactly how to do this.

Post by Selahattin Cilek
I do not want to have to
circumvent anything. I want everything to be correct and in place.
3. This is a public and *FREE* network. The users do not have the luxury
of remaining anonymous. If they want to remain anonymous, they can buy
one of those LTE packages.

99% of what you want to do is documented either in the Wiki or is visible in the debug output.

It just takes *reading* the debug output. And not trying random things. That's a waste of time.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org

Alan Buxey

2018-11-02 18:37:53 UTC

Permalink

Umm

You are authenticating them , so you see their inner username and thus what
ever they have in their outerid is of no consequence.

Let them use whatever in their outerid as it's the innerid that matters and
what you use for policies

For simultaneous use checks the server, by default, will be using
accounting info , this you need to send info back to the NAS that can be
used in the accounting sessions and policy designed around

But you say this is a free network... What is wrong with a user having a
phone and a laptop? It's pretty common these days for a user to have 2 (or
more!) devices *and* user experience/expectations is to be able to use them
all (in fact, they may have to, doing eg something on their phone but then
having to get their laptop out to complete the task )

alan

Post by Alan DeKok

Post by Selahattin Cilek
So Is the MySQL stored procedure approach is my best option? Is there
not a way to check the inner identity against the outer identity?

Yes. See raddb/policy.d/filter
Or, run the server in debug mode as suggested everywhere... you will
see it compare inner to outer identity.

Don't *suspect*. Run the server in debug mode, and *learn*.
Trying random things to "fix" a problem is just a waste of time. You
need to *understand* what it's doing, and how the configuration works.
That lets you come up with a solution.

Simultaneous-Use need accounting packets...
If you go to the Wiki and search for "Simultaneous-Use", you'll see a
FAQ entry which says this.

Then fix the NAS so that it sends accounting packets.
No amount of poking FreeRADIUS will magically have it know what the
users doing. Especially if the NAS isn't sending accounting packets.

Which is why the default config sends the *inner* username in the
Access-Accept. The NAS is *supposed* to use this User-Name in all
accounting packets.
If you use Class, you can just set "Class" to the inner User-Name.
Or even better, reject *all* users where the outer User-Name is not the
same as the outer User-Name,
Again, running the server in debug mode and *reading* the output will
tell you exactly how to do this.

99% of what you want to do is documented either in the Wiki or is
visible in the debug output.
It just takes *reading* the debug output. And not trying random
things. That's a waste of time.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/u

Hans-Christian Esperer

2018-11-02 19:07:41 UTC

Permalink

Hi,

[...]

Unifi APs always use a NAS-Port of 0 (instead of using a unique value) in all
accounting packets. I've reported this to the vendor but haven't gotten any
response so far.

When using radutmp to keep all current sessions, newer sessions delete old ones
because the tuple(AP,NAS-Port) is the primary key... radutmp in turn is used
for the Simultaneous-Use thing. (unless you use sql)

Cheers
HC
-
List info/subscribe/unsubscribe? See http://www.freeradius

Continue reading on narkive:

Search results for 'How to Reject Anonymous Identity' (Questions and Answers)

replies

Will TOR and VPN protect my identity?

started 2016-02-03 18:21:53 UTC

security

replies

How to make an anonymous group?

started 2017-02-01 11:34:55 UTC

books & authors

replies

So apparently there are "many atheists" here who have "serious doubts about their atheism" according to one honest but Anonymous poster?