From: Alan T. DeKok Date: Sun, 27 Dec 2015 02:22:18 +0000 (-0500) Subject: Add policy to check outer / inner tunnel user names X-Git-Tag: release_3_0_11~67 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df27e5065e7436f2f3f677c9529d965b3d4d9dfb;p=thirdparty%2Ffreeradius-server.git Add policy to check outer / inner tunnel user names They should be compatible as per github issue #1471
---
diff --git a/raddb/policy.d/filter b/raddb/policy.d/filter
index 062d375553f..134d2f7a10a 100644
--- a/raddb/policy.d/filter
+++ b/raddb/policy.d/filter
@@ -109,3 +109,79 @@ filter_password {
 }
 }
 }
+
+filter_inner_identity {
+ #
+ # No names, reject.
+ #
+ if (!&outer.request:User-Name || !&User-Name) {
+ update request {
+ Module-Failure-Message = "User-Name is required for tunneled authentication"
+ }
+ reject
+ }
+
+ #
+ # If the names are the same, it's OK.
+ #
+ # Otherwise, do lots of sanity checks
+ #
+ if (&outer.request:User-Name != &User-Name) {
+ #
+ # We require the outer User-Name
+ # to be "@realm", or "anon...",
+ # hopefully "anonymous", or "anonymous@realm"
+ #
+ # The checks for "anonymous" are more relaxed
+ # because vendors send a variety of names
+ # instead of following the standards.
+ #
+ if ((&outer.request:User-Name !~ /^@/) && \
+ (&outer.request:User-Name !~ /^anon/)) {
+ update request {
+ Module-Failure-Message = "User-Name is not correctly anonymized"
+ }
+ reject
+ }
+
+ #
+ # Now we get complicated. Look for the outer realm
+ #
+ if (&outer.request:User-Name =~ /@(.*)$/) {
+ update request {
+ Outer-Realm-Name = "%{1}"
+ }
+ }
+
+ #
+ # And the inner realm
+ #
+ if (&User-Name =~ /@(.*)$/) {
+ update request {
+ Inner-Realm-Name = "%{1}"
+ }
+ }
+
+ #
+ # It's OK to have outer "@example.com" and
+ # inner "bob". We do more detailed checks
+ # only if the inner realm exists.
+ #
+ # It's OK to have the same realm name, or
+ # the outer one is "example.com" and the inner
+ # is "secure.example.com"
+ #
+ if (&Inner-Realm-Name && \
+ (&Inner-Realm-Name != &Outer-Realm-Name) && \
+ (&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)) {
+ update request {
+ Module-Failure-Message = "Inner and outer realms are not compatible"
+ }
+ reject
+ }
+
+ #
+ # It's OK to have an outer realm and no inner realm.
+ #
+ }
+}
diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel
index 42b358f5c8e..14df8ab13e6 100644
--- a/raddb/sites-available/inner-tunnel
+++ b/raddb/sites-available/inner-tunnel
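Review bot: The suffix test `(&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)` expands a value derived from the client-supplied outer User-Name inside a regular expression, so unless the evaluator escapes xlat output in dynamic regexes (I believe 3.0 does, but that should be confirmed and stated in the comment above the check) a `.` in the realm matches any character and metacharacters in the outer realm would change the pattern. Both `/@(.*)$/` captures take everything after the first `@`, so a name with two `@` characters yields a realm such as `x@example.com`; whether that agrees with how the realm module splits the name should be confirmed, and `/^[^@]*@([^@]+)$/` would instead reject such names outright. The comments do not cover an outer name without a realm (e.g. outer `anonymous`, inner `bob@example.com`): Outer-Realm-Name is then never set, `%{Outer-Realm-Name}` expands to nothing so the suffix regex becomes `/\.$/`, and whether the `!=` comparison against the missing attribute ends in a reject should be spelled out next to the `if (&Inner-Realm-Name && \` line. The `/^anon/` check is also case-sensitive, so `Anonymous` is rejected; if the "relaxed" intent includes that spelling, `/^anon/i` would match it.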
@@ -46,6 +46,12 @@ listen {
 # Make *sure* that 'preprocess' comes before any realm if you
 # need to setup hints for the remote radius server
 authorize {
+ #
+ # Do checks on outer / inner User-Name, so that users
+ # can't spoof us by using incompatible identities
+ #
+ filter_inner_identity
+
 #
 # The chap module will set 'Auth-Type := CHAP' if we are
 # handling a CHAP request and Auth-Type has not already been set
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 29259d0fe43..11f602dab3a 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -306,6 +306,9 @@ ATTRIBUTE EAP-Sim-KC3 1214 octets
 ATTRIBUTE EAP-Sim-Ki 1215 octets
 ATTRIBUTE EAP-Sim-Algo-Version 1216 integer
 
+ATTRIBUTE Outer-Realm-Name 1218 string internal
+ATTRIBUTE Inner-Realm-Name 1219 string internal
+
 #
 # Range: 1280 - 1535
 # EAP-type specific attributes
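Review bot: The comment added above `filter_inner_identity` should state what the policy actually enforces, since it now runs first in `authorize` for every inner-tunnel request and rejects on failure: the inner and outer User-Name must be identical, or the outer name must start with `@` or `anon` and any inner realm must equal the outer realm or be a subdomain of it. Without that, an administrator whose supplicants send a real outer identity that differs from the inner one (for example outer `bob@example.com`, inner `bob`) will see rejections carrying `Module-Failure-Message = "User-Name is not correctly anonymized"` and nothing in this file explaining why. Suggested wording: `# filter_inner_identity rejects the request unless the outer and inner User-Name are identical, or the outer name is anonymized ("@realm" / "anon...") and any inner realm equals or is a subdomain of the outer realm. Remove or adjust it if your supplicants send a real, different outer identity.` The authorize section continues outside the hunk.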