This really sounds like a fundamental design problem ("problem" used
lightly in this case) in EAP-TTLS. The only UserID that the NAS (Access
Point) knows about is the one sent to the initial EAP-Identity request.
After the initial tunnel is set up, the second (true) EAP-Identity request
is sent inside the tunnel, to which the AP (by design) has no way to
decrypt. Therefore, for accounting requests originating from the AP,
the username attribute will *always* be anonymous (or whatever dummy
identity the TTLS client sends). Also, you will always see the same
UserID show up in the AP itself. That's all it knows about. EAP is
designed to be transparent to the NAS itself. The only reason it has a
username at all is the original identity request.
The only way I can see to get around this problem easily is to, after
the fact, correlate the authentication logs with another attribute in
the accounting requests. CallingStationID is the best one that comes to
mind right off the bat, since this should be unique to the session.
Not an easy problem to solve, but one of the design philosophies of TTLS
was to give that extra measure of security by hiding the identity of the
user authenticating from potential snoopers.
It would be nice if there were a way to feed the true username to the AP
after the full EAP-TTLS conversation has completed, like an attribute in
the final Access-Accept response from the RADIUS server. To my
knowledge, however, there are no mechanisms for this in the standards,
and this would require firmware upgrades on the access points.
--Mike
On Sat, 2003-09-20 at 13:08, Phil Flores wrote:
> Kudos to the FreeRadius team for their commitment to improving an
> already solid package!
>
> I have recently implemented TTLS on my test network using the CVS
> Snapshot from 9/19. TTLS is enabled along with MySQL. Connected to
> the radius is a Colubris CN3000 with 802.1x enabled. On my XP
> machine, I'm using the Alfa & Aris TTLS client.
>
> Outer Authentication uses 'anonymous', inner uses '[EMAIL PROTECTED]' via
> pap. My question is about accounting. On the radius server, I only
> have UserID '1xtest' and not 'anonymous'. radiusd -X -A does show the
> anonymous auth enabling the tunnel, and it shows that '1xtest' is
> being sent through it, however what I see in my accounting log is
> '[EMAIL PROTECTED]' for the UserID. Further, in my CN3000 I see
> that the UserID listed under current sessions is also 'anonymous'. I
> have enabled the following in radiusd.conf, thinking that it would
> affect what would be displayed in the radacct table:
>
> ttls {
> . . . .
> # The tunneled authentication request does
> # not usually contain useful attributes
> # like 'Calling-Station-Id', etc. These
> # attributes are outside of the tunnel,
> # and normally unavailable to the tunneled
> # authentication request.
> #
> # By setting this configuration entry to
> # 'yes', any attribute which NOT in the
> # tunneled authentication request, but
> # which IS available outside of the tunnel,
> # is copied to the tunneled request.
> #
> # allowed values: {no, yes}
> copy_request_to_tunnel = no
>
> # The reply attributes sent to the NAS are
> # usually based on the name of the user
> # 'outside' of the tunnel (usually
> # 'anonymous'). If you want to send the
> # reply attributes based on the user name
> # inside of the tunnel, then set this
> # configuration entry to 'yes', and the reply
> # to the NAS will be taken from the reply to
> # the tunneled request.
> #
> # allowed values: {no, yes}
> use_tunneled_reply = yes
>
> }
>
> Is there a way to log the UserID of the Inner auth into accounting?
>
>
>
> Thanks in advance,
>
> --Phil
>
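The after-the-fact correlation Mike describes, as an added example that is not part of this thread: it parses constructed radius.log-style "Login OK" lines (the line format approximates FreeRADIUS's and is an assumption, as are the sample identities and MACs) and resolves each accounting Start record's inner identity from the most recent tunneled authentication seen for the same Calling-Station-Id; a Start with no matching authentication keeps the outer identity.

```python
import re
from datetime import datetime, timedelta

# Constructed sample radius.log lines (format approximates FreeRADIUS "Auth:" lines).
# Each TTLS login produces two entries: the outer identity and the tunneled (inner) one,
# both carrying the client MAC as "cli".
AUTH_LOG = """\
Sat Sep 20 13:01:02 2003 : Auth: Login OK: [anonymous] (from client ap1 port 0 cli 00-0a-0b-0c-0d-0e)
Sat Sep 20 13:01:02 2003 : Auth: Login OK: [user1@example.com] (from client ap1 port 0 cli 00-0a-0b-0c-0d-0e)
Sat Sep 20 13:05:40 2003 : Auth: Login OK: [anonymous] (from client ap1 port 0 cli 00-1f-2e-3d-4c-5b)
Sat Sep 20 13:05:40 2003 : Auth: Login OK: [user2@example.com] (from client ap1 port 0 cli 00-1f-2e-3d-4c-5b)
"""

# Constructed accounting Start records as the NAS sends them: User-Name is only the
# outer (dummy) identity, Calling-Station-Id is the client MAC.
ACCT_STARTS = [
    {"Acct-Session-Id": "0001", "User-Name": "anonymous",
     "Calling-Station-Id": "00-0a-0b-0c-0d-0e", "time": "Sat Sep 20 13:01:03 2003"},
    {"Acct-Session-Id": "0002", "User-Name": "anonymous",
     "Calling-Station-Id": "00-1f-2e-3d-4c-5b", "time": "Sat Sep 20 13:05:41 2003"},
    {"Acct-Session-Id": "0003", "User-Name": "anonymous",   # no matching auth entry
     "Calling-Station-Id": "00-99-99-99-99-99", "time": "Sat Sep 20 13:07:00 2003"},
]

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: Login OK: "
                     r"\[(?P<user>[^\]]+)\] \(from client \S+ port \d+ cli (?P<cli>\S+)\)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"
OUTER_IDS = {"anonymous"}  # dummy identities the TTLS client presents outside the tunnel

def parse_auth_log(text):
    """Return [(timestamp, inner_user, calling_station_id)] for successful inner auths."""
    auths = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("user") not in OUTER_IDS:
            auths.append((datetime.strptime(m.group("ts"), TS_FMT), m.group("user"), m.group("cli")))
    return auths

def resolve_inner_user(acct, auths, window=timedelta(minutes=5)):
    """Latest inner auth for the same Calling-Station-Id within `window` before the Start."""
    start = datetime.strptime(acct["time"], TS_FMT)
    candidates = [(ts, user) for ts, user, cli in auths
                  if cli == acct["Calling-Station-Id"] and start - window <= ts <= start]
    return max(candidates)[1] if candidates else None

def correlate(acct_starts, auth_text):
    """Map Acct-Session-Id -> inner identity, falling back to the outer User-Name."""
    auths = parse_auth_log(auth_text)
    return {a["Acct-Session-Id"]: resolve_inner_user(a, auths) or a["User-Name"]
            for a in acct_starts}
```

The time window guards against attributing a session to a stale authentication from a MAC that was seen much earlier; tune it to how long your NAS takes between Access-Accept and the accounting Start.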
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html