-------- Original Message --------
Subject: Re: Problem by Anonymous Identity.
Date: Mon, 16 Jul 2012 18:07:46 -0400
From: guillermo <[email protected]>
To: [email protected]
Thanks Phil for your quick response:
I can tell you that I did what you recommended, and the response in the Access-Accept
travels with the original user, or with the user authenticating against LDAP;
HOWEVER, the accounting process is registering with the name specified in the
802.1X Anonymous Identity option of my client.
The valid user is gwilliam and the anonymous identity is lolooooo. Here
is a log of the two processes, authentication and accounting; as you can
see, in the accounting process the user registered is the one specified as
the anonymous identity. I hope you understand all this mess.
----------------------------------------
AUTHENTICATION PROCESS
----------------------------------------
Sending Access-Accept of id 144 to 172.18.3.1 port 1812
User-Name = "gwilliam"
MS-MPPE-Recv-Key =
0x2d7f52eebec0c11ab59987210fb00e3fb2c65de7562bd7f350787496f25295a4
MS-MPPE-Send-Key =
0x20907496a507061a2397283b24d6dbdf50096fb12110ec2d5838132f41244ed8
EAP-Message = 0x034b0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 65.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 58 ID 137 with timestamp +6938
Cleaning up request 59 ID 138 with timestamp +6938
Cleaning up request 60 ID 139 with timestamp +6938
Cleaning up request 61 ID 140 with timestamp +6938
----------------------------------------
ACCOUNTING PROCESS
----------------------------------------
rad_recv: Accounting-Request packet from host 172.18.3.1 port 1812, id=42,
length=296
User-Name = "lolooooo"
NAS-Port = 12292
Framed-IP-Address = X.X.X.X
NAS-Identifier = "NN1-Doc-04(S5300)"
Acct-Status-Type = Interim-Update
Acct-Delay-Time = 0
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Session-Id = "NN1-Doc000030000000045d8560000046"
Acct-Authentic = RADIUS
Acct-Session-Time = 16
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Event-Timestamp = "Jul 16 2012 18:15:07 EDT"
NAS-Port-Type = Ethernet
Calling-Station-Id = "XXXX XXXX XXXX"
NAS-Port-Id = "slot=0;subslot=0;port=3;vlanid=4"
Huawei-IPHost-Addr = "XXXXXXXX XXXXXXXX"
Huawei-Input-Burst-Size = 0
Huawei-Input-Average-Rate = 0
Huawei-Output-Burst-Size = 0
Huawei-Output-Average-Rate = 0
Huawei-Priority = 4294901760
Huawei-Connect-ID = 46
NAS-IP-Address = 172.18.3.1
+- entering group preacct {...}
++[preprocess] returns ok
++? if (reply:User-Name =~ /^(.+)@(.+)$/)
(Attribute reply:User-Name was not found)
++? elsif (reply:User-Name)
? Evaluating (reply:User-Name) -> FALSE
++? elsif (reply:User-Name) -> FALSE
++- entering else else {...}
expand: %{User-Name} -> lolooooo
+++[reply] returns ok
++- else else returns ok
[acct_unique] Hashing 'NAS-Port = 12292,Client-IP-Address = 172.18.3.1,NAS-IP-Address =
172.18.3.1,Acct-Session-Id = "NN1-Doc000030000000045d8560000046",User-Name =
"lolooooo"'
[acct_unique] Acct-Unique-Session-ID = "0f129f7be1f9064a".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "lolooooo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
+- entering group accounting {...}
[detail] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/freeradius/radacct/172.18.3.1/detail-20120716
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/freeradius/radacct/172.18.3.1/detail-20120716
[detail] expand: %t -> Mon Jul 16 18:10:18 2012
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
[radutmp] expand: /var/log/freeradius/radutmp ->
/var/log/freeradius/radutmp
[radutmp] expand: %{User-Name} -> lolooooo
++[radutmp] returns ok
[sradutmp] expand: /var/log/freeradius/sradutmp ->
/var/log/freeradius/sradutmp
[sradutmp] expand: %{User-Name} -> lolooooo
++[sradutmp] returns ok
[sql] expand: %{User-Name} -> lolooooo
[sql] sql_set_user escaped user --> 'lolooooo'
[sql] expand: %{Acct-Input-Gigawords} -> 0
[sql] expand: %{Acct-Input-Octets} -> 0
[sql] expand: %{Acct-Output-Gigawords} -> 0
[sql] expand: %{Acct-Output-Octets} -> 0
[sql] expand: UPDATE radacct SET framedipaddress =
'%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}',
acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}'<< 32 |
'%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}'<<
32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid =
'%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress =
'%{NAS-IP-Address}' -> UPDATE radacct SET framedipaddress =
'10.3.9.110', acctsessiontime = '16', acctinputoctets = '0'<< 32
| '0', acctoutputoctets = '0'<< 32 |
'0' WHERE acctsessionid = 'NN1-Doc000030000000045d8560000046'
AND username = 'lolooooo'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++? if (noop)
? Evaluating (noop) -> FALSE
++? if (noop) -> FALSE
[attr_filter.accounting_response] expand: %{User-Name} -> lolooooo
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 42 to 172.18.3.1 port 1812
Finished request 2.
Cleaning up request 2 ID 42 with timestamp +28
Going to the next request
Ready to process requests.
On 07/16/2012 12:19 PM, Phil Mayers wrote:
On 16/07/12 16:57, guillermo wrote:
Hello friends:
I wanted you to help me solve a problem on my freeradius server. To
the point, what I need is to deny the use by clients of the option
Anonymous Identity, for in the accounting server this is what I recorded and not
the actual user, hindering tracing connections.
This is a bad idea. But, if you really want to do this:
authorize {
    ...
    if (User-Name =~ /^@/) {
        reject
    }
    ...
}
Much better is to fix your RADIUS server so that it puts the correct
User-Name in the REPLY, and your NAS should (if it complies with the
RFCs) then use that User-Name in accounting packets.
The EAP methods should do this automatically, however you might have
problems if you are doing EAP-TTLS/PAP or EAP-TTLS/MSCHAP because the
inner method is not EAP.
We do this:
sites-enabled/inner-tunnel:
post-auth {
    if (!reply:User-Name) {
        update reply {
            User-Name := "%{User-Name}"
        }
    }
}
sites-enabled/default:
post-auth {
    ...
    if (reply:User-Name =~ /^(.+)@(.+)$/) {
        # reply contains user@realm
        # overwrite the realm with the one in the request
        # in case the far end has changed realm. This forces
        # routing symmetry
        update reply {
            User-Name := "%{1}@%{Realm}"
        }
    }
    elsif (reply:User-Name) {
        # reply contains bare user, no realm - add one
        update reply {
            User-Name := "%{reply:User-Name}@%{Realm}"
        }
    }
    else {
        # no reply username, use the one from the request
        update reply {
            User-Name := "%{User-Name}"
        }
    }
    ...
}
...ensure you have:
use_tunneled_reply = yes
...in your eap.conf for this to work properly.
If your NAS doesn't send the reply User-Name back in accounting, throw
it away and get a new one.
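As an added illustration (not code from either message in this thread), the post-auth rewriting rules quoted above and the accounting check Phil describes, written as plain Python functions; the attribute dumps are constructed to mirror the log above, and the realm value is assumed:

```python
import re

# Added example, not code from the thread: the post-auth rewriting rules quoted
# above as plain functions, plus a check that the Accounting-Request carries the
# same User-Name the Access-Accept returned. Sample dumps below are constructed
# to mirror the thread's log, not captured traffic.

REALM_RE = re.compile(r"^(.+)@(.+)$")
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?([^"]*)"?\s*$')

def inner_tunnel_post_auth(request_user, reply_user):
    # inner-tunnel post-auth: no reply User-Name -> copy the inner (real) one.
    return reply_user or request_user

def default_post_auth(request_user, reply_user, realm):
    # sites-enabled/default post-auth: normalise the reply User-Name.
    if not reply_user:
        return request_user                 # else: fall back to the request name
    m = REALM_RE.match(reply_user)
    if m:
        return f"{m.group(1)}@{realm}"      # user@realm: force our realm
    return f"{reply_user}@{realm}"          # bare user: append the realm

def parse_attrs(dump):
    # Collect "Attr = value" lines from a radiusd -X dump into a dict.
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def nas_honours_reply_username(accept_attrs, acct_attrs):
    # RFC 2865 s.5.1: the NAS SHOULD use the Access-Accept User-Name in all
    # Accounting-Requests for the session. Returns (ok, accept_name, acct_name).
    accept_name = accept_attrs.get("User-Name")
    acct_name = acct_attrs.get("User-Name")
    return (accept_name is not None and accept_name == acct_name,
            accept_name, acct_name)

ACCEPT_DUMP = '''User-Name = "gwilliam"
EAP-Message = 0x034b0004'''
ACCT_DUMP = '''User-Name = "lolooooo"
Acct-Status-Type = Interim-Update
Acct-Session-Id = "NN1-Doc000030000000045d8560000046"
NAS-IP-Address = 172.18.3.1'''

if __name__ == "__main__":
    ok, a, b = nas_honours_reply_username(parse_attrs(ACCEPT_DUMP), parse_attrs(ACCT_DUMP))
    print("NAS honoured reply User-Name" if ok else f"mismatch: accept={a!r} acct={b!r}")
```

Run against the two dumps from the thread it reports the mismatch (gwilliam in the Access-Accept, lolooooo in accounting), which is exactly the symptom guillermo describes.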
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html