Hello Berndt -
There are a couple of ways of doing this, with the simplest being not changing anything. If you don't change anything, things will still work correctly - there will just be an additional SQL database lookup.
Alternatively you can add a line to the hook so that it only changes the username of "anonymous" for accounting.
You can add something like this to the hook (and test it of course).
else
{
    if (${$p}->code() eq 'Accounting-Request')
    {
        # only change the User-Name if it is 'anonymous'
        my $user = ${$p}->getUserName;
        return unless $user eq 'anonymous';
        .....

A third option is to use the Class attribute and add a Handler for accounting for TTLS only. You will need to do some tests with your equipment to see whether or not the Class attribute is returned in the accounting requests.
regards
Hugh
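A fuller version of the gating Hugh sketches, written for this page as an added example (it is neither Hugh's hook nor Radiator's goodies/eap_anon_hook.pl). It assumes the Radiator hook calling convention (${$_[0]} is the request), the Radius::Radius methods code(), getUserName(), get_attr() and change_attr(), and a Class attribute of the constructed form "realuser=<name>" that the TTLS inner Handler would have to set; the FakeRequest package is a stand-in so the hook can be run offline.

```perl
#!/usr/bin/perl
# Added example, not Radiator's goodies/eap_anon_hook.pl.
# A PreProcessingHook for the Accounting-Request Handler that rewrites the
# outer User-Name only when all three conditions hold:
#   (a) the packet is an Accounting-Request,
#   (b) User-Name is 'anonymous', and
#   (c) a Class attribute carrying the real identity is present.
# PEAP accounting and ordinary (non-anonymous) users are left untouched.
use strict;
use warnings;

# --- Hook -----------------------------------------------------------------
# Radiator invokes hooks as &$hook(\$p, \$rp, ...), so the request object is
# ${$_[0]}. code(), getUserName(), get_attr() and change_attr() are
# Radius::Radius methods. The Class layout "realuser=<name>" is an assumption
# of this example: you would set it in the TunnelledByTTLS Handler and must
# confirm with your NAS that Class is echoed back in accounting requests.
my $accounting_hook = sub {
    my $p = ${$_[0]};

    # Leave Access-Requests and every other packet type alone
    return unless $p->code() eq 'Accounting-Request';

    # Only the anonymous outer identity needs fixing
    my $user = $p->getUserName();
    return unless defined $user && $user eq 'anonymous';

    # No (or unexpected) Class means we cannot know the real user: keep 'anonymous'
    my $class = $p->get_attr('Class');
    return unless defined $class && $class =~ /^realuser=([^\s]+)$/;

    $p->change_attr('User-Name', $1);
    return;
};

# --- Stand-in request object so the hook can be exercised offline ---------
# Constructed mock of the few Radius::Radius methods the hook uses; it is not
# Radiator code.
package FakeRequest;
sub new {
    my ($class, %attrs) = @_;
    my $code = delete $attrs{code};
    return bless { code => $code, attrs => \%attrs }, $class;
}
sub code        { $_[0]{code} }
sub get_attr    { $_[0]{attrs}{ $_[1] } }
sub getUserName { $_[0]->get_attr('User-Name') }
sub change_attr { $_[0]{attrs}{ $_[1] } = $_[2] }
package main;

# --- Driver: four constructed packets (names are made up) -----------------
my @packets = (
    # outer EAP Access-Request: must never be touched here
    FakeRequest->new(code => 'Access-Request',     'User-Name' => 'anonymous'),
    # TTLS accounting with the real identity in Class: gets rewritten
    FakeRequest->new(code => 'Accounting-Request', 'User-Name' => 'anonymous',
                     Class => 'realuser=bsevcik'),
    # PEAP accounting, no Class: stays 'anonymous'
    FakeRequest->new(code => 'Accounting-Request', 'User-Name' => 'anonymous'),
    # non-anonymous accounting: stays as sent even if Class is present
    FakeRequest->new(code => 'Accounting-Request', 'User-Name' => 'jdoe',
                     Class => 'realuser=someone'),
);

for my $p (@packets) {
    my $before = $p->getUserName();
    my $rp;                       # reply slot, unused by this hook
    $accounting_hook->(\$p, \$rp);
    printf "%-18s %-10s -> %s\n", $p->code(), $before, $p->getUserName();
}
```

To deploy it, the file named in the Accounting Handler's PreProcessingHook file:"..." directive would contain only the anonymous sub (Radiator takes the file's last expression as the hook), without the mock and driver. The check on Class is what restricts the rewrite to TTLS: it only fires if the TTLS inner Handler added Class and the NAS echoes Class in its accounting requests, which, as Hugh says, has to be verified against the equipment.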
On 07/01/2004, at 1:52 AM, Sevcik Berndt wrote:
I use TTLS for authentication. In the SQL database the User is always shown
as anonymous. I found out that the problem can be solved with the following
lines in the configuration (goodies/eap_ttls.cfg):
PreProcessingHook file:"goodies/eap_anon_hook.pl"
PostAuthHook file:"goodies/eap_anon_hook.pl"
There, these lines are in the Handler clause. When you look at my
configuration, I use one Handler for both PEAP and TTLS configuration. But
PEAP works without this patch. How can I only apply this patch to TTLS
Accounting?
AuthPort 1645
AcctPort 1646

<Client DEFAULT>
    Secret mysecret
    DupInterval 0
</Client>

<ClientListSQL>
    DBSource dbi:mysql:radius
    DBUsername root
    DBAuth letmein
</ClientListSQL>

<AuthBy SQL>
    Identifier SQLAccounting
    AuthSelect
    DBSource dbi:mysql:radius
    DBUsername root
    DBAuth letmein
    AccountingTable ACCOUNTING
    AcctColumnDef USERNAME,User-Name
    AcctColumnDef TIME_STAMP,Timestamp,integer
    AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
    AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
    AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
    AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
    AcctColumnDef ACCTSESSIONID,Acct-Session-Id
    AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
    AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
    AcctColumnDef NASIDENTIFIER,NAS-Identifier
    AcctColumnDef NASPORT,NAS-Port,integer
    AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
    #AcctFailedLogFileName %D/missedaccounting
</AuthBy>

<AuthBy FILE>
    Identifier OUTERAuthentication
    Filename %D/users
    EAPType PEAP,TTLS
    EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
    EAPTLS_CertificateFile %D/certificates/cert-srv.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
    EAPTLS_PrivateKeyPassword whatever
    EAPTLS_MaxFragmentSize 1000
    #EAPTLS_DHFile %D/certificates/cert/dh
    #EAPTLS_CRLCheck
    #EAPTLS_CRLFile %D/certificates/crl.pem
    #EAPTLS_CRLFile %D/certificates/revocations.pem
    AutoMPPEKeys
    SSLeayTrace 4
</AuthBy>

<Handler TunnelledByPEAP=1>
    RewriteUsername s/(.*)\\(.*)/$2/
    <AuthBy LDAP2>
        Identifier LDAPPEAPAuthentication
        RcryptKey whatever
        Host 10.2.4.21
        AuthDN cn=admin, dc=tgm, dc=ac, dc=at
        AuthPassword sUpp.rT
        BaseDN ou=People,ou=admin,dc=tgm,dc=ac,dc=at
        UsernameAttr uid
        PasswordAttr profilePath
        AuthAttrDef radiusAuthType,GENERIC,check
        # You can enable debugging of the Net::LDAP
        # module with this:
        # Debug 255
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

<Handler TunnelledByTTLS=1>
    RewriteUsername s/(.*)\\(.*)/$2/
    <AuthBy LDAP2>
        Identifier LDAPTTLSAuthentication
        RcryptKey whatever
        Host 10.2.4.21
        AuthDN cn=admin, dc=tgm, dc=ac, dc=at
        AuthPassword sUpp.rT
        BaseDN ou=People,ou=admin,dc=tgm,dc=ac,dc=at
        UsernameAttr uid
        PasswordAttr scriptPath
        # AuthAttrDef radiusAuthType,GENERIC,check
        # You can enable debugging of the Net::LDAP
        # module with this:
        # Debug 255
        # EAPType MSCHAP-V2
    </AuthBy>
</Handler>

<Handler Request-Type = Accounting-Request>
    AuthBy SQLAccounting
</Handler>

<Handler>
    # AuthByPolicy ContinueWhileReject
    AuthBy OUTERAuthentication
    # AuthBy PEAPAuthentication
</Handler>
Thanks Berndt
----------------------------------------- TGM - Die Schule der Technik IT-Service A-1200 Wien, Wexstr. 19-23 Tel. +43(1)33126/316 Fax: +43(1)33126/154 E-Mail: [EMAIL PROTECTED] -----------------------------------------
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. - CATool: Private Certificate Authority for Unix and Unix-like systems.
