Re: Accounting and anonymous outer identity in EAP-TTLS

2005-10-29 Thread Damjan
> > Shouldn't the := operator in user replace the User-Name = anonymous,
> > or it doesn't because files is before sql in the authorize section, and
> > my users are in the MySQL database?
>
>   Yes, and it shouldn't matter that the users are in SQL.
>
>   I suspect that something else is adding the anonymous username in
> the reply.  The EAP module does this, but it checks to see if a
> User-name already exists.  If so, it doesn't copy it.

I changed User-Name := `testtest`, in users and this is what I got:

Sending Access-Accept of id 88 to 217.16.68.220:2640
User-Name := testtest
User-Name := testtest
Idle-Timeout := 300

Which, I guess, means it's the files module that adds the User-Name twice.. or 
not??

Anyway, the Accounting-Request I got still had User-Name = anonymous,
so I'll need to solve that first I guess..


-- 
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Accounting and anonymous outer identity in EAP-TTLS

2005-10-28 Thread Damjan
I've been searching the mail list about this, but haven't found a
definitive solution.

The scenario: I'm using WPA2 access points, they are set up to authorize
users against my freeradius server. The freeradius server is set up to
use a MySQL database, and eap-ttls is configured (and that works ok).

My Windows clients connect with the SecureW2 (1) supplicant.

The problem is that radius accounting requests have the User-Name = anonymous
attribute/value, so I can't separate accounting from different users.

I've tried to replace the User-Name in the Access-Accept reply, with
this configuration:
- I have this in the users file:
DEFAULT Freeradius-Proxied-To == 127.0.0.1
	User-Name := %{User-Name},
	Fall-Through = yes

BTW I've tried User-Name = %{User-Name} too.

And this is the authorize section in radiusd.conf:

authorize {
preprocess
chap
mschap
suffix
eap
files
sql
}

The problem is that the Access-Accept reply from freeradius has two
User-Name AV pairs, like this:
  User-Name := anonymous
  User-Name := damjan

And the accounting packet has the User-Name = anonymous AV pair.

Shouldn't the := operator in user replace the User-Name = anonymous,
or it doesn't because files is before sql in the authorize section, and
my users are in the MySQL database?... and if I put sql before files,
that DEFAULT entry will not be triggered, am I right?

Can I just remove UserName from the authorize_reply_query SELECT in
sql.conf? Note however that the same radius instance is used for non-EAP
clients too, those clients authenticate through chillispot and use plain
and simple PAP. 


My platform is:
slackware linux 10.1
openssl-0.9.7e
freeradius-1.0.2 (I'd update if that's a solution but this system has
several radius instances (ports) in production use)

(1) http://www.securew2.com/


-- 
damjan | дамјан
This is my jabber ID -- [EMAIL PROTECTED] -- not my mail address!!!

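To check a reply for the duplicate-attribute problem described above, here is an added example (not from the thread or from FreeRADIUS): a small Python decoder for the RADIUS attribute list that flags attributes which RFC 2865 allows at most once in an Access-Accept, run over a packet constructed to mirror the reply quoted in the post. The packet id, authenticator and attribute values are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2
USER_NAME = 1
IDLE_TIMEOUT = 28

# RFC 2865 section 5.44: attributes an Access-Accept may carry at most once.
SINGLETON_IN_ACCEPT = {USER_NAME: "User-Name", IDLE_TIMEOUT: "Idle-Timeout"}

def build_packet(code, ident, authenticator, avps):
    """Encode a RADIUS packet: code, id, length, 16-byte authenticator, AVPs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    length = 20 + len(body)
    return struct.pack("!BBH", code, ident, length) + authenticator + body

def parse_attributes(packet):
    """Return (code, id, [(type, value), ...]); validate the length fields."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet size")
    avps, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        avps.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, avps

def duplicate_singletons(avps):
    """Names of at-most-once attributes that occur more than once."""
    counts = {}
    for atype, _ in avps:
        counts[atype] = counts.get(atype, 0) + 1
    return sorted(SINGLETON_IN_ACCEPT[t] for t, n in counts.items()
                  if t in SINGLETON_IN_ACCEPT and n > 1)

# Constructed Access-Accept mirroring the reply quoted in the post
# (zero authenticator; a real packet carries a keyed MD5 over the reply).
SAMPLE = build_packet(ACCESS_ACCEPT, 88, bytes(16), [
    (USER_NAME, b"anonymous"),
    (USER_NAME, b"damjan"),
    (IDLE_TIMEOUT, struct.pack("!I", 300)),
])

if __name__ == "__main__":
    code, ident, avps = parse_attributes(SAMPLE)
    print("code", code, "id", ident, "duplicates:", duplicate_singletons(avps))
```

Feed it a captured reply and an empty list means the server sent a single User-Name; anything else is what the NAS will have to pick from when it fills in the accounting request.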

Re: Accounting and anonymous outer identity in EAP-TTLS

2005-10-28 Thread Alan DeKok
Damjan [EMAIL PROTECTED] wrote:
> Shouldn't the := operator in user replace the User-Name = anonymous,
> or it doesn't because files is before sql in the authorize section, and
> my users are in the MySQL database?

  Yes, and it shouldn't matter that the users are in SQL.

  I suspect that something else is adding the anonymous username in
the reply.  The EAP module does this, but it checks to see if a
User-name already exists.  If so, it doesn't copy it.

  I would say read the debug log for one of these sessions.  It won't
tell you when it adds the two usernames, but it will tell you which
modules run, and what they do.  You can use that information to walk
through the configuration by hand, to see what's going on, and why.

  Alan DeKok.
