Re: EAP and Accounting
--On Thursday, February 10, 2011 08:25:13 -0500 David Peterson dav...@wirelessconnections.net wrote:

> I am working with a NAS that only sends accounting packets with the EAP style username. Other than matching up =7Bam=3D1=7df717cc32fff26ff29ca0baac5833f...@wimax.com with b...@wimax.com manually in the database are there other methods for achieving this?

Configure RADIUS to send the inner User-Name b...@wimax.com back in the outer Access-Accept. Your NAS should then use this User-Name when Accounting (if it doesn't, you need to refer to your NAS manufacturer).

Regards,
James

--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

EAP and Accounting
I am working with a NAS that only sends accounting packets with the EAP style username. Other than matching up =7Bam=3D1=7df717cc32fff26ff29ca0baac5833f...@wimax.com with b...@wimax.com manually in the database are there other methods for achieving this?

David

EAP-TTLS Accounting Bug
I didn't see anything about it in the list of changes, but I was wondering if this issue has been fixed in any recent releases ( 1.1.5)

Quick summary of the problem is that the := operator wouldn't replace the current anonymous outer identity for the User-Name attribute, but rather would just add another User-Name attribute. All output then of course used the anonymous identity, which isn't helpful in the least for radius accounting, or user tracking.

-----Original Message-----
From: freeradius-users-bounces+jhubert=med- [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of Sam Schultz
Sent: Wednesday, March 14, 2007 7:14 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: RE : EAP-TTLS outer identity accounting

An entry like:

DEFAULT Realm == test, Autz-Type := sql-test
        User-Name = %{User-Name}

does add a new User-Name attribute with the proper value, but I need a way to delete the anonymous@ entry still, because I get Access-Accepts like this:

Sending Access-Accept of id 134 to 192.168.0.5 port 5190
        User-Name := [EMAIL PROTECTED]
        User-Name := [EMAIL PROTECTED]

Followed by Accounting-Requests that still contain the anonymous entry, so it is still using the oldest (first?) User-Name attribute.

Is there any way at all to REMOVE already set attributes so they aren't re-sent to the NAS? For that matter, shouldn't the use_tunneled_reply = yes in the ttls module configuration have kept me from having this problem? I also have copy_request_to_tunnel set to yes, but I doubt that should be causing a problem like this.

On Wed, 14 Mar 2007 13:03:21 -0500 Sam Schultz [EMAIL PROTECTED] wrote:

> On Wed, 14 Mar 2007 11:25:20 -0500 Thibault Le Meur [EMAIL PROTECTED] wrote:
>
>> -----Original Message-----
>> From: freeradius-users- [EMAIL PROTECTED] radius.org [mailto:freeradius-users- [EMAIL PROTECTED] sts.freeradius.org] On Behalf Of Sam Schultz
>> Sent: Wednesday, March 14, 2007 17:13
>> To: freeradius-users@lists.freeradius.org
>> Subject: Re: EAP-TTLS outer identity accounting
>>
>>> On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok [EMAIL PROTECTED] wrote:
>>>
>>>> Sam Schultz wrote:
>>>>
>>>>> This should be solvable by adding something like 'User-Name = %{User-Name}' to the DEFAULT entries in the users file, correct?
>>>>
>>>> Yes.
>>>
>>> One of my users file DEFAULT entries looks like this:
>>>
>>> DEFAULT Realm == test, Autz-Type := sql-test, User-Name = %u
>>>
>>> However, FreeRADIUS tells me this:
>>>
>>> Error: Invalid operator for item User-Name: reverting to '=='
>>>
>>> I assume I'm not supposed to forcibly change User-Name, so what attribute would I set to return the correct username to the NAS? I know there is a run-time variable %{reply:User-Name}, would I need to somehow update it with the correct value for User-Name instead?
>>
>> Yes, by simply adding the User-Name = XXX to the reply items (that is to say not on the first line).
>> Try something like this:
>
> This didn't make much sense at first, but I think I understand it now. What you're saying is that the first line is only for check items, which is why I couldn't set User-Name there. The second line and beyond then are for, what? Reply items ONLY, or check reply items? Is this documented anywhere? I just did a quick check through the freeradius doc directory, and only found a rlm_fastusers document which didn't have anything to say about format restrictions.
>
>> DEFAULT Realm == test, Autz-Type := sql-test
>>         User-Name=`%{User-Name}`
>>
>> HTH,
>> Thibault

RE: EAP and accounting
On Fri, 20-10-2006 at 09:24 -0400, King, Michael wrote:

> Yes. It's possible.
>
> Look in eap.conf
>
> In each EAP section (TTLS and PEAP) this code snippet exists
>
>         # The reply attributes sent to the NAS are
>         # usually based on the name of the user
>         # 'outside' of the tunnel (usually
>         # 'anonymous'). If you want to send the
>         # reply attributes based on the user name
>         # inside of the tunnel, then set this
>         # configuration entry to 'yes', and the reply
>         # to the NAS will be taken from the reply to
>         # the tunneled request.
>         #
>         # allowed values: {no, yes}
>         use_tunneled_reply = no

Hello,

I have this attribute set to yes. With this, the reply my freeradius server sent to the client is based on the user inside the EAP tunnel, but the accounting logs are still registered with username anonymous instead of the username inside the tunneled request.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información       _o)
y las Comunicaciones Aplicadas (ATICA)      / \\
http://www.um.es/atica                    _(___V
Tfo: 968367590
Fax: 968398337

Re: EAP and accounting
Angel L. Mateo [EMAIL PROTECTED] wrote:

> I have this attribute set to yes. With this, the reply my freeradius server sent to the client is based on the user inside the EAP tunnel, but the accounting logs are still registered with username anonymous instead of the username inside the tunneled request.

Because that's the only user name that the NAS sees.

Use the Class attribute to set a per-session ID for the user.

Alan DeKok.

--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

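The Class-based correlation suggested in the reply above, as an added example that is not part of the thread or of FreeRADIUS: accounting records that still carry the outer identity are resolved to the inner one by joining on Class. It assumes the server set a per-session Class in the Access-Accept and logged it beside the inner User-Name, and that the NAS echoes Class in its Accounting-Requests; the detail-style records, Class values and function names are constructed for illustration.

```python
import re

# Constructed sample. Assumption: the server logged the inner identity and the
# per-session Class it generated each time it sent an Access-Accept.
POST_AUTH_LOG = """\
Fri Oct 20 11:10:14 2006
\tUser-Name = "alice@example.org"
\tClass = 0x73657373696f6e2d30303031

Fri Oct 20 11:12:40 2006
\tUser-Name = "bob@example.org"
\tClass = 0x73657373696f6e2d30303032
"""

# Constructed sample: accounting records from the NAS; User-Name is the outer identity.
ACCT_DETAIL = """\
Fri Oct 20 11:10:20 2006
\tUser-Name = "anonymous@example.org"
\tAcct-Session-Id = "15D003FA"
\tClass = 0x73657373696f6e2d30303031

Fri Oct 20 11:13:02 2006
\tUser-Name = "anonymous@example.org"
\tAcct-Session-Id = "15D003FB"
\tClass = 0x73657373696f6e2d30303032

Fri Oct 20 11:15:00 2006
\tUser-Name = "anonymous@example.org"
\tAcct-Session-Id = "15D003FC"
"""

ATTR = re.compile(r'^\s+([\w:-]+) = "?(.*?)"?$')

def parse_detail(text):
    """Split detail-style text into records: list of (timestamp, {attr: value})."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        attrs = dict(m.groups() for m in map(ATTR.match, lines[1:]) if m)
        records.append((lines[0].strip(), attrs))
    return records

def resolve_identities(post_auth, acct):
    """Map each accounting session to the inner identity via Class; None if no match."""
    by_class = {a["Class"]: a["User-Name"] for _, a in parse_detail(post_auth) if "Class" in a}
    return {a["Acct-Session-Id"]: by_class.get(a.get("Class"))
            for _, a in parse_detail(acct)}
```

A session that resolves to None, like the third constructed record, came from a NAS that did not return Class and still needs the User-Name approach discussed elsewhere in these threads.
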
EAP and accounting
Hello,

I am developing my freeradius server (version 1.1.2) to use it in a WPA wireless environment with EAP authentication.

Until this moment (without EAP) the accounting information collected by freeradius is in the form:

- detail-MMDD:

Fri Oct 20 11:07:59 2006
        User-Name = username@realm
        NAS-Port = 2161
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = X.X.X.X
        Class = 0x69636172756d
        Calling-Station-Id = 172.18.201.166
        Acct-Status-Type = Start
        Acct-Session-Id = 15D003FA
        Tunnel-Client-Endpoint:0 = 172.18.201.166
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        NAS-IP-Address = nas IP address
        NAS-Port-Type = Virtual
        Proxy-State = 0x323034
        Client-IP-Address = client ip address
        Acct-Unique-Session-Id = e43a1da655ba3ef3
        Stripped-User-Name = username
        Realm = realm
        Timestamp = 1161335279

- auth-detail-MMDD:

Packet-Type = Access-Request
Fri Oct 20 11:10:14 2006
        User-Name = username@realm
        User-Password = 190482
        NAS-Identifier = nas id
        NAS-IP-Address = nas ip
        Proxy-State = 0x323433
        Client-IP-Address = client ip

But with EAP the files have the same form, but username is always anonymous, because the real authentication is made through the tunnel connection.

I want to know if there is any way to configure radius to log the real username instead of anonymous in the log files.

Thanks.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información       _o)
y las Comunicaciones Aplicadas (ATICA)      / \\
http://www.um.es/atica                    _(___V
Tfo: 968367590
Fax: 968398337

Re: EAP and accounting
Hi,

with which AP do you have these values? Because with my dlink DWL-2000+, EAP works but I don't have all this info :(

Franck

> Hello,
>
> I am developing my freeradius server (version 1.1.2) to use it in a WPA wireless environment with EAP authentication.
>
> Until this moment (without EAP) the accounting information collected by freeradius is in the form:
>
> - detail-MMDD:
>
> Fri Oct 20 11:07:59 2006
>         User-Name = username@realm
>         NAS-Port = 2161
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-IP-Address = X.X.X.X
>         Class = 0x69636172756d
>         Calling-Station-Id = 172.18.201.166
>         Acct-Status-Type = Start
>         Acct-Session-Id = 15D003FA
>         Tunnel-Client-Endpoint:0 = 172.18.201.166
>         Acct-Authentic = RADIUS
>         Acct-Delay-Time = 0
>         NAS-IP-Address = nas IP address
>         NAS-Port-Type = Virtual
>         Proxy-State = 0x323034
>         Client-IP-Address = client ip address
>         Acct-Unique-Session-Id = e43a1da655ba3ef3
>         Stripped-User-Name = username
>         Realm = realm
>         Timestamp = 1161335279
>
> - auth-detail-MMDD:
>
> Packet-Type = Access-Request
> Fri Oct 20 11:10:14 2006
>         User-Name = username@realm
>         User-Password = 190482
>         NAS-Identifier = nas id
>         NAS-IP-Address = nas ip
>         Proxy-State = 0x323433
>         Client-IP-Address = client ip
>
> But with EAP the files have the same form, but username is always anonymous, because the real authentication is made through the tunnel connection.
>
> I want to know if there is any way to configure radius to log the real username instead of anonymous in the log files.
>
> Thanks.
>
> --
> Angel L. Mateo Martínez
> Sección de Telemática
> Área de Tecnologías de la Información       _o)
> y las Comunicaciones Aplicadas (ATICA)      / \\
> http://www.um.es/atica                    _(___V
> Tfo: 968367590
> Fax: 968398337

--
http://www.linuxpourtous.com

RE: EAP and accounting
Yes. It's possible.

Look in eap.conf

In each EAP section (TTLS and PEAP) this code snippet exists

        # The reply attributes sent to the NAS are
        # usually based on the name of the user
        # 'outside' of the tunnel (usually
        # 'anonymous'). If you want to send the
        # reply attributes based on the user name
        # inside of the tunnel, then set this
        # configuration entry to 'yes', and the reply
        # to the NAS will be taken from the reply to
        # the tunneled request.
        #
        # allowed values: {no, yes}
        use_tunneled_reply = no

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Angel L. Mateo
Sent: Friday, October 20, 2006 5:12 AM
To: FreeRadius users mailing list
Subject: EAP and accounting

Hello,

I am developing my freeradius server (version 1.1.2) to use it in a WPA wireless environment with EAP authentication.

Until this moment (without EAP) the accounting information collected by freeradius is in the form:

- detail-MMDD:

Fri Oct 20 11:07:59 2006
        User-Name = username@realm
        NAS-Port = 2161
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = X.X.X.X
        Class = 0x69636172756d
        Calling-Station-Id = 172.18.201.166
        Acct-Status-Type = Start
        Acct-Session-Id = 15D003FA
        Tunnel-Client-Endpoint:0 = 172.18.201.166
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        NAS-IP-Address = nas IP address
        NAS-Port-Type = Virtual
        Proxy-State = 0x323034
        Client-IP-Address = client ip address
        Acct-Unique-Session-Id = e43a1da655ba3ef3
        Stripped-User-Name = username
        Realm = realm
        Timestamp = 1161335279

- auth-detail-MMDD:

Packet-Type = Access-Request
Fri Oct 20 11:10:14 2006
        User-Name = username@realm
        User-Password = 190482
        NAS-Identifier = nas id
        NAS-IP-Address = nas ip
        Proxy-State = 0x323433
        Client-IP-Address = client ip

But with EAP the files have the same form, but username is always anonymous, because the real authentication is made through the tunnel connection.

I want to know if there is any way to configure radius to log the real username instead of anonymous in the log files.

Thanks.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información       _o)
y las Comunicaciones Aplicadas (ATICA)      / \\
http://www.um.es/atica                    _(___V
Tfo: 968367590
Fax: 968398337

Howto make eap-peap accounting
Hello all

How to make freeradius support eap-peap accounting

Thank you.