Re: EAP and Accounting

2011-02-11 Thread James J J Hooper



--On Thursday, February 10, 2011 08:25:13 -0500 David Peterson dav...@wirelessconnections.net wrote:

 I am working with a NAS that only sends accounting packets with the EAP
 style username.  Other than matching up
 =7Bam=3D1=7df717cc32fff26ff29ca0baac5833f...@wimax.com with
 b...@wimax.com manually in the database are there other methods for
 achieving this?


Configure RADIUS to send the inner User-Name b...@wimax.com back in the 
outer Access-Accept. Your NAS should then use this User-Name when 
Accounting (if it doesn't, you need to refer to your NAS manufacturer).


Regards,
James


--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP and Accounting

2011-02-10 Thread David Peterson
I am working with a NAS that only sends accounting packets with the EAP
style username.  Other than matching up
=7Bam=3D1=7df717cc32fff26ff29ca0baac5833f...@wimax.com with b...@wimax.com
manually in the database are there other methods for achieving this?

David 




EAP-TTLS Accounting Bug

2007-05-17 Thread Sam Schultz
I didn't see anything about it in the list of changes, but I was wondering
if this issue has been fixed in any recent releases (  1.1.5)

Quick summary of the problem is that the := operator wouldn't replace
the current anonymous outer identity for the User-Name attribute, but
rather would just add another User-Name attribute. All output then of
course used the anonymous identity, which isn't helpful in the least
for radius accounting, or user tracking.

 -Original Message-
 From: freeradius-users-bounces+jhubert=med-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Sam Schultz
 Sent: Wednesday, March 14, 2007 7:14 PM
 To: freeradius-users@lists.freeradius.org
 Subject: Re: RE : EAP-TTLS outer identity  accounting

 An entry like:

 DEFAULT Realm == test, Autz-Type := sql-test
 User-Name = %{User-Name}

 does add a new User-Name attribute with the proper value, but I need a
 way to delete the anonymous@ entry still, because I Access-Accepts like
 this:

 Sending Access-Accept of id 134 to 192.168.0.5 port 5190
 User-Name := [EMAIL PROTECTED]
 User-Name := [EMAIL PROTECTED]

 Followed by Accounting-Requests that still contain the anonymous
 entry, so it is still using the oldest (first?) User-Name attribute.
 Is there any way at all to REMOVE already set attributes so they aren't
 re-sent to the NAS?

 For that matter, shouldn't the use_tunneled_reply = yes in the ttls
 module configuration have kept me from having this problem?

 I also have copy_request_to_tunnel set to yes, but I doubt that should
 be causing a problem like this.

 On Wed, 14 Mar 2007 13:03:21 -0500 Sam Schultz [EMAIL PROTECTED] wrote:
 On Wed, 14 Mar 2007 11:25:20 -0500 Thibault Le Meur [EMAIL PROTECTED] wrote:
  -Original Message-
  From: freeradius-users-[EMAIL PROTECTED]radius.org [mailto:freeradius-users-[EMAIL PROTECTED]sts.freeradius.org] On Behalf Of Sam Schultz
  Sent: Wednesday, 14 March 2007 17:13
  To: freeradius-users@lists.freeradius.org
  Subject: Re: EAP-TTLS outer identity  accounting

  On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok [EMAIL PROTECTED] wrote:
  Sam Schultz wrote:

   This should be solvable by adding something like 'User-Name =
   %{User-Name}' to the DEFAULT entries in the users file, correct?

    Yes.

  One of my users file DEFAULT entries looks like this:

  DEFAULT Realm == test, Autz-Type := sql-test, User-Name = %u

  However, FreeRADIUS tells me this:

  Error: Invalid operator for item User-Name: reverting to '=='

  I assume I'm not supposed to forcibly change User-Name, so what
  attribute would I set to return the correct username to the NAS?

  I know there is a run-time variable %{reply:User-Name}, would I
  need to somehow update it with the correct value for User-Name
  instead?

 Yes, by simply adding the User-Name = XXX to the reply items (that is
 to say not on the first line). Try something like this:

 This didn't make much sense at first, but I think I understand it now.
 What you're saying is that the first line is only for check items,
 which is why I couldn't set User-Name there. The second line and beyond
 then are for, what? Reply items ONLY, or check  reply items? Is this
 documented anywhere? I just did a quick check through the freeradius
 doc directory, and only found a rlm_fastusers document which didn't
 have anything to say about format restrictions.

 DEFAULT Realm == test, Autz-Type := sql-test
 User-Name=`%{User-Name}`

 HTH,
 Thibault



RE: EAP and accounting

2006-10-30 Thread Angel L. Mateo
On Fri, 20-10-2006 at 09:24 -0400, King, Michael wrote:
 Yes.  It's possible.
 
 Look in eap.conf. In each EAP section (TTLS and PEAP) this code snippet exists:
 
 #  The reply attributes sent to the NAS are
 #  usually based on the name of the user
 #  'outside' of the tunnel (usually
 #  'anonymous').  If you want to send the
 #  reply attributes based on the user name
 #  inside of the tunnel, then set this
 #  configuration entry to 'yes', and the reply
 #  to the NAS will be taken from the reply to
 #  the tunneled request.
 #
 # allowed values: {no, yes}
 use_tunneled_reply = no 
 
Hello,

I have this attribute set to yes. With this, the reply my freeradius
server sent to the client is based on the user inside the EAP tunnel,
but the accounting logs are still registered with username anonymous
instead of the username inside the tunneled request.

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica                  _(___V
Tfo: 968367590
Fax: 968398337




Re: EAP and accounting

2006-10-30 Thread Alan DeKok
Angel L. Mateo [EMAIL PROTECTED] wrote:
   I have this attribute set to yes. With this, the reply my freeradius
 server sent to the client is based on the user inside the EAP tunnel,
 but the accounting logs are still registered with username anonymous
 instead of the username inside the tunneled request.

  Because that's the only user name that the NAS sees.

  Use the Class attribute to set a per-session ID for the user.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
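
One way to apply the Class-based correlation suggested above, as an added example that is not part of the original thread: it parses accounting records in the detail-file layout quoted in this thread and resolves sessions that carry only the outer identity back to the inner identity through Class. The sample records, the `ISSUED` table and all function names are constructed for illustration; it assumes the server put a per-session Class value in the Access-Accept and recorded which inner user it was issued to.

```python
import re

# Constructed accounting records in the detail-file layout quoted in this thread.
SAMPLE_DETAIL = """\
Fri Oct 20 11:07:59 2006
\tUser-Name = "anonymous@realm"
\tClass = 0x73657373696f6e2d30303031
\tAcct-Status-Type = Start
\tAcct-Session-Id = "15D003FA"

Fri Oct 20 11:19:02 2006
\tUser-Name = "anonymous@realm"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "15D003FB"
"""

# Assumption (constructed table): Class value issued at Access-Accept -> inner identity.
ISSUED = {"session-0001": "alice@realm"}

ATTR = re.compile(r"^\s*([\w:-]+)\s*=\s*(.*)$")

def parse_detail(text):
    """Return one dict per blank-line-separated detail record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"_when": lines[0].strip()}
        for line in lines[1:]:
            m = ATTR.match(line)
            if m:
                rec[m.group(1)] = m.group(2).strip().strip('"')
        records.append(rec)
    return records

def decode_class(value):
    """Class is opaque octets; detail files print it as 0x-prefixed hex."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:]).decode("utf-8", "replace")
    return value

def attribute_sessions(records, issued):
    """Pair each Acct-Session-Id with the inner identity, or None if untraceable."""
    resolved = []
    for rec in records:
        cls = rec.get("Class")
        user = issued.get(decode_class(cls)) if cls else None
        resolved.append((rec.get("Acct-Session-Id"), user))
    return resolved
```

A session that resolves to `None` is one whose accounting record cannot be tied to an authenticated user, which is the case worth alerting on when accounting data is used for user tracking.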


EAP and accounting

2006-10-20 Thread Angel L. Mateo
Hello,

I am developing my freeradius server (version 1.1.2) to use it in a WPA
wireless environment with EAP authentication.

Until this moment (without EAP) the accounting information collected by
freeradius is in the form:

- detail-MMDD:

Fri Oct 20 11:07:59 2006
User-Name = username@realm
NAS-Port = 2161
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = X.X.X.X
Class = 0x69636172756d
Calling-Station-Id = 172.18.201.166
Acct-Status-Type = Start
Acct-Session-Id = 15D003FA
Tunnel-Client-Endpoint:0 = 172.18.201.166
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = nas IP address
NAS-Port-Type = Virtual
Proxy-State = 0x323034
Client-IP-Address = client ip address
Acct-Unique-Session-Id = e43a1da655ba3ef3
Stripped-User-Name = username
Realm = realm
Timestamp = 1161335279

- auth-detail-MMDD:

Packet-Type = Access-Request
Fri Oct 20 11:10:14 2006
User-Name = username@realm
User-Password = 190482
NAS-Identifier = nas id
NAS-IP-Address = nas ip
Proxy-State = 0x323433
Client-IP-Address = client ip

But with EAP the files have the same form, but username is always
anonymous, because the real authentication is made through the tunnel
connection.

I want to know if there is any way to configure radius to log the real
username instead of anonymous in the log files.

Thanks.


-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica                  _(___V
Tfo: 968367590
Fax: 968398337




Re: EAP and accounting

2006-10-20 Thread Franck
Hi,

With which AP do you get these values? Because with my dlink DWL-2000+, EAP
works but I'm not getting all this info :(

Franck

-- 
http://www.linuxpourtous.com



RE: EAP and accounting

2006-10-20 Thread King, Michael
Yes.  It's possible.

Look in eap.conf. In each EAP section (TTLS and PEAP) this code snippet exists:

#  The reply attributes sent to the NAS are
#  usually based on the name of the user
#  'outside' of the tunnel (usually
#  'anonymous').  If you want to send the
#  reply attributes based on the user name
#  inside of the tunnel, then set this
#  configuration entry to 'yes', and the reply
#  to the NAS will be taken from the reply to
#  the tunneled request.
#
# allowed values: {no, yes}
use_tunneled_reply = no 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Angel L. Mateo
Sent: Friday, October 20, 2006 5:12 AM
To: FreeRadius users mailing list
Subject: EAP and accounting



Howto make eap-peap accounting

2005-08-19 Thread freeradius
Hello all

How do I make freeradius support eap-peap accounting?

Thank you.

