EAP-TTLS Accounting Bug

Sam Schultz djinn90 at gmail.com
Fri May 18 05:12:04 CEST 2007


I didn't see anything about it in the list of changes, but I was wondering
if this issue has been fixed in any recent releases (> 1.1.5)?

Quick summary of the problem is that the := operator wouldn't replace
the current anonymous outer identity for the User-Name attribute, but
rather would just add another User-Name attribute. All output then of
course used the anonymous identity, which isn't helpful in the least
for radius accounting, or user tracking.

> -----Original Message-----
> From: freeradius-users-bounces+jhubert=med-web.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+jhubert=med-web.com at lists.freeradius.org]
> On Behalf Of Sam Schultz
> Sent: Wednesday, March 14, 2007 7:14 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Re: RE : EAP-TTLS outer identity & accounting
>
> An entry like:
>
> DEFAULT         Realm == "test", Autz-Type := sql-test
>                 User-Name = "%{User-Name}"
>
> does add a new User-Name attribute with the proper value, but I need a
> way to delete the anonymous@ entry still, because I Access-Accepts like
> this:
>
> Sending Access-Accept of id 134 to 192.168.0.5 port 5190
>         User-Name := "anonymous at test"
>         User-Name := "test at test"
>
> Followed by Accounting-Requests that still contain the anonymous
> entry, so it is still using the oldest (first?) User-Name attribute. Is
> there any way at all to REMOVE already set attributes so they aren't
> re-sent to the NAS?
>
> For that matter, shouldn't the "use_tunneled_reply = yes" in the ttls
> module configuration have kept me from having this problem?
>
> I also have copy_request_to_tunnel set to yes, but I doubt that should
> be causing a problem like this.
>
> On Wed, 14 Mar 2007 13:03:21 -0500 Sam Schultz
> <segfault90 at hushmail.com> wrote:
> >On Wed, 14 Mar 2007 11:25:20 -0500 Thibault Le Meur
> ><Thibault.LeMeur at supelec.fr> wrote:
> >>> -----Original Message-----
> >>> From: freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org
> >>> [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org]
> >>> On Behalf Of Sam Schultz
> >>> Sent: Wednesday, 14 March 2007 17:13
> >>> To: freeradius-users at lists.freeradius.org
> >>> Subject: Re: EAP-TTLS outer identity & accounting
> >>>
> >>> On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok
> >>> <aland at deployingradius.com> wrote:
> >>> >Sam Schultz wrote:
> >>> >>
> >>> >> This should be solvable by adding something like 'User-Name =
> >>> >> %{User-Name}' to the DEFAULT entries in the users file,
> >>> >> correct?
> >>> >
> >>> >  Yes.
> >>>
> >>> One of my users file DEFAULT entries looks like this:
> >>>
> >>> DEFAULT         Realm == "test", Autz-Type := sql-test, User-Name = "%u"
> >>>
> >>> However, FreeRADIUS tells me this:
> >>>
> >>> Error: Invalid operator for item User-Name: reverting to '=='
> >>>
> >>> I assume I'm not supposed to forcibly change User-Name, so what
> >>> attribute would I set to return the correct username to the NAS?
> >>>
> >>> I know there is a run-time variable %{reply:User-Name}, would I
> >>> need to somehow update it with the correct value for User-Name
> >>> instead?
> >>
> >>Yes, by simply adding the User-Name = XXX to the reply items (that is to say
> >>not on the first line). Try something like this:
> >
> >This didn't make much sense at first, but I think I understand it now.
> >What you're saying is that the first line is only for check items,
> >which is why I couldn't set User-Name there. The second line and beyond
> >then are for, what? Reply items ONLY, or check & reply items? Is this
> >documented anywhere? I just did a quick check through the freeradius
> >doc directory, and only found a rlm_fastusers document which didn't
> >have anything to say about format restrictions.
> >
> >>
> >>DEFAULT         Realm == "test", Autz-Type := sql-test
> >>    User-Name=`%{User-Name}`
> >>
> >>HTH,
> >>Thibault
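
A check for the symptom reported in this message, added here as an example and not taken from the thread or from FreeRADIUS: it scans debug output of the shape quoted above for Access-Accept packets that carry more than one User-Name. The sample log is constructed from the quoted lines, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, in the debug-output shape quoted in the message above.
SAMPLE_LOG = '''\
Sending Access-Accept of id 134 to 192.168.0.5 port 5190
        User-Name := "anonymous at test"
        User-Name := "test at test"
Sending Access-Accept of id 135 to 192.168.0.5 port 5190
        User-Name := "test at test"
        Session-Timeout := 3600
'''

HEADER = re.compile(
    r'^Sending (?P<code>[\w-]+) of id (?P<id>\d+) to (?P<nas>\S+) port (?P<port>\d+)')
ATTR = re.compile(r'^\s+(?P<name>[\w-]+)\s*(?P<op>:=|\+=|==|=)\s*(?P<value>.*)$')

def parse_packets(text):
    """Yield (header fields, {attribute: [values]}) for each 'Sending ...' block."""
    header, attrs = None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if header:
                yield header, attrs
            header, attrs = m.groupdict(), defaultdict(list)
            continue
        a = ATTR.match(line)
        if a and header:
            attrs[a['name']].append(a['value'].strip().strip('"'))
        elif header:  # any non-attribute line closes the current block
            yield header, attrs
            header, attrs = None, None
    if header:
        yield header, attrs

def duplicate_user_names(text):
    """Return (packet id, NAS, User-Name values) for Access-Accepts with >1 User-Name."""
    hits = []
    for hdr, attrs in parse_packets(text):
        names = attrs.get('User-Name', [])
        if hdr['code'] == 'Access-Accept' and len(names) > 1:
            hits.append((int(hdr['id']), hdr['nas'], names))
    return hits

if __name__ == '__main__':
    for pkt_id, nas, names in duplicate_user_names(SAMPLE_LOG):
        print(f'id {pkt_id} to {nas}: {len(names)} User-Name attributes: {names}')
```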



