Inner identity in accounting logs

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Thu Feb 19 18:45:03 CET 2009



Arran Cudbard-Bell wrote:
> Alan DeKok wrote:
>> Jonathan Gazeley wrote:
>>> I'm running FreeRADIUS 2.1.1.
>>>
>>> My config block in the post-auth section of the inner-tunnel server
>>> currently reads:
>>>
>>>        update outer.reply {
>>>                User-Name := "testing-%{User-Name}"
>>>        }
>>>
>>>
>>> FR does indeed appear to be using this block:
>>   Just checking this again...
> 
>>>    expand: testing-%{User-Name} -> testing-jg4461
>>> ++[outer.reply] returns ok
>>>
>>> Authenticating with outer ID "qwerty99" and inner ID "jg4461" gives
>>> output as in the attached log, included to give context. The outer
>>> server is "uobresnet" and the inner one is still called "inner-tunnel".
>>   This works for me in the most recent git tree.  I set "outer.reply"
>> with a different User-Name, and I see it in the final reply.
> 
> Ok, I'll confirm that shortly...

Yep it works:

rad_recv: Access-Request packet from host 139.184.8.16 port 1024, id=90, length=312
	Framed-MTU = 1480
	NAS-IP-Address = 139.184.8.16
	NAS-Identifier = "hp-e-uscs-dev-h-sw1"
	User-Name = "anonymous at sussex.ac.uk"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-14-38-fb-94-00"
	Calling-Station-Id = "00-1f-5b-33-42-a1"
	Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "1"

[ttls] Got tunneled request
	User-Name = "ac221"
	User-Password = "***"
	FreeRADIUS-Proxied-To = 127.0.0.1

[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
	expand: %{Stripped-User-Name} -> ac221
++[outer.reply] returns noop
[ttls] Got tunneled reply code 2
[ttls] Got tunneled Access-Accept
[ttls] Saving response in the cache


++[eap] returns ok
++? if ("%{reply:User-Name}")
	expand: %{reply:User-Name} -> ac221
? Evaluating ("%{reply:User-Name}") -> TRUE
++? if ("%{reply:User-Name}") -> TRUE
++- entering if ("%{reply:User-Name}") {...}
	expand: %{reply:User-Name} -> ac221
+++[request] returns ok
+++- entering policy uidrewrite {...}
++++? if ("%{request:User-Name}")
	expand: %{request:User-Name} -> ac221
? Evaluating ("%{request:User-Name}") -> TRUE
++++? if ("%{request:User-Name}") -> TRUE
++++- entering if ("%{request:User-Name}") {...}
+++++? if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/)
	expand: %{request:User-Name} -> ac221
? Evaluating ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
+++++? if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
+++++- entering if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) {...}
	expand: %{1} -> ac221
++++++[request] returns ok
	expand: %{3} ->
	expand: %{%{3}:-sussex.ac.uk} -> sussex.ac.uk
++++++[request] returns ok
+++++- if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) returns ok
+++++ ... skipping else for request 20: Preceding "if" was taken
++++- if ("%{request:User-Name}") returns ok
+++- policy uidrewrite returns ok
	expand: %{Stripped-User-Name}@%{Stripped-User-Domain} -> ac221 at sussex.ac.uk
+++[reply] returns ok
++- if ("%{reply:User-Name}") returns ok


All good :)


That's with copy_request_to_tunnel = no

and

use_tunneled_reply = no

The complex looking stuff is just the server combining the outer domain
with the inner identity to produce a routeable, non-anonymised username
for the NAS to use in accounting packets...

Thanks,
Arran

--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
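The configuration that produces the debug output above, reconstructed as an added example (this is not Arran's posted config, only what the debug trace implies). The regex, the `%{%{3}:-sussex.ac.uk}` default, the `uidrewrite` policy name and the `Stripped-User-Name`/`Stripped-User-Domain` attributes are all taken from the trace; the file locations, the `eap` call in the outer post-auth section and the omitted `else` branch of the policy are assumptions. It assumes the TTLS settings the post names (`copy_request_to_tunnel = no`, `use_tunneled_reply = no`), so nothing from the inner reply reaches the NAS except the one attribute explicitly pushed into `outer.reply`.

```unlang
# policy.conf (assumed location): split "user@realm" into its two halves.
# If the realm is absent (%{3} expands to nothing) fall back to the home domain.
policy {
	uidrewrite {
		if ("%{request:User-Name}") {
			if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) {
				update request {
					Stripped-User-Name   := "%{1}"
					Stripped-User-Domain := "%{%{3}:-sussex.ac.uk}"
				}
			}
			# The trace shows an "else" here; its contents are not on the page, so
			# none is given in this example.
		}
	}
}

# sites-enabled/inner-tunnel (assumed location), post-auth section.
# Copy only the authenticated inner identity into the outer server's reply list.
post-auth {
	update outer.reply {
		User-Name := "%{Stripped-User-Name}"
	}
}

# Outer EAP virtual server (assumed location), post-auth section.
# "eap" finalises the Access-Accept from the cached inner reply, so the
# reply:User-Name set above is visible by the time the "if" runs.
post-auth {
	eap
	if ("%{reply:User-Name}") {
		# Make the inner identity the request User-Name so the policy can split it.
		update request {
			User-Name := "%{reply:User-Name}"
		}
		uidrewrite
		# Hand the NAS a routeable user@realm; it will use this in Accounting-Request packets
		# instead of the anonymous outer identity.
		update reply {
			User-Name := "%{Stripped-User-Name}@%{Stripped-User-Domain}"
		}
	}
}
```

With this in place an outer identity of `anonymous@sussex.ac.uk` and an inner identity of `ac221` yields a reply `User-Name` of `ac221@sussex.ac.uk`, exactly as the `+++[reply] returns ok` line shows. Note what the reply exposes: the inner identity leaves the TLS tunnel in the clear Access-Accept and then appears in the NAS's accounting records, which is the purpose here, but it means the outer anonymous identity no longer hides the user from the NAS or from anything that can see the RADIUS traffic between NAS and server. Check with `radiusd -X` that `update outer.reply` runs in the inner tunnel and that the outer `if ("%{reply:User-Name}")` evaluates TRUE; if the inner post-auth never fires (for example on a reject) the NAS keeps the anonymous name.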