Problem by Anonymous Identity.

Phil Mayers p.mayers at imperial.ac.uk
Mon Jul 16 18:19:50 CEST 2012


On 16/07/12 16:57, guillermo wrote:
> Hello friends:
> I wanted to help me solve a problem on my server freeradius criteria. To
> the point, what I need is to deny the use by clients of the option
> Anonymous Identity, for in the accounting server I recorded this and not

This is a bad idea. But, if you really want to do this:

authorize {

    ...
    if (User-Name =~ /^@/) {
        reject
    }
    ...

}

> the actual user hindering Trace connections.

Much better is to fix your RADIUS server so that it puts the correct 
User-Name in the REPLY, and your NAS should (if it complies with the 
RFCs) then use that User-Name in accounting packets.


The EAP methods should do this automatically, however you might have 
problems if you are doing EAP-TTLS/PAP or EAP-TTLS/MSCHAP because the 
inner method is not EAP.

We do this:

sites-enabled/inner-tunnel:

post-auth {
   if (!reply:User-Name) {
     update reply {
       User-Name := "%{User-Name}"
     }
   }
}

sites-enabled/default:

post-auth {

   ...
   if (reply:User-Name =~ /^(.+)@(.+)$/) {
     # reply contains user at realm

     # overwrite the realm with the one in the request
     # in case the far end has changed realm. This forces
     # routing symmetry
     update reply {
       User-Name := "%{1}@%{Realm}"
     }
   }

   elsif (reply:User-Name) {
     # reply contains bare user, no realm - add one
     update reply {
       User-Name := "%{reply:User-Name}@%{Realm}"
     }
   }

   else {
     # no reply username, use the one from the request
     update reply {
       User-Name := "%{User-Name}"
     }
   }
   ...

}


...ensure you have:

   use_tunneled_reply = yes

...in your eap.conf for this to work properly.

If your NAS doesn't send the reply User-Name back in accounting, throw 
it away and get a new one.


More information about the Freeradius-Users mailing list