Fwd: Re: Problem by Anonymous Identity.

guillermo gwilliam at uci.cu
Tue Jul 17 00:21:44 CEST 2012



-------- Original Message --------
Subject: 	Re: Problem by Anonymous Identity.
Date: 	Mon, 16 Jul 2012 18:07:46 -0400
From: 	guillermo <gwilliam at uci.cu>
To: 	freeradius-users at lists.freeradius.org



Thanks Phil for your quick response:
I tell you I did what you recommended, and the response in the Access-Accept travels with the original user, or with the user authenticating against LDAP; HOWEVER, the accounting process is registering the name specified in the 802.1X Anonymous Identity option of my client.
The user gwilliam is valid and the anonymous identity is lolooooo. Here is a log of the two processes, authentication and accounting; as you can see, in the accounting process the user that is registered is the one specified as the anonymous identity. I hope you understand all this mess.
----------------------------------------
AUTHENTICATION PROCESS
----------------------------------------
Sending Access-Accept of id 144 to 172.18.3.1 port 1812
	User-Name = "gwilliam"
	MS-MPPE-Recv-Key = 0x2d7f52eebec0c11ab59987210fb00e3fb2c65de7562bd7f350787496f25295a4
	MS-MPPE-Send-Key = 0x20907496a507061a2397283b24d6dbdf50096fb12110ec2d5838132f41244ed8
	EAP-Message = 0x034b0004
	Message-Authenticator = 0x00000000000000000000000000000000
Finished request 65.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 58 ID 137 with timestamp +6938
Cleaning up request 59 ID 138 with timestamp +6938
Cleaning up request 60 ID 139 with timestamp +6938
Cleaning up request 61 ID 140 with timestamp +6938

----------------------------------------
ACCOUNTING PROCESS
----------------------------------------
rad_recv: Accounting-Request packet from host 172.18.3.1 port 1812, id=42, length=296
	User-Name = "lolooooo"
	NAS-Port = 12292
	Framed-IP-Address = X.X.X.X
	NAS-Identifier = "NN1-Doc-04(S5300)"
	Acct-Status-Type = Interim-Update
	Acct-Delay-Time = 0
	Acct-Input-Octets = 0
	Acct-Output-Octets = 0
	Acct-Session-Id = "NN1-Doc000030000000045d8560000046"
	Acct-Authentic = RADIUS
	Acct-Session-Time = 16
	Acct-Input-Packets = 0
	Acct-Output-Packets = 0
	Acct-Input-Gigawords = 0
	Acct-Output-Gigawords = 0
	Event-Timestamp = "Jul 16 2012 18:15:07 EDT"
	NAS-Port-Type = Ethernet
	Calling-Station-Id = "XXXX XXXX XXXX"
	NAS-Port-Id = "slot=0;subslot=0;port=3;vlanid=4"
	Huawei-IPHost-Addr = "XXXXXXXX XXXXXXXX"
	Huawei-Input-Burst-Size = 0
	Huawei-Input-Average-Rate = 0
	Huawei-Output-Burst-Size = 0
	Huawei-Output-Average-Rate = 0
	Huawei-Priority = 4294901760
	Huawei-Connect-ID = 46
	NAS-IP-Address = 172.18.3.1
+- entering group preacct {...}
++[preprocess] returns ok
++? if (reply:User-Name =~ /^(.+)@(.+)$/)
     (Attribute reply:User-Name was not found)
++? elsif (reply:User-Name)
? Evaluating (reply:User-Name) ->  FALSE
++? elsif (reply:User-Name) ->  FALSE
++- entering else else {...}
	expand: %{User-Name} ->  lolooooo
+++[reply] returns ok
++- else else returns ok
[acct_unique] Hashing 'NAS-Port = 12292,Client-IP-Address = 172.18.3.1,NAS-IP-Address = 172.18.3.1,Acct-Session-Id = "NN1-Doc000030000000045d8560000046",User-Name = "lolooooo"'
[acct_unique] Acct-Unique-Session-ID = "0f129f7be1f9064a".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "lolooooo", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
+- entering group accounting {...}
[detail] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->  /var/log/freeradius/radacct/172.18.3.1/detail-20120716
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/172.18.3.1/detail-20120716
[detail] 	expand: %t ->  Mon Jul 16 18:10:18 2012
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
[radutmp] 	expand: /var/log/freeradius/radutmp ->  /var/log/freeradius/radutmp
[radutmp] 	expand: %{User-Name} ->  lolooooo
++[radutmp] returns ok
[sradutmp] 	expand: /var/log/freeradius/sradutmp ->  /var/log/freeradius/sradutmp
[sradutmp] 	expand: %{User-Name} ->  lolooooo
++[sradutmp] returns ok
[sql] 	expand: %{User-Name} ->  lolooooo
[sql] sql_set_user escaped user -->  'lolooooo'
[sql] 	expand: %{Acct-Input-Gigawords} ->  0
[sql] 	expand: %{Acct-Input-Octets} ->  0
[sql] 	expand: %{Acct-Output-Gigawords} ->  0
[sql] 	expand: %{Acct-Output-Octets} ->  0
[sql] 	expand:            UPDATE radacct           SET              framedipaddress = '%{Framed-IP-Address}',              acctsessiontime     = '%{Acct-Session-Time}',              acctinputoctets     = '%{%{Acct-Input-Gigawords}:-0}'<<  32 |                                    '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets    = '%{%{Acct-Output-Gigawords}:-0}'<<  32 |                                    '%{%{Acct-Output-Octets}:-0}'           WHERE acctsessionid = '%{Acct-Session-Id}'           AND username        = '%{SQL-User-Name}'           AND nasipaddress    = '%{NAS-IP-Address}' ->             UPDATE radacct           SET              framedipaddress = '10.3.9.110',              acctsessiontime     = '16',              acctinputoctets     = '0'<<  32 |                                    '0',              acctoutputoctets    = '0'<<  32 |                                    '0'           WHERE acctsessionid = 'NN1-Doc000030000000045d8560000046'           AND username        = 'lolooooo'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++? if (noop)
? Evaluating (noop) ->  FALSE
++? if (noop) ->  FALSE
[attr_filter.accounting_response] 	expand: %{User-Name} ->  lolooooo
  attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 42 to 172.18.3.1 port 1812
Finished request 2.
Cleaning up request 2 ID 42 with timestamp +28
Going to the next request
Ready to process requests.


On 07/16/2012 12:19 PM, Phil Mayers wrote:
>  On 16/07/12 16:57, guillermo wrote:
>>  Hello friends:
>>  I wanted you to help me solve a problem on my freeradius server. To
>>  the point, what I need is to deny the use by clients of the option
>>  Anonymous Identity, for in the accounting server I recorded this and not
>
>  This is a bad idea. But, if you really want to do this:
>
>  authorize {
>
>     ...
>     if (User-Name =~ /^@/) {
>         reject
>     }
>     ...
>
>  }
>
>>  the actual user, hindering tracing of connections.
>
>  Much better is to fix your RADIUS server so that it puts the correct
>  User-Name in the REPLY, and your NAS should (if it complies with the
>  RFCs) then use that User-Name in accounting packets.
>
>
>  The EAP methods should do this automatically, however you might have
>  problems if you are doing EAP-TTLS/PAP or EAP-TTLS/MSCHAP because the
>  inner method is not EAP.
>
>  We do this:
>
>  sites-enabled/inner-tunnel:
>
>  post-auth {
>    if (!reply:User-Name) {
>      update reply {
>        User-Name := "%{User-Name}"
>      }
>    }
>  }
>
>  sites-enabled/default:
>
>  post-auth {
>
>    ...
>    if (reply:User-Name =~ /^(.+)@(.+)$/) {
>      # reply contains user at realm
>
>      # overwrite the realm with the one in the request
>      # in case the far end has changed realm. This forces
>      # routing symmetry
>      update reply {
>        User-Name := "%{1}@%{Realm}"
>      }
>    }
>
>    elsif (reply:User-Name) {
>      # reply contains bare user, no realm - add one
>      update reply {
>        User-Name := "%{reply:User-Name}@%{Realm}"
>      }
>    }
>
>    else {
>      # no reply username, use the one from the request
>      update reply {
>        User-Name := "%{User-Name}"
>      }
>    }
>    ...
>
>  }
>
>
>  ...ensure you have:
>
>    use_tunneled_reply = yes
>
>  ...in your eap.conf for this to work properly.
>
>  If your NAS doesn't send the reply User-Name back in accounting, throw
>  it away and get a new one.
>  -
>  List info/subscribe/unsubscribe? See
>  http://www.freeradius.org/list/users.html
>
>  10th ANNIVERSARY OF THE FOUNDING OF THE UNIVERSIDAD DE LAS CIENCIAS
>  INFORMATICAS...
>  CONNECTED TO THE FUTURE, CONNECTED TO THE REVOLUTION
>
>  http://www.uci.cu
>  http://www.facebook.com/universidad.uci
>  http://www.flickr.com/photos/universidad_uci

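The accounting log above shows why an anonymous outer identity matters for traceability: the NAS wrote the 802.1X anonymous identity, not the accepted user, into every accounting attribute (User-Name, radutmp, the radacct SQL row). The following is an added example, not code from this thread or from the FreeRADIUS project. It parses FreeRADIUS "detail" accounting files in the layout referenced in the log (a timestamp line, tab-indented "Attribute = value" lines, blank-line separator), flags sessions whose accounting User-Name differs from the identity the server accepted for that station, and mirrors in plain Python the three branches of the post-auth User-Name policy quoted above so they can be exercised with concrete inputs. The sample records, MAC addresses and the station-to-accepted-user map are constructed; in a real deployment that map would be built from the server's own Access-Accept log (post-auth data), which is an assumption of the example rather than something the thread describes.

```python
"""
Added example (not from the thread or the FreeRADIUS project).

1. parse_detail(): parse a FreeRADIUS 'detail' accounting file.
2. find_mismatched_sessions(): flag sessions whose accounting User-Name is not
   the identity the server returned in Access-Accept for the same station.
3. looks_anonymous(): cheap pattern check for common anonymous outer identities
   (shows why pattern matching alone misses a custom identity like 'lolooooo').
4. reply_user_name(): plain-Python mirror of the post-auth policy's branches.

Assumptions: detail-file layout as described above; all sample data below is
constructed; ACCEPTED_BY_STATION is assumed to come from the Access-Accept log.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample detail file: three sessions from one NAS.
SAMPLE_DETAIL = """\
Mon Jul 16 18:10:18 2012
\tUser-Name = "lolooooo"
\tNAS-IP-Address = 172.18.3.1
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "SESSION-A"
\tCalling-Station-Id = "00-11-22-33-44-55"

Mon Jul 16 18:12:05 2012
\tUser-Name = "bob"
\tNAS-IP-Address = 172.18.3.1
\tAcct-Status-Type = Start
\tAcct-Session-Id = "SESSION-B"
\tCalling-Station-Id = "66-77-88-99-AA-BB"

Mon Jul 16 18:13:40 2012
\tUser-Name = "anonymous@example.org"
\tNAS-IP-Address = 172.18.3.1
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "SESSION-C"
\tCalling-Station-Id = "CC-DD-EE-FF-00-11"
"""

# Constructed: Calling-Station-Id -> User-Name the server put in Access-Accept.
ACCEPTED_BY_STATION: Dict[str, str] = {
    "00-11-22-33-44-55": "gwilliam",
    "66-77-88-99-AA-BB": "bob",
    "CC-DD-EE-FF-00-11": "carol",
}

# Indented 'Attribute = value' line inside a record.
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split a detail file into one dict per accounting record."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if not line.strip():                      # blank line closes a record
            if current:
                records.append(current)
                current = None
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            name, value = m.groups()
            current[name] = value.strip().strip('"')
        elif not line[0].isspace():               # unindented line = timestamp
            current = {"_timestamp": line.strip()}
    if current:
        records.append(current)
    return records


def find_mismatched_sessions(records: List[Dict[str, str]],
                             accepted: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (session id, accounting name, accepted name) for every record
    whose User-Name differs from what was accepted for that station."""
    problems = []
    for rec in records:
        expected = accepted.get(rec.get("Calling-Station-Id", ""))
        actual = rec.get("User-Name", "")
        if expected is not None and actual != expected:
            problems.append((rec.get("Acct-Session-Id", ""), actual, expected))
    return problems


def looks_anonymous(name: str) -> bool:
    """True for the usual anonymous outer-identity shapes ('', '@realm',
    'anonymous', 'anonymous@realm'). A custom string is not detected here."""
    if not name or name.startswith("@"):
        return True
    return name.split("@", 1)[0].lower() == "anonymous"


def reply_user_name(request_user: str, reply_user: Optional[str], realm: str) -> str:
    """Mirror of the quoted post-auth policy: user@realm keeps the user and
    takes the request's realm; a bare user gets the realm appended; no reply
    User-Name falls back to the request User-Name."""
    m = re.match(r"^(.+)@(.+)$", reply_user or "")
    if m:
        return f"{m.group(1)}@{realm}"
    if reply_user:
        return f"{reply_user}@{realm}"
    return request_user


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    for sid, actual, expected in find_mismatched_sessions(recs, ACCEPTED_BY_STATION):
        flag = "pattern" if looks_anonymous(actual) else "correlation-only"
        print(f"{sid}: accounting '{actual}' != accepted '{expected}' ({flag})")
```

Running it reports SESSION-A and SESSION-C as mismatched; only SESSION-C would also be caught by the pattern check, which is the practical point: once a supplicant can choose any outer identity, accounting records can only be trusted if they are correlated against what the server actually accepted, or if the NAS honours the User-Name returned in the Access-Accept.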
