User-Name missing realm in Access-Accept
A.L.M.Buxey at lboro.ac.uk
Wed Aug 12 17:41:58 CEST 2015
Hi,
> FreeRADIUS Version 2.1.12
first advice - upgrade to at least 2.2.9
> It has been brought to my attention that my FreeRadius servers are
> responding to proxied requests from eduroam without the suffix portion
> of the user name. This is causing accounting issues for other
> institutions.
yep.... but the code you have added would do something worse and expose
the real inner user-name of the user, therefore totally destroying the
point of anonymous outerid and revealing who they really are to the
site they are at. breaking privacy/anonymity. IF their outer-id already
has their details e.g. user1@realm.com - then you can reply with that...but
if their outerid is just anonymous@realm.com or just @realm.com then
you need to reply with that in the outer-id
> I see the Access-Accept messages going out, without the suffix:
>
> Sending Access-Accept of id 62 to 142.231.112.1 port 53243
> MS-MPPE-Recv-Key =
> 0xd720476081b3ec7b8f7529a32f4c2c06f786a2c39aa888c7f157784db7673b47
> MS-MPPE-Send-Key =
> 0x593de7fcae5ba512dec5d348b4500dea9ba73044c2c68ee661f7214a073377dd
> EAP-Message = 0x030b0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "user1"
> Proxy-State = 0x4f53432d457874656e6465642d49643d3138323338
probably because in the inner-id they only have their username without the
realm anyway? update the reply in outer-id post-auth - looking at
original request there...and ensuring you don't break what they as users chose to
have configured
alan
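
A log check for the problem discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it pairs each Access-Accept in `radiusd -X` style debug output with the Access-Request it answers and flags a reply User-Name that lacks a realm or differs from the outer identity. The sample log is constructed (the request header format and tab-indented attribute lines are assumptions), and `audit` is a hypothetical name.

```python
import re

REQ = re.compile(r"rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
ACC = re.compile(r"Sending Access-Accept of id (\d+) to (\S+) port (\d+)")
USER = re.compile(r'^\s+User-Name = "([^"]*)"')

def audit(log_text):
    """Return (packet key, outer id, reply User-Name, problem) per bad Access-Accept."""
    outer = {}              # (host, port, id) -> outer identity from the Access-Request
    findings = []
    key = kind = None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            key, kind = (m.group(1), m.group(2), m.group(3)), "request"
            continue
        m = ACC.search(line)
        if m:
            key, kind = (m.group(2), m.group(3), m.group(1)), "accept"
            continue
        if not line[:1].isspace():
            key = None      # module chatter: attributes after it are not packet attributes
            continue
        m = USER.match(line)
        if not m or key is None:
            continue
        name = m.group(1)
        if kind == "request":
            outer[key] = name
        elif "@" not in name:
            findings.append((key, outer.get(key), name, "realm missing"))
        elif key in outer and name != outer[key]:
            findings.append((key, outer[key], name, "differs from outer identity"))
    return findings

# Constructed sample: outer identity is anonymous, the reply carries the bare inner name.
SAMPLE = '''rad_recv: Access-Request packet from host 142.231.112.1 port 53243, id=62, length=190
\tUser-Name = "anonymous@realm.com"
\tEAP-Message = 0x020b0004
[peap] Got tunneled request
\tUser-Name = "user1"
Sending Access-Accept of id 62 to 142.231.112.1 port 53243
\tEAP-Message = 0x030b0004
\tUser-Name = "user1"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A reply of `user1@realm.com` to the same request is reported as "differs from outer identity", which is the disclosure case described in the reply above.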