Accounting Packets and Anonymous Identity

Brian Candler b.candler at pobox.com
Sun Feb 5 12:12:33 CET 2017


On 05/02/2017 04:14, Selahattin Cilek wrote:
> That is what I wanted to know, thank you. The NAS is a Unifi AP and does
> not let me configure EAP behaviour. It is not very successful in RADIUS
> accounting. Since I can't make the NAS behave the way I want, my only
> option is to configure RADIUS to the best of my ability.

I have a test unifi AP (AC Lite) here, and I've set it up with EAP to 
demonstrate.

I think what you're trying to say is: if the user logs in with inner 
username 'bob', but sets the outer identity to 'foobar', then 'foobar' 
is what appears in the accounting packets from the AP.

Sun Feb  5 10:55:08 2017
     Acct-Session-Id = "000001D2-00000000"
     Acct-Status-Type = Start
     Acct-Authentic = RADIUS
     User-Name = "foobar"
     NAS-Identifier = "44d9e7fc6010"
     NAS-Port = 0
     Called-Station-Id = "46-D9-E7-FD-60-10:NSRCauth"
     Calling-Station-Id = "F8-E0-79-39-9E-6C"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     NAS-IP-Address = 100.64.2.1
     Event-Timestamp = "Feb  5 2017 10:55:08 UTC"
     Tmp-String-9 = "ai:"
     Acct-Unique-Session-Id = "ca73e0836069597eb01dd8026bd8ffaa"
     Timestamp = 1486292108

Most clients provide "anonymous" as the outer identity, so that's what 
you're seeing.

It can be argued that using the outer identity in accounting packets is 
reasonable behaviour. After all, the whole reason the client chose 
"anonymous" was so that a network sniffer could not see their real 
identity. If the NAS included the real identity in accounting packets, 
then a sniffer would see it.

But you want some way to tie these accounting packets back to the *real* 
username. As others have already said, the generic RADIUS solution is to 
add a Class attribute to the response, containing the real username (or 
indeed, any other string that you like):

bob     Cleartext-Password := "hello"
         Reply-Message := "Hello, %{User-Name}",
         Class := "bob"

You have to edit sites/inner-tunnel so that these attributes are copied 
from inner to outer. Depending on the freeradius version you have, 
you'll have to uncomment two update sections, or convert "if (0)" to 
"if (1)". If it's a very old freeradius then you have to set 
"use_tunneled_reply = yes".

Use tcpdump to check that the changes have worked, i.e. the new 
attribute appears in the Access-Accept packet:

11:06:46.165135 IP (tos 0x0, ttl 64, id 18465, offset 0, flags [none], 
proto UDP (17), length 206)
     100.64.2.2.1812 > 100.64.2.1.55465: RADIUS, length: 178
     Access-Accept (2), id: 0x42, Authenticator: 
382e45db7e4da3af6b004d97c7ec81bc
       Vendor-Specific Attribute (26), length: 58, Value: Vendor: 
Microsoft (311)
         Vendor Attribute: 17, Length: 50, Value: 
.$.c.?./7......$n.T5HQ..........D...^..._....:...@
       Vendor-Specific Attribute (26), length: 58, Value: Vendor: 
Microsoft (311)
         Vendor Attribute: 16, Length: 50, Value: 
..8.1)V.C.;..W....}..f....e...#.g.9TJr..<.....&F..
       EAP-Message Attribute (79), length: 6, Value: ..
       Message-Authenticator Attribute (80), length: 18, Value: . 
.... at .U..6...[
       User-Name Attribute (1), length: 8, Value: foobar
       Class Attribute (25), length: 5, Value: bob
       User-Name Attribute (1), length: 5, Value: bob

And then check your accounting packets:

Sun Feb  5 11:06:46 2017
         Acct-Session-Id = "000001D2-00000004"
         Acct-Status-Type = Start
         Acct-Authentic = RADIUS
         User-Name = "foobar"
         NAS-Identifier = "44d9e7fc6010"
         NAS-Port = 0
         Called-Station-Id = "46-D9-E7-FD-60-10:NSRCauth"
         Calling-Station-Id = "F8-E0-79-39-9E-6C"
         NAS-Port-Type = Wireless-802.11
         Connect-Info = "CONNECT 0Mbps 802.11b"
         Class = 0x626f62
         NAS-IP-Address = 100.64.2.1
         Event-Timestamp = "Feb  5 2017 11:06:46 UTC"
         Tmp-String-9 = "ai:"
         Acct-Unique-Session-Id = "6cb560fb2afbeb6d08a819cc2782a824"
         Timestamp = 1486292806

62 6f 62 = "b" "o" "b"

Regards,

Brian.
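As an added example (not code from the post or from the FreeRADIUS project), here is a small Python parser for detail-file records like the one above that decodes the hex-logged Class attribute back into the real username and pairs it with the outer identity. The sample records are constructed, and the script assumes Class holds a UTF-8 username as in the users entry above.

```python
import re
# Constructed sample in FreeRADIUS "detail" format, modelled on the post's
# accounting record; the second session is made up and carries no Class.
SAMPLE_DETAIL = """\
Sun Feb  5 11:06:46 2017
\tAcct-Session-Id = "000001D2-00000004"
\tUser-Name = "foobar"
\tCalling-Station-Id = "F8-E0-79-39-9E-6C"
\tClass = 0x626f62

Sun Feb  5 11:20:01 2017
\tAcct-Session-Id = "000001D2-00000005"
\tUser-Name = "anonymous"
"""
# Indented "Name = value" lines; the unindented date line starts a new record.
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")

def parse_detail(text):
    """Return one dict of attributes per record in a detail file."""
    records, current = [], {}
    for line in text.splitlines():
        match = ATTR_RE.match(line)
        if match is None:                # blank line or record header
            if current:
                records.append(current)
            current = {}
            continue
        name, value = match.groups()
        current[name] = value.strip('"')
    if current:
        records.append(current)
    return records

def decode_class(value):
    """Decode the 0x-hex form FreeRADIUS logs for the opaque Class octets.
    Assumes the server stored a UTF-8 username; None if undecodable."""
    if not value.startswith("0x"):
        return value
    try:
        return bytes.fromhex(value[2:]).decode("utf-8")
    except ValueError:                   # bad hex or non-UTF-8 bytes
        return None

def real_identities(text):
    """Map Acct-Session-Id -> (outer User-Name, real identity or None)."""
    result = {}
    for rec in parse_detail(text):
        real = decode_class(rec["Class"]) if "Class" in rec else None
        result[rec.get("Acct-Session-Id")] = (rec.get("User-Name"), real)
    return result
```

A session with no Class (the inner-tunnel copy not enabled, or a non-EAP client) comes back with None, so it is easy to spot records that cannot be tied to a real user.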
