How to Reject Anonymous Identity

Alan DeKok aland at
Fri Nov 2 18:49:55 CET 2018

On Nov 2, 2018, at 1:32 PM, Selahattin Cilek <selahattin_cilek at> wrote:
> So Is the MySQL stored procedure approach is my best option? Is there 
> not a way to check the inner identity against the outer identity?

   Yes.  See raddb/policy.d/filter

   Or, run the server in debug mode as suggested everywhere... you will see it compare inner to outer identity.

> I do care because:
> 1. The Unifi APs that are employed on the site sometimes allow multiple 
> access from laptops to the network despite that fact that 
> "Simultaneous-Use" is set to "1" for every user in the database and I 
> suspect that is somehow connected with the cursed anonymous identity.

  Don't *suspect*.  Run the server in debug mode, and *learn*.

   Trying random things to "fix" a problem is just a waste of time.  You need to *understand* what it's doing, and how the configuration works.  That lets you come up with a solution.

> To 
> illustrate, some users can first log in on their Android phones and then 
> leave the laptop open, which tries to log in again and again and some 
> time later, somehow, are connected to the network. As if that is not 
> enough, I receive no accounting packets for the laptop.

  Simultaneous-Use need accounting packets...

  If you go to the Wiki and search for "Simultaneous-Use", you'll see a FAQ entry which says this.

> There is one 
> particular user that confessed to once having downloaded 150GBs a night 
> from his laptop. He does that almost every night. My goal is to 
> distribute the connectivity and fairly as possible.

  Then fix the NAS so that it sends accounting packets.

  No amount of poking FreeRADIUS will magically have it know what the users doing.  Especially if the NAS isn't sending accounting packets.

> 2. The Unifi APs do not know what is going on the FreeRADIUS server and 
> send back accounting packages that contain lines like "User-Name: 
> anonymous" or "User-Name: some_garbage"; that is why I use the "Class" 
> attribute to circumvent this problem.

  Which is why the default config sends the *inner* username in the Access-Accept.  The NAS is *supposed* to use this User-Name in all accounting packets.

  If you use Class, you can just set "Class" to the inner User-Name.

  Or even better, reject *all* users where the outer User-Name is not the same as the outer User-Name,

  Again, running the server in debug mode and *reading* the output will tell you exactly how to do this.

> I do not want to have to 
> circumvent anything. I want everything to be correct and in place.
> 3. This is a public and *FREE* network. The users do not have the luxury 
> of remaining anonymous. If they want to remain anonymous, they can buy 
> one of those LTE packages.

  99% of what you want to do is documented either in the Wiki or is visible in the debug output.

  It just takes *reading* the debug output.  And not trying random things.  That's a waste of time.

  Alan DeKok.

More information about the Freeradius-Users mailing list