How to Reject Anonymous Identity

Alan Buxey alan.buxey at
Fri Nov 2 19:37:53 CET 2018


You are authenticating them, so you see their inner username and thus whatever
they have in their outer ID is of no consequence.

Let them use whatever they like in their outer ID, as it's the inner ID that matters and
what you use for policies.

For simultaneous use checks the server, by default, will be using
accounting info; thus you need to send info back to the NAS that can be
used in the accounting sessions, and policy designed around that.

But you say this is a free network... What is wrong with a user having a
phone and a laptop? It's pretty common these days for a user to have 2 (or
more!) devices *and* user experience/expectations are to be able to use them
all (in fact, they may have to, doing e.g. something on their phone but then
having to get their laptop out to complete the task).


On Fri, 2 Nov 2018, 17:50 Alan DeKok <aland at wrote:

> On Nov 2, 2018, at 1:32 PM, Selahattin Cilek <selahattin_cilek at>
> wrote:
> > So is the MySQL stored procedure approach my best option? Is there
> > not a way to check the inner identity against the outer identity?
>    Yes.  See raddb/policy.d/filter
>    Or, run the server in debug mode as suggested everywhere... you will
> see it compare inner to outer identity.
> > I do care because:
> > 1. The Unifi APs that are employed on the site sometimes allow multiple
> > access from laptops to the network despite the fact that
> > "Simultaneous-Use" is set to "1" for every user in the database and I
> > suspect that is somehow connected with the cursed anonymous identity.
>   Don't *suspect*.  Run the server in debug mode, and *learn*.
>    Trying random things to "fix" a problem is just a waste of time.  You
> need to *understand* what it's doing, and how the configuration works.
> That lets you come up with a solution.
> > To
> > illustrate, some users can first log in on their Android phones and then
> > leave the laptop open, which tries to log in again and again and some
> > time later, somehow, are connected to the network. As if that is not
> > enough, I receive no accounting packets for the laptop.
>   Simultaneous-Use needs accounting packets...
>   If you go to the Wiki and search for "Simultaneous-Use", you'll see a
> FAQ entry which says this.
> > There is one
> > particular user that confessed to once having downloaded 150GBs a night
> > from his laptop. He does that almost every night. My goal is to
> > distribute the connectivity as fairly as possible.
>   Then fix the NAS so that it sends accounting packets.
>   No amount of poking FreeRADIUS will magically have it know what the
> users are doing.  Especially if the NAS isn't sending accounting packets.
> > 2. The Unifi APs do not know what is going on the FreeRADIUS server and
> > send back accounting packages that contain lines like "User-Name:
> > anonymous" or "User-Name: some_garbage"; that is why I use the "Class"
> > attribute to circumvent this problem.
>   Which is why the default config sends the *inner* username in the
> Access-Accept.  The NAS is *supposed* to use this User-Name in all
> accounting packets.
>   If you use Class, you can just set "Class" to the inner User-Name.
>   Or even better, reject *all* users where the outer User-Name is not the
> same as the outer User-Name,
>   Again, running the server in debug mode and *reading* the output will
> tell you exactly how to do this.
> > I do not want to have to
> > circumvent anything. I want everything to be correct and in place.
> > 3. This is a public and *FREE* network. The users do not have the luxury
> > of remaining anonymous. If they want to remain anonymous, they can buy
> > one of those LTE packages.
>   99% of what you want to do is documented either in the Wiki or is
> visible in the debug output.
>   It just takes *reading* the debug output.  And not trying random
> things.  That's a waste of time.
>   Alan DeKok.
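One way to implement what Alan DeKok describes (reject when the outer User-Name differs from the inner one, and hand the NAS the inner User-Name plus a Class it can echo in accounting so Simultaneous-Use has something to key on), as an added example that is not from this thread or from the FreeRADIUS distribution. It assumes FreeRADIUS 3.x unlang placed in the post-auth section of the inner-tunnel virtual server; the server's own shipped check is the one in raddb/policy.d/filter referred to above.

```unlang
#  Added example, not from the thread or from the FreeRADIUS distribution.
#  Assumes FreeRADIUS 3.x and that this runs in the "inner-tunnel" virtual
#  server, where &outer.request:* refers to the outer (EAP) Access-Request.
post-auth {
	#  The outer identity must equal the authenticated inner identity.
	#  This also rejects supplicants that send the usual "anonymous@realm"
	#  outer identity, which is exactly what the original poster wants.
	if (&outer.request:User-Name != &User-Name) {
		update reply {
			&Reply-Message := "Outer identity must match inner identity"
		}
		reject
	}

	#  Put the inner User-Name and a Class into the outer Access-Accept.
	#  A NAS that echoes these in Accounting-Request packets lets
	#  Simultaneous-Use and per-user policy key on the real user instead
	#  of "anonymous" or garbage from the outer identity.
	update outer.reply {
		&User-Name := &User-Name
		&Class     := &User-Name
	}
}
```

Run the server with `radiusd -X` to confirm in the debug output that the inner-tunnel post-auth section fires and that the Access-Accept carries the inner User-Name and Class.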
