RES: Incorrect username being registered by freeradius
alan.buxey at gmail.com
Tue Jun 23 19:11:53 CEST 2020
> FIRST: for the problem of outer username being different from inner-tunnel.
> Is it possible do something like this?
> IF inner-tunnel-username <> outer-username
> Set outer-username equal to inner-tunnel-username
> Can this solution cause crazy inserts at the radacct table or cause the user to be denied access to wifi?
the inner username, if different to the outer, is usually for
privacy/anonymity - you don't want to expose the inner username to the
NAS - and doing so may break EAP anyway. this is where you would
probably want to use eg CUI (Chargeable User Identity) in your
Access-Accept packet - and then use the CUI for the accounting packets.
> SECOND: for the problem of mac address being registered at radacct table:
first, try looking at the NAS configuration and checking if you can
adjust how it does the Acct update packets. I guess your Acct start
packet is fine, it's the account update that is being borked. maybe
related to any mobility option your NAS platform has?
> I will try to create some check at username for account packets like this:
> IF username is equal to calling-station-id(in lowercase and without "-")
> Then set username to (select username from radacct where calling-station-id = 'MAC' and username <> 'wrong mac string' limit 1;)
you could do something like that but it's a big hit on the DB. you
already know the CSI from the first successful authentication as this
data so you might want to record that key pair in a simple REDIS/etc
DB instead rather than hitting the live accounting tables.
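
The key-pair cache suggested in the reply above, as an added example that is not part of the original message or of FreeRADIUS itself: it records the Calling-Station-Id to User-Name pair at successful authentication and repairs accounting packets whose User-Name is just the MAC. Assumptions: a plain dict stands in for the Redis store, and `normalize_mac`, `SessionIdentityCache`, `record_auth` and `fix_accounting` are hypothetical names.

```python
import re
import time

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    stripped = re.sub(r"[-:.\s]", "", value or "").lower()
    return stripped if _HEX12.match(stripped) else None


class SessionIdentityCache:
    """In-memory stand-in (assumption) for a Redis set-with-expiry / get store."""

    def __init__(self, ttl_seconds=86400, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._store = {}  # normalized MAC -> (username, expires_at)

    def record_auth(self, username, calling_station_id):
        """Call after a successful authentication (Access-Accept)."""
        mac = normalize_mac(calling_station_id)
        # Refuse to cache a MAC-shaped identity, so a bad packet cannot poison the map.
        if mac is None or not username or normalize_mac(username) is not None:
            return False
        self._store[mac] = (username, self._clock() + self._ttl)
        return True

    def fix_accounting(self, packet):
        """Return a copy of the accounting packet, repairing User-Name if it is the MAC."""
        mac = normalize_mac(packet.get("Calling-Station-Id"))
        if mac is None or normalize_mac(packet.get("User-Name")) != mac:
            return dict(packet)  # User-Name is not the MAC: leave it alone
        entry = self._store.get(mac)
        if entry is None or entry[1] <= self._clock():
            self._store.pop(mac, None)
            return dict(packet)  # no fresh mapping: do not guess an identity
        fixed = dict(packet)
        fixed["User-Name"] = entry[0]
        return fixed
```

The cached identity stays on the RADIUS server side and is never sent back to the NAS, so the outer/inner privacy split discussed earlier in the thread is unaffected.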