How does CUI works? How does anonymous works? Im lost

Alan DeKok aland at
Wed Jun 24 15:13:14 CEST 2020

On Jun 24, 2020, at 9:01 AM, Daniel Guimaraes Pena <daniel.pena at> wrote:
> I'm facing hard times trying to understand how radius auth Works. Every time I think I understood, a new problem appears and mass with my head.

  It's very complex.  There are many, many, moving parts to RADIUS authentication.

  There's a lot of explanation on our corporate site:

  We're also working on updating the main FreeRADIUS site with lots more documentation.

> Reading files, I saw that inner tunnel username can be different from outer username due to privacy. But, in those cases, outer username must be an anonymous username, otherwise, it might be spoofing.

  Yes.  That's the recommendation.  But not everyone does that.

> What happens in my logs is NOT anonymous. Some devices (always android) send username as a number and for inner-tunnel, the real username. One problem is that this number is different for each user, but it never change, like user01, his number will always be the same for him, but differs from user02. So, I cant use filter username.

  Then you don't have rules which depend on the outer name.  The rules should depend on the inner name.

> So, searching e-mails, I found some update outer.reply stuff (and some other things) to put in post-auth, but had no success.

  What does that mean?  "I tried stuff and it didn't work".

> So, until now, I have this (real usernames):
> User joao.bosco will connect to wifi, so he enables wifi in his device.
> Then, the first request come with this username: User-Name = "321457" (and for him, always the same)
> So, freeradius goes on, create inner tunnel and his real username appears:

  Not quite "create".  It's set up via a TLS connection.  The users machine sends the inner tunnel data to FreeRADIUS.

> (224) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
> (224) sql:    --> joao.bosco
> (224) sql: SQL-User-Name set to 'joao.bosco'
> (224) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
> (224) sql:    --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
> (224) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
> Here, it checks for simultaneous sessions. This part is ok.


> Then, freeradius goes on, and things I found in my searches appears to work (outer.reply stuff):
> (224)       update outer.reply {
> (224)         User-Name := &request:User-Name -> 'joao.bosco'
> (224)       } # update outer.reply = noop
> (224)     } # post-auth = ok

   You should probably instead do:

	update outer.state {
		User-Name := &request:User-Name 

  Which means "track the user name across multiple packets".  When you do "update outer.reply", it just updates *this* reply.  Not the final Access-Accept, which may be many packets later.

> This part:
> (225)   post-auth {
> (225)     update {
> (225)       No attributes updated
> (225)     } # update = noop
> I thought put something here to update username... but then: "from where could I pick the right one?" No clue.

  Is that the *outer* post-auth section?

  You should read sites-enabled/default, and look for "TTLS and PEAP" in the post-auth section.  The comments there are for exactly this situation.

  If you don't have those comments, upgrade to the most recent version of the server.  Or, look on GitHub for the default configuration.

> And here comes the Access-Accept:
> (225) Sent Access-Accept Id 128 from to length 0
> (225)   MS-MPPE-Recv-Key = 0x64f41978c0fde374a2b11308204593aed2e7feba32223cdcd5dbec47c0c80593
> (225)   MS-MPPE-Send-Key = 0xd71b8e63dce5a856f8e77f0f86fc9459bd07f8130dbc72a001f6431043ec29aa
> (225)   EAP-Message = 0x03cc0004
> (225)   Message-Authenticator = 0x00000000000000000000000000000000
> (225)   User-Name = "321457"
> Wrong username again.

  Yes.  Because the debug log shows the User-Name being sent in an earlier Access-Challenge.

> In another e-mail, somebody told me to use CUI. I read all documentation, but I simply did not understand. What it will do? I need to register at radacct the real username...

  Don't bother with CUI.

> It appears that the more a read, the less I understand... I have android and I don't even know how to configure it to create this scenario with 2 different usernames ...

  Most third-party web sites are confusing or wrong.  Much advice about FreeRADIUS is confusing or wrong.

  The FreeRADIUS documentation, wiki, and the corporate site above are correct. And even pretty clear most of the time.

  Alan DeKok.

More information about the Freeradius-Users mailing list