Stefan Winter <stefan.winter@restena.lu> wrote:
since quite a while, there's an implementation of Chargeable-User-Identity in the works by people of eduroam R&D (inside the GEANT3 project).
Attached is the most recent implementation. We hope that it is worthy of inclusion into the mainline release now: it's a small set of new files (modules/cui, SQL schema definitions) and a few stand-in replacements that augment some shipped files (policy.conf, sites-available/*).
From my perspective, Chargeable-User-Identity is something that should
be logged with the 'custom' SQL logging rules being used. Slipping it into a separate table, somehow feels weird; I guess that's what makes me a packet-pusher and someone else a database guru :) Some passing comments, before I show what I do for CUI: * I thought Client-IP-Address was deprecated and we all should be using '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' * section 2.1 of RFC 4372 lets you be awkward about mis-matching CUI's and offers you the option to Reject :) * not too sure about the outer.request bits. It seems cleaner to get the inner layer to return just the User-Name to the outer layer, the outer layer can then add the CUI bits (as if it was a non-EAP request) and trim the User-Name in the reply packet before it sends out the Access-Accept * I never thought to add Operator-Name as part of the hash key for CUI, noted for myself, ta * not sure about even having cui_require_operator_name as the user's realm would tell you who you need to pester surely? My approach is a bit more softly-softly (although I will admit it has not had any field testing), most of the brains is here in policy.conf: ---- cui { if (Realm == "%{config:local.MY.realm}") { update control { # md5(cui_hash_key + user@realm) Chargeable-User-Identity := "%{md5:%{config:local.MY.cui_hash_key}%{tolower:%{%{reply:User-Name}:-%{request:User-Name}}}}" } if ((request:Chargeable-User-Identity)) { update reply { Chargeable-User-Identity := "%{control:Chargeable-User-Identity}" } if (request:Chargeable-User-Identity != "\\000") { if (request:Chargeable-User-Identity != reply:Chargeable-User-Identity) { update reply { Reply-Message := "CUI Mismatch" } reject } } } else { update request { Chargeable-User-Identity := "%{control:Chargeable-User-Identity}" } } ok } noop } ---- The for internal clients I have something like[1]: ---- post-auth { update reply { Operator-Name := "1%{config:local.MY.realm}" } cui [snipped policy] [snipped logging] } accounting { [snipped logging] cui [snipped logging] } pre-proxy { if (Packet-Type != "Accounting-Request") { update proxy-request { Service-Type := Authenticate-Only Chargeable-User-Identity := "\\000" } } update proxy-request { Operator-Name := "1%{config:local.MY.realm}" NAS-IP-Address := "%{config:local.MY.addr.lanwarden.v4}" NAS-IPv6-Address := "%{config:local.MY.addr.lanwarden.v6}" } [snipped logging] } ---- For the roamers: ---- post-auth { cui [snipped policy] [snipped logging] } ---- For the SQL logging, it is just an extra column on my table: ---- CREATE TABLE dot1x_auth ( id bigserial NOT NULL, realm character varying(253), nas_ip_address inet, nas_port_type character varying(32), nas_port_id character varying(64), calling_station_id character varying(64) NOT NULL, called_station_id character varying(64), packet_src_address inet NOT NULL, nas_identifier character varying(253), reply_message character varying(253), module_message character varying(253), eap_type character varying(16), auth_type character varying(16), "timestamp" timestamp with time zone NOT NULL, packet_type character varying(32) NOT NULL, tunnel_private_group_id character varying(32), user_name character varying(253) NOT NULL, inet_client_addr inet NOT NULL DEFAULT inet_client_addr(), nas_port integer, nas_ipv6_address inet, chargeable_user_identity character varying(253), <------ operator_name character varying(253), <------ CONSTRAINT dot1x_auth_id PRIMARY KEY (id) ) ---- Cheers [1] snipped irrelevant bits of course, if anyone wants our full FreeRADIUS config dump to see this in real life then do ask offlist -- Alexander Clouter .sigmonster says: BOFH excuse #120: we just switched to FDDI.