Accounting and anonymous outer identity in EAP-TTLS
I've been searching the mail list about this, but haven't found a definitive sollution. The scenario, I'm using WPA2 access points, they are setup to authorize users against my freeradius server. The freeradius server is setup to use a MySQL database, and eap-ttls is configured (and that works ok). My Windows clients connect with the SecureW2 (1) supplicant. The problem is that radius accounting requests have the User-Name = anonymous attribute/value, so I can't separate accounting from different users. I've tried to replace the User-Name in the Access-Accept reply, with this configuration: - I have this in the "users" file: DEFAULT FreeradiusProxiedTo == 127.0.0.1 User-Name := "%{User-Name}", FallThrough = yes BTW I've tried User-Name = "%{User-Name} too. And this is the authorize section in radiusd.conf: authorize { preprocess chap mschap suffix eap files sql } The problem is that the Access-Accept reply from freeradius has two User-Name AV pairs, like this: User-Name := "anonymous" User-Name := "damjan" And the accounting packet has the User-Name = "anonymous" AV pair. Shouldn't the := operator in "user" replace the User-Name = "anonymous", or it doesn't because files is before sql in the authorize section, and my users are in the MySQL database?... and if I put sql before files, that DEFAULT entry will not be triggered, am I right? Can I just remove UserName from the "authorize_reply_query" SELECT in sql.conf? Note however that the same radius instance is used for non-EAP clients too, those clients authenticate through chillispot and use plain and simple PAP. My platform is: slackware linux 10.1 openssl-0.9.7e freeradius-1.0.2 (I'd update if that's a sollution but this system has several radius instances (ports) in production use) (1) http://www.securew2.com/ -- damjan | дамјан This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
Damjan <gdamjan@mail.net.mk> wrote:
Shouldn't the := operator in "user" replace the User-Name = "anonymous", or it doesn't because files is before sql in the authorize section, and my users are in the MySQL database?
Yes, and it shouldn't matter that the users are in SQL. I suspect that something else is adding the "anonymous" username in the reply. The EAP module does this, but it checks to see if a User-name already exists. If so, it doesn't copy it. I would say read the debug log for one of these sessions. It won't tell you when it adds the two usernames, but it will tell you which modules run, and what they do. You can use that information to walk through the configuration by hand, to see what's going on, and why. Alan DeKok.
Shouldn't the := operator in "user" replace the User-Name = "anonymous", or it doesn't because files is before sql in the authorize section, and my users are in the MySQL database?
Yes, and it shouldn't matter that the users are in SQL.
I suspect that something else is adding the "anonymous" username in the reply. The EAP module does this, but it checks to see if a User-name already exists. If so, it doesn't copy it.
I changed User-Name := `testtest`, in "users" and this is what I got: Sending Access-Accept of id 88 to 217.16.68.220:2640 User-Name := "testtest" User-Name := "testtest" Idle-Timeout := 300 Which, I guess, means it's the files module that adds the User-Name twice.. or not?? Anyway, the Accounting-Request I got still had User-Name = "anonymous", so I'll need to solve that first I guess.. -- damjan | дамјан This is my jabber ID --> damjan@bagra.net.mk <-- not my mail address!!!
participants (2)
-
Alan DeKok -
Damjan