Intel PEAP client "Roaming Identity"
Hi We have a 802.1x/PEAP wireless network using freeRADIUS 1.0.1 on RedHat AS 4. It is important for us to know who is using the network at any given time so the accounting logs are very useful to us. The other day someone came along with a laptop using an Intel wireless adapter and client software. In the configuration settings for this program there was a place to enter a username and password for PEAP authentication and there was also a field named "Roaming Identity" which as default was set to "anonymous@myabc.com". The client conected up fine, but when I checked the RADIUS accounting logs I noticed that the username for that client was listed as anonymous@myabc.com instead of the one I expected. After a bit of googling in found this link on the Dell website which describes that the roaming identity is only required for MS RADIUS servers :- http://support.dell.com/support/edocs/network/P72721/en/UtilAdv.htm Could anyone advise me whether it is possible to configure my server so that the actual username used get's logged in the accounting records instead of this roaming identity string? Many Thanks Ben Thompson
On Thursday 15 September 2005 12:25, Ben Thompson wrote:
Hi
We have a 802.1x/PEAP wireless network using freeRADIUS 1.0.1 on RedHat AS 4. It is important for us to know who is using the network at any given time so the accounting logs are very useful to us. The other day someone came along with a laptop using an Intel wireless adapter and client software. In the configuration settings for this program there was a place to enter a username and password for PEAP authentication and there was also a field named "Roaming Identity" which as default was set to "anonymous@myabc.com". The client conected up fine, but when I checked the RADIUS accounting logs I noticed that the username for that client was listed as anonymous@myabc.com instead of the one I expected. After a bit of googling in found this link on the Dell website which describes that the roaming identity is only required for MS RADIUS servers :- http://support.dell.com/support/edocs/network/P72721/en/UtilAdv.htm Could anyone advise me whether it is possible to configure my server so that the actual username used get's logged in the accounting records instead of this roaming identity string?
I couldn't think of a good way to deal with this on our site. I ended up putting the roaming identity in the users files to reject it. The owner of the device has to reconfigure their supplicant to fix the roaming identity. This can probably be handled a bit more elegantly and user friendly in radiusd.conf but I haven't really had time to work on it. Zoltan
Ben Thompson <bt4@york.ac.uk> wrote:
Could anyone advise me whether it is possible to configure my server so that the actual username used get's logged in the accounting records instead of this roaming identity string?
Configure peap{} & ttls{} with "use_tunneled_reply = yes". Add the following to the top of the "users" file: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name = "%{User-Name}", Fall-Through = Yes This will send the inner tunnel user name back to the AP, which is *supposed* to then use it in accounting packets. Alan DeKok.
On Thu, 2005-09-15 at 13:54 -0400, Alan DeKok wrote:
Ben Thompson <bt4@york.ac.uk> wrote:
Could anyone advise me whether it is possible to configure my server so that the actual username used get's logged in the accounting records instead of this roaming identity string?
Configure peap{} & ttls{} with "use_tunneled_reply = yes".
Add the following to the top of the "users" file:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name = "%{User-Name}", Fall-Through = Yes
This will send the inner tunnel user name back to the AP, which is *supposed* to then use it in accounting packets.
Alan DeKok.
Thanks Alan, that's done the trick. Ben
participants (3)
-
Alan DeKok -
Ben Thompson -
Zoltan A. Ori