Hello, I am developing my freeradius server (version 1.1.2) to use it in a WPA wireless environment with EAP authentication. Until this moment (without EAP) the accounting information collected by freeradius is in the form: - detail-YYYYMMDD: Fri Oct 20 11:07:59 2006 User-Name = "<username>@<realm>" NAS-Port = 2161 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = X.X.X.X Class = 0x69636172756d Calling-Station-Id = "172.18.201.166" Acct-Status-Type = Start Acct-Session-Id = "15D003FA" Tunnel-Client-Endpoint:0 = "172.18.201.166" Acct-Authentic = RADIUS Acct-Delay-Time = 0 NAS-IP-Address = <nas IP address> NAS-Port-Type = Virtual Proxy-State = 0x323034 Client-IP-Address = <client ip address> Acct-Unique-Session-Id = "e43a1da655ba3ef3" Stripped-User-Name = "<username>" Realm = "<realm>" Timestamp = 1161335279 - auth-detail-YYYYMMDD: Packet-Type = Access-Request Fri Oct 20 11:10:14 2006 User-Name = "<username>@<realm>" User-Password = "190482" NAS-Identifier = "<nas id>" NAS-IP-Address = <nas ip> Proxy-State = 0x323433 Client-IP-Address = <client ip> But with EAP the files has the same form, but username is always "anonymous", because the real authentication is made through the tunnel connection. I want to know if there is any way to configure radius to log the real username instead of anonymous in the log files. Thanks. -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información _o) y las Comunicaciones Aplicadas (ATICA) / \\ http://www.um.es/atica _(___V Tfo: 968367590 Fax: 968398337
Hi, with which AP has you this values. Because with my dlink DWL-2000+, EAP work but i'm not all this infos :( Franck
Hello,
I am developing my freeradius server (version 1.1.2) to use it in a WPA wireless environment with EAP authentication.
Until this moment (without EAP) the accounting information collected by freeradius is in the form:
- detail-YYYYMMDD:
Fri Oct 20 11:07:59 2006 User-Name = "<username>@<realm>" NAS-Port = 2161 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = X.X.X.X Class = 0x69636172756d Calling-Station-Id = "172.18.201.166" Acct-Status-Type = Start Acct-Session-Id = "15D003FA" Tunnel-Client-Endpoint:0 = "172.18.201.166" Acct-Authentic = RADIUS Acct-Delay-Time = 0 NAS-IP-Address = <nas IP address> NAS-Port-Type = Virtual Proxy-State = 0x323034 Client-IP-Address = <client ip address> Acct-Unique-Session-Id = "e43a1da655ba3ef3" Stripped-User-Name = "<username>" Realm = "<realm>" Timestamp = 1161335279
- auth-detail-YYYYMMDD:
Packet-Type = Access-Request Fri Oct 20 11:10:14 2006 User-Name = "<username>@<realm>" User-Password = "190482" NAS-Identifier = "<nas id>" NAS-IP-Address = <nas ip> Proxy-State = 0x323433 Client-IP-Address = <client ip>
But with EAP the files has the same form, but username is always "anonymous", because the real authentication is made through the tunnel connection.
I want to know if there is any way to configure radius to log the real username instead of anonymous in the log files.
Thanks.
-- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información _o) y las Comunicaciones Aplicadas (ATICA) / \\ http://www.um.es/atica _(___V Tfo: 968367590 Fax: 968398337
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes. It's possible. Look in eap.conf In each EAP section (TTLS and PEAP) this code snippet exists # The reply attributes sent to the NAS are # usually based on the name of the user # 'outside' of the tunnel (usually # 'anonymous'). If you want to send the # reply attributes based on the user name # inside of the tunnel, then set this # configuration entry to 'yes', and the reply # to the NAS will be taken from the reply to # the tunneled request. # # allowed values: {no, yes} use_tunneled_reply = no -----Original Message----- From: freeradius-users-bounces+mking=bridgew.edu@lists.freeradius.org [mailto:freeradius-users-bounces+mking=bridgew.edu@lists.freeradius.org] On Behalf Of Angel L. Mateo Sent: Friday, October 20, 2006 5:12 AM To: FreeRadius users mailing list Subject: EAP and accounting Hello, I am developing my freeradius server (version 1.1.2) to use it in a WPA wireless environment with EAP authentication. Until this moment (without EAP) the accounting information collected by freeradius is in the form: - detail-YYYYMMDD: Fri Oct 20 11:07:59 2006 User-Name = "<username>@<realm>" NAS-Port = 2161 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = X.X.X.X Class = 0x69636172756d Calling-Station-Id = "172.18.201.166" Acct-Status-Type = Start Acct-Session-Id = "15D003FA" Tunnel-Client-Endpoint:0 = "172.18.201.166" Acct-Authentic = RADIUS Acct-Delay-Time = 0 NAS-IP-Address = <nas IP address> NAS-Port-Type = Virtual Proxy-State = 0x323034 Client-IP-Address = <client ip address> Acct-Unique-Session-Id = "e43a1da655ba3ef3" Stripped-User-Name = "<username>" Realm = "<realm>" Timestamp = 1161335279 - auth-detail-YYYYMMDD: Packet-Type = Access-Request Fri Oct 20 11:10:14 2006 User-Name = "<username>@<realm>" User-Password = "190482" NAS-Identifier = "<nas id>" NAS-IP-Address = <nas ip> Proxy-State = 0x323433 Client-IP-Address = <client ip> But with EAP the files has the same form, but username is always "anonymous", because the real authentication is made through the tunnel connection. I want to know if there is any way to configure radius to log the real username instead of anonymous in the log files. Thanks. -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información _o) y las Comunicaciones Aplicadas (ATICA) / \\ http://www.um.es/atica _(___V Tfo: 968367590 Fax: 968398337 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
El vie, 20-10-2006 a las 09:24 -0400, King, Michael escribió:
Yes. It's possible.
Look in eap.conf In each EAP section (TTLS and PEAP) this code snippet exists
# The reply attributes sent to the NAS are # usually based on the name of the user # 'outside' of the tunnel (usually # 'anonymous'). If you want to send the # reply attributes based on the user name # inside of the tunnel, then set this # configuration entry to 'yes', and the reply # to the NAS will be taken from the reply to # the tunneled request. # # allowed values: {no, yes} use_tunneled_reply = no
Hello, I have this attribute set to yes. With this, the reply my freeradius server sent to the client is based in the user inside the EAP tunnel, but the accounting logs are still registered with username "anonymous" instead the username inside the tunneled request. -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información _o) y las Comunicaciones Aplicadas (ATICA) / \\ http://www.um.es/atica _(___V Tfo: 968367590 Fax: 968398337
"Angel L. Mateo" <amateo@um.es> wrote:
I have this attribute set to yes. With this, the reply my freeradius server sent to the client is based in the user inside the EAP tunnel, but the accounting logs are still registered with username "anonymous" instead the username inside the tunneled request.
Because that's the only user name that the NAS sees. Use the "Class" attribute to set a per-session ID for the user. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (4)
-
Alan DeKok -
Angel L. Mateo -
Franck -
King, Michael