EAP-TTLS outer identity & accounting
I'm currently using EAP-TTLS & PAP (via SecureW2) to authorize & authenticate wireless clients against specific realms. Users are able to authorize & authenticate properly, but the username in incoming accounting replies come in as 'anonymous@<realmname>'. I had this spitting out proper accounting information before, and haven't changed any configuration options since putting it into production. The only conclusions I can come up with are: 1) The access points are buggy (3com OfficeConnects) 2) FreeRADIUS doesn't keep track of connections properly -- either because it doesn't bother to replace anonymous entries with the previously seen identity for the given ID, or I haven't configured it to do so. I would be inclined to think it was the latter, except that the configuration was working properly previously, and the Accounting-Request packet itself contains anonymous@realm instead of the actual authenticated user. Anyone have any suggestions, or can anyone at least point me to any documentation on this? Click for free info on online masters degrees and make $150K/ year http://tagline.hushmail.com/fc/CAaCXv1S74pwqkZuxyoxY1QhnF9TgBDK/
Sam Schultz wrote:
I'm currently using EAP-TTLS & PAP (via SecureW2) to authorize & authenticate wireless clients against specific realms. Users are able to authorize & authenticate properly, but the username in incoming accounting replies come in as 'anonymous@<realmname>'.
You can set "User-Name" in the Access-Accept, and the NAS should use that in Accounting-Requests.
I had this spitting out proper accounting information before, and haven't changed any configuration options since putting it into production. The only conclusions I can come up with are:
1) The access points are buggy (3com OfficeConnects)
No.
2) FreeRADIUS doesn't keep track of connections properly -- either because it doesn't bother to replace anonymous entries with the previously seen identity for the given ID, or I haven't configured it to do so.
No. The problem is that the supplicant is sending "anonymous@..." as the User-Name. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Sam Schultz