FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username
Hi guys, we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it hard to identify our eduroam users (user tracking). Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ? We have set this setting to yes in our config: ttls { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" } peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" } Thanks for your help. Cheers, Thorsten
Hi Thorsten, We found a similar issues where User-Name was being duplicate, having both, inner and outer values. That made that some NAS were taking the outer one since it appeared first. We pushed a fix upstream https://github.com/FreeRADIUS/freeradius-server/pull/2297/commits/ad3791dc84... If your issue is the same, you just need to backport that change to your "default" site and check whether it fixes it. Best regards, Alejandro El 19/11/18 a las 16:05, Thorsten Fritsch escribió:
Hi guys,
we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it hard to identify our eduroam users (user tracking).
Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ? We have set this setting to yes in our config:
ttls { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" }
peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" }
Thanks for your help.
Cheers, Thorsten
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
Hi Alejandro, thanks very much. Unfortunately in our case only the Outer Identity is included in the Access Accept from FR to the NAS and the NAS in turn requests accounting for the outer ID instead of the inner ID it’s supposed to: Access Accept from FR to NAS: (22) Tue Nov 20 16:51:07 2018: Debug: Sent Access-Accept Id 16 from 131.152.21.102:1812 to 10.33.6.2:47901 length 0 (22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Type = VLAN (22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Medium-Type = IEEE-802 (22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Private-Group-Id = "822" (22) Tue Nov 20 16:51:07 2018: Debug: User-Name := "anonymous@unibas.ch<mailto:anonymous@unibas.ch>" (22) Tue Nov 20 16:51:07 2018: Debug: Chargeable-User-Identity := 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436 (22) Tue Nov 20 16:51:07 2018: Debug: MS-MPPE-Recv-Key = 0x36785f7c835847b8f8b19bd771144a9b1484e34ad90f094484152b53ab88a5ee (22) Tue Nov 20 16:51:07 2018: Debug: MS-MPPE-Send-Key = 0x04d8aef1be7ce80b6f7eb382d782d6227924a40379be4e9725254878108bd96d (22) Tue Nov 20 16:51:07 2018: Debug: EAP-Message = 0x030b0004 (22) Tue Nov 20 16:51:07 2018: Debug: Message-Authenticator = 0x00000000000000000000000000 Accounting Request from NAS to FR Port 1813 (Accounting Server): (11) Tue Nov 20 11:23:28 2018: Debug: Received Accounting-Request Id 247 from 10.33.6.2:47901 to 131.152.21.102:1813 length 551 (11) Tue Nov 20 11:23:28 2018: Debug: User-Name = "anonymous@unibas.ch<mailto:anonymous@unibas.ch>" (11) Tue Nov 20 11:23:28 2018: Debug: Chargeable-User-Identity = 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436 (11) Tue Nov 20 11:23:28 2018: Debug: NAS-Port = 8 (11) Tue Nov 20 11:23:28 2018: Debug: NAS-IP-Address = 10.33.6.2 (11) Tue Nov 20 11:23:28 2018: Debug: Framed-IP-Address = 10.172.40.114 It’s weird cause it used to work fine for a long time and we assume something has change in FR 3.x over 2.x regarding this behavior but don’t know for sure. Thanks, Thorsten From: Alejandro Perez-Mendez [via FreeRADIUS] <ml+s1045715n5752719h84@n5.nabble.com> Sent: Tuesday, 20 November 2018 16:38 To: Thorsten Fritsch <thorsten.fritsch@unibas.ch> Subject: Re: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username Hi Thorsten, We found a similar issues where User-Name was being duplicate, having both, inner and outer values. That made that some NAS were taking the outer one since it appeared first. We pushed a fix upstream https://github.com/FreeRADIUS/freeradius-server/pull/2297/commits/ad3791dc84... If your issue is the same, you just need to backport that change to your "default" site and check whether it fixes it. Best regards, Alejandro El 19/11/18 a las 16:05, Thorsten Fritsch escribió:
Hi guys,
we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it hard to identify our eduroam users (user tracking).
Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ? We have set this setting to yes in our config:
ttls { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" }
peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" }
Thanks for your help.
Cheers, Thorsten
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/FreeRadius-3-0-17-outer-tunnel-usern... To unsubscribe from Users, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2740693&code=dGhvcnN0ZW4uZnJpdHNjaEB1bmliYXMuY2h8Mjc0MDY5M3w1ODEyOTcyNzM=>. NAML<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
Hi Thorsten, I did not know you migrated from 2.x to 3.x. Sure there will plenty of changes, not only related to these ones. In any case, have you noticed this excerpt in the inner_tunnel file? # # Instead of "use_tunneled_reply", change this "if (0)" to an # "if (1)". # if (0) { # # These attributes are for the inner-tunnel only, # and MUST NOT be copied to the outer reply. # update reply { User-Name !* ANY Message-Authenticator !* ANY EAP-Message !* ANY Proxy-State !* ANY MS-MPPE-Encryption-Types !* ANY MS-MPPE-Encryption-Policy !* ANY MS-MPPE-Send-Key !* ANY MS-MPPE-Recv-Key !* ANY } # # Copy the inner reply attributes to the outer # session-state list. The post-auth policy will take # care of copying the outer session-state list to the # outer reply. # update { &outer.session-state: += &reply: } } Just switch that (0) to (1) and comment the line regarding User-Name. Also, add update reply { User-Name := &request:User-Name } to the beginning of the post-auth section in that file. Regards, Alejandro El 22/11/18 a las 16:02, Thorsten Fritsch escribió:
Hi Alejandro,
thanks very much. Unfortunately in our case only the Outer Identity is included in the Access Accept from FR to the NAS and the NAS in turn requests accounting for the outer ID instead of the inner ID it’s supposed to:
Access Accept from FR to NAS: (22) Tue Nov 20 16:51:07 2018: Debug: Sent Access-Accept Id 16 from 131.152.21.102:1812 to 10.33.6.2:47901 length 0 (22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Type = VLAN (22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Medium-Type = IEEE-802 (22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Private-Group-Id = "822" (22) Tue Nov 20 16:51:07 2018: Debug: User-Name := "anonymous@unibas.ch<mailto:anonymous@unibas.ch>" (22) Tue Nov 20 16:51:07 2018: Debug: Chargeable-User-Identity := 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436 (22) Tue Nov 20 16:51:07 2018: Debug: MS-MPPE-Recv-Key = 0x36785f7c835847b8f8b19bd771144a9b1484e34ad90f094484152b53ab88a5ee (22) Tue Nov 20 16:51:07 2018: Debug: MS-MPPE-Send-Key = 0x04d8aef1be7ce80b6f7eb382d782d6227924a40379be4e9725254878108bd96d (22) Tue Nov 20 16:51:07 2018: Debug: EAP-Message = 0x030b0004 (22) Tue Nov 20 16:51:07 2018: Debug: Message-Authenticator = 0x00000000000000000000000000
Accounting Request from NAS to FR Port 1813 (Accounting Server): (11) Tue Nov 20 11:23:28 2018: Debug: Received Accounting-Request Id 247 from 10.33.6.2:47901 to 131.152.21.102:1813 length 551 (11) Tue Nov 20 11:23:28 2018: Debug: User-Name = "anonymous@unibas.ch<mailto:anonymous@unibas.ch>" (11) Tue Nov 20 11:23:28 2018: Debug: Chargeable-User-Identity = 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436 (11) Tue Nov 20 11:23:28 2018: Debug: NAS-Port = 8 (11) Tue Nov 20 11:23:28 2018: Debug: NAS-IP-Address = 10.33.6.2 (11) Tue Nov 20 11:23:28 2018: Debug: Framed-IP-Address = 10.172.40.114
It’s weird cause it used to work fine for a long time and we assume something has change in FR 3.x over 2.x regarding this behavior but don’t know for sure.
Thanks, Thorsten
From: Alejandro Perez-Mendez [via FreeRADIUS] <ml+s1045715n5752719h84@n5.nabble.com> Sent: Tuesday, 20 November 2018 16:38 To: Thorsten Fritsch <thorsten.fritsch@unibas.ch> Subject: Re: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username
Hi Thorsten,
We found a similar issues where User-Name was being duplicate, having both, inner and outer values. That made that some NAS were taking the outer one since it appeared first.
We pushed a fix upstream https://github.com/FreeRADIUS/freeradius-server/pull/2297/commits/ad3791dc84...
If your issue is the same, you just need to backport that change to your "default" site and check whether it fixes it.
Best regards, Alejandro
El 19/11/18 a las 16:05, Thorsten Fritsch escribió:
Hi guys,
we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it hard to identify our eduroam users (user tracking).
Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ? We have set this setting to yes in our config:
ttls { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" }
peap { tls = tls-common default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "eduroam-inner-tunnel" }
Thanks for your help.
Cheers, Thorsten
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/FreeRadius-3-0-17-outer-tunnel-usern... To unsubscribe from Users, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2740693&code=dGhvcnN0ZW4uZnJpdHNjaEB1bmliYXMuY2h8Mjc0MDY5M3w1ODEyOTcyNzM=>. NAML<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Alejandro Perez-Mendez Technical Specialist (AAA), Trust & Identity M (+34) 619 333 219 Skype alejandro_perez_mendez jisc.ac.uk
Hi Thorsten,
update { &outer.session-state: += &reply:
update reply { User-Name := &request:User-Name
we've had these settings since we started FR 3.0, but the problem persisted nevertheless (not all records were affected, though). A software upgrade on the Cisco Wireless controllers (e.g AIR-CT5520-K9) to Version 8.3.143.0 finally did the trick. The NAS has to comply, too, of course. But I suppose in your case it was OK before the RADIUS switch, so the Wireless controller is not the first component to look at. Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (3)
-
Alex Perez-Mendez -
Martin Pauly -
Thorsten Fritsch