Accounting and anonymous outer identity in EAP-TTLS

Damjan gdamjan at mail.net.mk
Fri Oct 28 20:58:22 CEST 2005


I've been searching the mail list about this, but haven't found a
definitive solution.

The scenario: I'm using WPA2 access points, which are set up to authorize
users against my freeradius server. The freeradius server is set up to
use a MySQL database, and eap-ttls is configured (and that works ok).

My Windows clients connect with the SecureW2 (1) supplicant.

The problem is that radius accounting requests have the User-Name = anonymous
attribute/value, so I can't separate accounting from different users.

I've tried to replace the User-Name in the Access-Accept reply, with
this configuration:
- I have this in the "users" file:
DEFAULT Freeradius-Proxied-To == 127.0.0.1
    User-Name := "%{User-Name}",
    Fall-Through = yes

BTW I've tried User-Name = "%{User-Name}" too.

And this is the authorize section in radiusd.conf:

authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
        sql
}

The problem is that the Access-Accept reply from freeradius has two
User-Name AV pairs, like this:
  User-Name := "anonymous"
  User-Name := "damjan"

And the accounting packet has the User-Name = "anonymous" AV pair.

Shouldn't the := operator in "user" replace the User-Name = "anonymous",
or it doesn't because files is before sql in the authorize section, and
my users are in the MySQL database?... and if I put sql before files,
that DEFAULT entry will not be triggered, am I right?

Can I just remove UserName from the "authorize_reply_query" SELECT in
sql.conf? Note however that the same radius instance is used for non-EAP
clients too, those clients authenticate through chillispot and use plain
and simple PAP. 


My platform is:
slackware linux 10.1
openssl-0.9.7e
freeradius-1.0.2 (I'd update if that's a solution but this system has
several radius instances (ports) in production use)

(1) http://www.securew2.com/


-- 
damjan | дамјан
This is my jabber ID --> damjan at bagra.net.mk <-- not my mail address!!!
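
A diagnostic for the symptom described in this message, as an added example that is not part of the original post and not FreeRADIUS code: it parses a captured Access-Accept using the RFC 2865 packet layout and reports when the reply carries more than one User-Name or still carries the outer identity. RFC 2865 allows at most one User-Name in an Access-Accept, and the NAS is expected to reuse that value in its accounting requests. The function names and the sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)
USER_NAME = 1      # RADIUS attribute type (RFC 2865)

def radius_attributes(packet: bytes):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, identifier, length and 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def check_accept_user_name(packet: bytes, outer_identity: str = "anonymous"):
    """Return (names, problems) for the User-Name attributes of an Access-Accept."""
    if not packet or packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    names = [value.decode("utf-8", "replace")
             for atype, value in radius_attributes(packet) if atype == USER_NAME]
    problems = []
    if len(names) > 1:
        problems.append("more than one User-Name in Access-Accept")
    if outer_identity in names:
        problems.append("outer identity %r present in Access-Accept" % outer_identity)
    return names, problems

def build_sample(code: int, user_names):
    """Constructed sample packet; the authenticator is zeroed and not verified."""
    attrs = b"".join(bytes([USER_NAME, 2 + len(n)]) + n for n in user_names)
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    # Constructed packets: the reply described above, then the intended one.
    for sample in ([b"anonymous", b"damjan"], [b"damjan"]):
        names, problems = check_accept_user_name(build_sample(ACCESS_ACCEPT, sample))
        print(names, problems or "ok")
```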


