Capturing the inner authentication ID for Radius accounting

CHui CHui at lbl.gov
Fri Jan 27 22:25:23 CET 2006


I have been looking for a way to maintain accurate wireless access and usage
information for security auditing purposes.  The problem I have is that
wireless network users may choose to provide an alternative identity by
providing an outer identity in the supplicant software, although the user
still needs a legitimate user ID/password to pass the EAP-TTLS
authentication.  So far I could not find a "standard" way to track the user
identity via RADIUS accounting records.  I did manage to configure
FreeRADIUS to send the inner authentication user ID to the Cisco Aironet
Access Point (IOS 12.3(7)JA) using the RADIUS attribute "Class" (ID 25).

For example, in my users file, the following is configured for guest access:

  DEFAULT  Hint == "guest" 
           Auth-Type = sql,
           Class = "%{User-Name}", 
           Session-Timeout = 3600, 
           Fall-Through = No

The actual user ID used in the EAP-TTLS authentication is passed to the
Cisco Aironet AP via the Class attribute.  I have observed that both the
RADIUS "start" and "stop" records sent by the Cisco Aironet AP contain the
Class attribute with the actual user's ID.  The reason I chose the Class
attribute is that it is the only attribute honored by the Aironet AP in the
Access-Accept message and also included in the RADIUS accounting sent by the
Aironet AP, according to the Cisco IOS Software Config Guide for Aironet APs.

Although it seems to work for me, I am not sure whether the use of the
Class attribute for tracking user ID would interfere with other operations
(like the one the Class attribute was originally designed for)?

Also, the attribute Class is of type octets.  Does anyone know of a way to
convert it to text in SQL?  I would like to convert it to text before
writing it into the MySQL database, preferably by way of the
accounting_xx_query in the sql.conf file.

Thanks 
Cedric
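An added example (not from the post or from FreeRADIUS) showing how an auditor can pull both identities out of an Accounting-Request: the outer identity arrives in User-Name (1), the inner identity that the users-file entry above copies into Class (25) arrives as opaque octets and is rendered as text only when it is printable, otherwise as hex. The sample packet is constructed inline with a zeroed authenticator; the inner identity "cedric" and outer identity "anonymous" are assumed values.

```python
import struct

# RADIUS attribute types discussed in the post (RFC 2865/2866 numbering).
USER_NAME, CLASS, ACCT_STATUS_TYPE = 1, 25, 40
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
ACCOUNTING_REQUEST = 4

def parse_attributes(data: bytes) -> list:
    """Walk the RADIUS attribute TLVs (type, length, value); reject malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def octets_to_text(value: bytes) -> str:
    """Class is an opaque octet string: render as text if printable, else as hex."""
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return "0x" + value.hex()
    return text if text.isprintable() else "0x" + value.hex()

def audit_record(packet: bytes) -> dict:
    """Outer identity (User-Name), inner identity (Class) and status of an Accounting-Request."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    fields = dict(parse_attributes(packet[20:]))  # header is 20 bytes incl. authenticator
    status = struct.unpack("!I", fields[ACCT_STATUS_TYPE])[0]
    return {
        "outer_identity": fields.get(USER_NAME, b"").decode("utf-8", "replace"),
        "inner_identity": octets_to_text(fields[CLASS]) if CLASS in fields else None,
        "status": ACCT_STATUS.get(status, str(status)),
    }

def build_accounting_request(attrs: list, ident: int = 1) -> bytes:
    """Build a constructed sample Accounting-Request (authenticator zeroed, not computed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body)) + bytes(16) + body

# Constructed "start" record: outer identity "anonymous", inner identity "cedric" in Class.
SAMPLE_START = build_accounting_request([(USER_NAME, b"anonymous"), (CLASS, b"cedric"),
                                         (ACCT_STATUS_TYPE, struct.pack("!I", 1))])
```

The same octets-to-text decision (printable text or hex) is what an accounting_xx_query would have to make before the Class value is stored as a text column.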