Capturing the inner authentication ID for Radius

CHui CHui at lbl.gov
Tue Jan 31 18:57:52 CET 2006


> "CHui" <CHui at lbl.gov> wrote:
>> Although it seems to work for me, I am not sure whether the use of attribute
>> Class for tracking user ID would interfere with other operations (like the
>> one attribute Class was originally designed for)?
>
>  It was designed for local sites to do whatever they wanted.  So you're
>  doing the right thing.
>
>> Also, the attribute Class is of type Octet.  Does anyone know of a way to
>> convert it to text in SQL?
>
>  Edit the dictionary, and change "octets" to "string".
>
>  Alan DeKok.

Never thought of simply changing the attribute type in the dictionary file.
Works great. Thanks.

I use "use_tunneled_reply = yes" in eap.conf to capture the user name
inside of the tunnel.  I have observed that the Class attribute now
contains both the outer identity and the user name from inside the tunnel.

From the debug output:

Sending Access-Accept of id 170 to 198.128.24.10:1645
	Class = "SomeoneElse"
	Cisco-AVPair = "ssid=CiscoTestAP"
	Session-Timeout = 60
	Class = "chui.guest"
	MS-MPPE-Recv-Key = 0x...
	MS-MPPE-Send-Key = 0x...
	EAP-Message = 0x03070004
	Message-Authenticator = 0x...
	User-Name = "SomeoneElse"
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 198.128.24.10:1646, id=112, length=262
	Acct-Session-Id = "0600000000000204"
	Called-Station-Id = "0014.a800.44c0"
	Calling-Station-Id = "0002.2d27.05e2"
	Cisco-AVPair = "ssid= CiscoTestAP"
	Cisco-AVPair = "vlan-id=0"
	Cisco-AVPair = "nas-location=unspecified"
	User-Name = "SomeoneElse"
	Cisco-AVPair = "connect-progress=Call Up"
	Acct-Authentic = RADIUS
	Acct-Status-Type = Start
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "708"
	NAS-Port = 708
	Class = "SomeoneElse"
	Class = "chui.guest"
	Service-Type = Framed-User
	NAS-IP-Address = 198.128.24.10
	Acct-Delay-Time = 0

In the users file, I have the default entry as follows:

	DEFAULT
		Class = "%{User-Name}",
		Fall-Through = No


What should I do to get only the tunnel user name, instead of both, sent as
the reply attribute "Class"?

Thanks
Cedric
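
The duplicate Class reply described above comes from the same DEFAULT entry matching twice, once for the outer (anonymous) identity and once for the inner one, with use_tunneled_reply copying the inner reply into the Access-Accept. The following users-file fragment is an added example (not code from the thread or from the FreeRADIUS project) showing the posted entry next to a version that sets Class only for the inner request. It assumes a FreeRADIUS 1.x server, where the inner EAP-TTLS/PEAP request carries the internal attribute FreeRADIUS-Proxied-To = 127.0.0.1 and can therefore be matched by a check item; FreeRADIUS 2.x and later run the inner request through a separate "inner-tunnel" virtual server instead, where the same entry would live in that server's users file without the check item.

```conf
# Added example, not from the original thread or from the FreeRADIUS project.
#
# Assumption: FreeRADIUS 1.x marks the inner (tunneled) request with
# FreeRADIUS-Proxied-To = 127.0.0.1, so a check item on that attribute
# tells the inner request apart from the outer one.

# Entry as posted (kept here for comparison).  It has no check items, so it
# matches the outer request ("SomeoneElse") and the inner request
# ("chui.guest") alike; with use_tunneled_reply = yes both Class values end
# up in the Access-Accept, and the NAS echoes both in its Accounting-Request.
#DEFAULT
#	Class = "%{User-Name}",
#	Fall-Through = No

# Corrected entry: only the inner request matches, so Class carries the
# tunneled user name only.  The outer request fails the check item and the
# files module moves on to the next entry.
DEFAULT	FreeRADIUS-Proxied-To == 127.0.0.1
	Class = "%{User-Name}",
	Fall-Through = No

# Outer request: deliberately set no Class here.  The inner reply's Class is
# copied into the Access-Accept by use_tunneled_reply, and that single value
# is what ties the accounting record to the authenticated (inner) user.
DEFAULT
	Fall-Through = No
```

From an audit-trail point of view this is the desirable outcome: the outer identity in an EAP tunnel is under the client's control and is often anonymous, so a Class value derived from it is not a reliable record of who authenticated; the inner identity is the one the server actually verified. After changing the entry, re-run the server in debug mode and confirm that the Access-Accept and the subsequent Accounting-Request each show a single Class attribute containing the inner user name.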

More information about the Freeradius-Users mailing list