EAP-TTLS outer identity & accounting

Sam Schultz segfault90 at hushmail.com
Thu Mar 15 00:13:40 CET 2007


An entry like:

DEFAULT         Realm == "test", Autz-Type := sql-test
                User-Name = "%{User-Name}"

does add a new User-Name attribute with the proper value, but I need a
way to delete the anonymous@ entry still, because I get Access-Accepts
like this:

Sending Access-Accept of id 134 to 192.168.0.5 port 5190
        User-Name := "anonymous@test"
        User-Name := "test@test"

Followed by Accounting-Requests that still contain the anonymous entry,
so it is still using the oldest (first?) User-Name attribute. Is there
any way at all to REMOVE already set attributes so they aren't re-sent
to the NAS?

For that matter, shouldn't the "use_tunneled_reply = yes" in the ttls
module configuration have kept me from having this problem?

I also have copy_request_to_tunnel set to yes, but I doubt that should
be causing a problem like this.

On Wed, 14 Mar 2007 13:03:21 -0500 Sam Schultz <segfault90 at hushmail.com> wrote:
>On Wed, 14 Mar 2007 11:25:20 -0500 Thibault Le Meur <Thibault.LeMeur at supelec.fr> wrote:
>>> -----Original Message-----
>>> From: freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org
>>> [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org] On behalf of Sam Schultz
>>> Sent: Wednesday 14 March 2007 17:13
>>> To: freeradius-users at lists.freeradius.org
>>> Subject: Re: EAP-TTLS outer identity & accounting
>>>
>>> On Tue, 13 Mar 2007 13:15:52 -0500 Alan DeKok <aland at deployingradius.com> wrote:
>>> >Sam Schultz wrote:
>>> >>
>>> >> This should be solvable by adding something like
>>> >> 'User-Name = %{User-Name}' to the DEFAULT entries in the users file,
>>> >> correct?
>>> >
>>> >  Yes.
>>> 
>>> One of my users file DEFAULT entries looks like this:
>>> 
>>> DEFAULT         Realm == "test", Autz-Type := sql-test, User-Name = "%u"
>>> 
>>> However, FreeRADIUS tells me this:
>>> 
>>> Error: Invalid operator for item User-Name: reverting to '=='
>>> 
>>> I assume I'm not supposed to forcibly change User-Name, so what
>>> attribute would I set to return the correct username to the NAS?
>>> I know there is a run-time variable %{reply:User-Name}, would I
>>> need to somehow update it with the correct value for User-Name
>>> instead?
>>
>>Yes, by simply adding the User-Name = XXX to the reply items (that is
>>to say not on the first line). Try something like this:
>
>This didn't make much sense at first, but I think I understand it now.
>What you're saying is that the first line is only for check items,
>which is why I couldn't set User-Name there. The second line and beyond
>then are for, what? Reply items ONLY, or check & reply items? Is this
>documented anywhere? I just did a quick check through the freeradius
>doc directory, and only found a rlm_fastusers document which didn't
>have anything to say about format restrictions.
>
>>
>>DEFAULT         Realm == "test", Autz-Type := sql-test
>>	User-Name=`%{User-Name}`
>>
>>HTH,
>>Thibault

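The check-item / reply-item split discussed in this thread, as an added example that is not part of the original messages and not FreeRADIUS code: a simplified Python reader that puts first-line items in a check list and indented-line items in a reply list, then reports check-line items written with `=`, the pattern behind the "Invalid operator" error quoted above. The item grammar, the function names and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample: the two entry layouts discussed in the thread.
SAMPLE = '''\
DEFAULT Realm == "test", Autz-Type := sql-test, User-Name = "%u"

DEFAULT Realm == "test", Autz-Type := sql-test
        User-Name = "%{User-Name}"
'''

# attribute, operator, value (double-quoted, back-quoted or bare).
# Simplified grammar (assumption); the server's own parser handles more.
ITEM = re.compile(
    r'\s*([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|<|>)\s*'
    r'("[^"]*"|`[^`]*`|[^,\s]+)\s*,?')

def parse_items(text):
    """Return a list of (attribute, operator, value) tuples."""
    return [m.groups() for m in ITEM.finditer(text)]

def parse_users(text):
    """Split each entry into its name, check items and reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue                      # blank line or comment
        if line[0] in ' \t':              # indented line: reply items
            if not entries:
                raise ValueError('reply line before any entry')
            entries[-1]['reply'] += parse_items(line)
        else:                             # first line: name + check items
            parts = line.split(None, 1)
            entries.append({'name': parts[0],
                            'check': parse_items(parts[1] if len(parts) > 1 else ''),
                            'reply': []})
    return entries

def misplaced_assignments(entries):
    """Check-line items using '=', i.e. a reply-style assignment placed
    where only check items are read."""
    return [(e['name'], attr) for e in entries
            for attr, op, _ in e['check'] if op == '=']

if __name__ == '__main__':
    for e in parse_users(SAMPLE):
        print(e['name'], 'check:', e['check'], 'reply:', e['reply'])
    print('misplaced:', misplaced_assignments(parse_users(SAMPLE)))
```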