EAP-TTLS outer identity & accounting

Sam Schultz segfault90 at hushmail.com
Tue Mar 20 19:00:59 CET 2007 


On Tue, 20 Mar 2007 09:38:25 -0500 Alan DeKok 
<aland at deployingradius.com> wrote:
>Sam Schultz wrote:
>>
>> I have set a DEFAULT entry that sets the User-Name attribute via
>> ':=', but I still end up with two User-Name attributes 
>(anonymous
>> identity & real identity). This is especially strange, since 
>> use_tunneled_reply & copy_request_to_tunnel are both enabled as 
>> well. 
>
>  Then it may be a bug.  My tests look like they work, so I'm not 
>sure
>what the difference is with your configuration.

It worked for me right out of the box at one time, too. I have a
feeling it was using either freeradius 1.1.3 or 1.0.3 (or whatever 
FC2 came pre-packaged with). I'll probably test my configuration 
against
an earlier version later & see if I can establish it as a "bug". The
version I've been trying to coerce into working is 1.1.4, which was
compiled from source.

>
>> If I understand correctly, := should replace the anonymous 
>(first)
>> User-Name value with the real (second) value permitting they are 
>in
>> the same session. Upon looking back at the debug output, it 
>looks 
>> like
>> the tunneled request is actually handled as if it were a 
>seperate 
>> request than the one containing it (request->eap module-(unpack)-
>
>>> new request).
>
>  Yes.
>
>> This would explain why two User-Name attributes are showing up 
>in 
>> the
>> final response.
>
>  Not entirely.  If you have use_tunneled_reply = yes, AND you're 
>doing:
>
>DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
>	User-Name := `%{User-Name}`
>
>  Then that name should be copied to the outer tunnel, AND the 
>outer
>tunnel SHOULD NOT add the "anonymous" username in the reply, 
>because it
>sees the User-Name copied from the tunnel.  See 
>src/modules/rlm_eap/*.c

I may do this as a last resort. In my experience, code dependent
on openssl tends to be ugly & hard to follow/understand. 

>
>> P.S. A link to a list of known-good access points, or personal
>>      recommendations on access points would also be appreciated.
>
>  See the Wiki.  If you have good experiences, add them to the 
>Wiki.
>
>>      We will be replacing a few 3com APs soon because they don't
>>      play well with...well...ANYTHING. One (3com OfficeConnect)
>>      doesn't even have options for radius account, even though
>>      it advertises the feature right on the box.
>
>  Return them as broken.

I planned on it as soon as I get replacements. It doesn't look like 
3com even has a bug reporting system of any kind. Well, at least 
not for customers who don't have a support contract with them, 
anyway.

>
>  Cisco AP350's seems to be pretty solid.
>
>  Alan DeKok.
>--
>  http://deployingradius.com       - The web site of the book
>  http://deployingradius.com/blog/ - The blog
>- 
>List info/subscribe/unsubscribe? See 
>http://www.freeradius.org/list/users.html

--
Click for free info on adult education and start making $150k/ year
http://tagline.hushmail.com/fc/CAaCXv1S62SI4Y7VFkw7r5uPb1smYR4R/

More information about the Freeradius-Users mailing list