radwho question....

tnt at kalik.co.yu
Wed Oct 3 21:34:07 CEST 2007


The fact that you have added that entry to the users file doesn't mean
that it will get matched and processed. You haven't posted the whole
debug so it's hard to be sure, but my guess is that this is the problem
(from users file):

#       When an authentication request is received from the comm server,
#       these values are tested. Only the first match is used unless the
#       "Fall-Through" variable is set to "Yes".
#
#       A special user named "DEFAULT" matches on all usernames.
#       You can have several DEFAULT entries. All entries are processed
#       in the order they appear in this file. The first entry that
#       matches the login-request will stop processing unless you use
#       the Fall-Through variable.
#

Ivan Kalik
Kalik Informatika ISP
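
A simplified model of the first-match rule quoted from the users file above, as an added example that is not part of the original post and is not FreeRADIUS code. The earlier catch-all DEFAULT entry and all function names are hypothetical; the proxied entry, user name and Session-Timeout value are taken from the thread.

```python
import re

def process_users(entries, request):
    """Walk users-file entries in order; return (reply, indexes of matched entries).

    Simplified model (assumption): check items are equality tests only and
    every reply item is assigned as with ":=".
    """
    reply, matched = {}, []
    for idx, (name, check, items) in enumerate(entries):
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if any(request.get(attr) != value for attr, value in check.items()):
            continue
        matched.append(idx)
        fall_through = False
        for attr, value in items.items():
            if attr == "Fall-Through":
                fall_through = (value == "Yes")
                continue
            # Stand-in for the server's expansion of a back-quoted %{Attr} value.
            reply[attr] = re.sub(r"%\{([^}]+)\}",
                                 lambda m: request.get(m.group(1), ""), value)
        if not fall_through:
            break  # first match wins unless Fall-Through = Yes
    return reply, matched

# Constructed inner-tunnel request carrying the real identity.
INNER_REQUEST = {"User-Name": "t00037191", "FreeRADIUS-Proxied-To": "127.0.0.1"}

# The entry from the thread: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
PROXIED_ENTRY = ("DEFAULT", {"FreeRADIUS-Proxied-To": "127.0.0.1"},
                 {"User-Name": "%{User-Name}"})

def earlier_default(fall_through):
    """Hypothetical catch-all entry placed before the proxied entry."""
    items = {"Session-Timeout": "900"}
    if fall_through:
        items["Fall-Through"] = "Yes"
    return ("DEFAULT", {}, items)

def reply_for(fall_through):
    entries = [earlier_default(fall_through), PROXIED_ENTRY]
    return process_users(entries, INNER_REQUEST)

if __name__ == "__main__":
    for ft in (False, True):
        reply, matched = reply_for(ft)
        print(f"Fall-Through on earlier entry={ft}: matched={matched} reply={reply}")
```

Without Fall-Through on the earlier entry, the proxied entry is never reached and the reply carries no User-Name from it.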


On 3/10/2007, "Chris Bradshaw" <cwbshaw at gmail.com> wrote:

>Hi....
>
>The debug output was pretty much the same as my first email. I have
>attached it below anyway. This debug output was taken with freeradius
>1.1.7 and the following configured:
>
>* Enabled use_tunneled_reply & copy_request_to_tunnel.
>
>* Have the following in the users file:
>DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
>       User-Name := `%{User-Name}`
>
>Am I correct in saying that the NAS will send an Accounting-Request
>using the User-Name it received in the previous Access-Accept?
>
>If so, how can it be the fault of the NAS if freeradius (in spite of
>trying the settings above) is still sending an Access-Accept with
>User-Name set to anonymous?
>
>TIA
>
>Chris.
>
>
>rlm_ldap: user t00037191 authenticated succesfully
>rlm_sql (sql): Processing sql_postauth
>rlm_sql (sql): Reserving sql socket id: 4
>rlm_sql (sql): Released sql socket id: 4
>  TTLS: Got tunneled reply RADIUS code 2
>        Tunnel-Private-Group-Id:1 = "90"
>        Tunnel-Medium-Type:1 = IEEE-802
>        Tunnel-Type:1 = VLAN
>        Session-Timeout = 900
>rlm_sql (sql): Processing sql_postauth
>rlm_sql (sql): Reserving sql socket id: 3
>rlm_sql (sql): Released sql socket id: 3
>Sending Access-Accept of id 58 to 10.11.2.91 port 1645
>        Tunnel-Private-Group-Id:1 = "90"
>        Tunnel-Medium-Type:1 = IEEE-802
>        Tunnel-Type:1 = VLAN
>        Session-Timeout = 900
>        MS-MPPE-Recv-Key = 0x916f89b88b0096fa19178e281a02f35c1291005c5942e5a2c5e1257e45d0e658
>        MS-MPPE-Send-Key = 0x63d4685ca902be7473bcf3d62d730a77c5fe4648aab0834fac5f41178a424a7d
>        EAP-Message = 0x03080004
>        Message-Authenticator = 0x00000000000000000000000000000000
>        User-Name = "anonymous"
>rad_recv: Accounting-Request packet from host 10.11.2.91:1646, id=143, length=229
>        Acct-Session-Id = "00002246"
>        Called-Station-Id = "0011.5cc7.1be0"
>        Calling-Station-Id = "0090.4b28.86b0"
>        Cisco-AVPair = "ssid=ittwlan"
>        Cisco-AVPair = "vlan-id=90"
>        Cisco-AVPair = "nas-location=unspecified"
>        User-Name = "anonymous"
>        Cisco-AVPair = "connect-progress=Call Up"
>        Acct-Authentic = RADIUS
>        Acct-Status-Type = Start
>        NAS-Port-Type = Wireless-802.11
>        Cisco-NAS-Port = "7190"
>        NAS-Port = 7190
>        Service-Type = Framed-User
>        NAS-IP-Address = 10.11.2.91
>        Acct-Delay-Time = 0
>rlm_sql (sql): Reserving sql socket id: 2
>rlm_sql (sql): Released sql socket id: 2
>
>
>
>On 03/10/2007, Alan DeKok <aland at deployingradius.com> wrote:
>> Chris Bradshaw wrote:
>> > However, I have tried the suggestions in this reply:
>> >
>> > * Enable use_tunneled_reply & copy_request_to_tunnel (I already had
>> > these enabled).
>> >
>> > * Have the following in the users file:
>> > DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
>> >         User-Name := `%{User-Name}`
>>
>>   And... what do you see in the Access-Accept when you run in debugging
>> mode?
>>
>> > ....but it still makes no difference.....radwho still returns
>> > 'anonymous' whenever I log in.
>>
>>   Stop looking at radwho.  Its output is WAY down the chain of cause
>> and effect.
>>
>>   1) ensure that the real user name is in the Access-Accept.
>>      If not, make it appear there.
>>   2) ensure that the accounting request contains the real user name
>>      If it contains "anonymous", buy a real NAS.  Your NAS is broken.
>>
>>   After that, radwho *should* do the right thing.
>>
>>   Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>




More information about the Freeradius-Users mailing list