Logging authentication attempts while TLS session resumption (caching) is enabled

Jason Wittlin-Cohen jwittlincohen at gmail.com
Fri Dec 12 23:39:11 CET 2008


When authenticating via PEAP or TTLS with an anonymous identity, the log
shows both the anonymous identity and the real identity tunneled through the
TLS tunnel. However, when TLS session resumption (caching) is enabled, only
the anonymous identity is logged. This is presumably due to the fact that
the user is not actually sending the real ID and password through the
tunnel; rather the saved session is being used. However, being that the
tunneled username is still available, and obtained from the cache, it should
be available to log. Is this the intended behavior? It would seem that
logging authentication attempts would be more useful if the real username
were provided in addition to the anonymous identity.

Caching disabled:

Fri Dec 12 17:35:38 2008 : Auth: Login OK: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS tunnel)
Fri Dec 12 17:35:38 2008 : Auth: Login OK: [Anonymous] (from client Wireless port 55 cli 0013e87d571d)

Caching enabled:

Fri Dec 12 17:35:56 2008 : Auth: Login OK: [Anonymous] (from client Wireless port 55 cli 0013e87d571d)

However, the tunneled username does seem to be available. It's obtained from
the cache and added to the Access-Accept message:

[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[peap] Adding cached attributes to the reply:
        User-Name = "Jason Wittlin-Cohen"

Jason

-- 
Jason Wittlin-Cohen
Yale Law School, Class of 2010
jason.wittlin-cohen at yale.edu
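The following is an added example, not code from the post above or from the FreeRADIUS project. It shows one way a log reviewer can recover the tunneled identity for resumed sessions from the "Auth: Login OK" lines as they appear in the post: when a full authentication produces both an inner "via TLS tunnel" record and an outer anonymous record in the same second from the same client, the two are paired, and the inner identity is remembered against the calling station ("cli ..."). A later outer-only record from the same calling station (the resumed-session case) is then attributed to that identity. The sample log is constructed to match the post's format, written one record per line as radius.log does; the pairing key (timestamp plus client name) and the MAC-based carry-over are assumptions of this example and are only a heuristic, since two stations on the same NAS authenticating in the same second would collide, and a station's identity may change between sessions.

```python
import re
from collections import namedtuple

# Constructed sample log, patterned on the lines quoted in the post above.
# The first two records are one full PEAP authentication (inner identity
# logged "via TLS tunnel", then the outer anonymous identity). The third is a
# resumed session from the same calling station: only the outer identity is
# logged. The fourth is a station we have never seen a full auth for.
SAMPLE_LOG = """\
Fri Dec 12 17:35:38 2008 : Auth: Login OK: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS tunnel)
Fri Dec 12 17:35:38 2008 : Auth: Login OK: [Anonymous] (from client Wireless port 55 cli 0013e87d571d)
Fri Dec 12 17:35:56 2008 : Auth: Login OK: [Anonymous] (from client Wireless port 55 cli 0013e87d571d)
Fri Dec 12 17:36:10 2008 : Auth: Login OK: [Anonymous] (from client Wireless port 56 cli 00aabbccddee)
"""

# Matches a "Login OK" record. "cli" (calling station) is only present on the
# outer record; " via TLS tunnel" only on the inner one.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: Login OK: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^\s)]+))?(?P<tunnel> via TLS tunnel)?\)$"
)

# status is "full" (inner record paired directly), "resumed" (identity carried
# over from this station's last full auth, a heuristic) or "unknown".
Login = namedtuple("Login", "ts outer inner cli client status")


def parse_line(line):
    """Return the record fields of a Login OK line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def correlate(log_text):
    """Pair outer (anonymous) Login OK records with the tunneled identity."""
    pending_inner = {}  # (ts, client) -> inner user from a "via TLS tunnel" line
    last_full = {}      # cli (calling station) -> inner user at its last full auth
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ts"], rec["client"])
        if rec["tunnel"]:
            # Inner record: hold it until the outer record in the same second.
            pending_inner[key] = rec["user"]
            continue
        inner = pending_inner.pop(key, None)
        if inner is not None:
            status = "full"
            if rec["cli"]:
                last_full[rec["cli"]] = inner
        elif rec["cli"] in last_full:
            # No inner record was logged (session resumption); assume the
            # station is still the user from its last full authentication.
            inner = last_full[rec["cli"]]
            status = "resumed"
        else:
            status = "unknown"
        results.append(Login(rec["ts"], rec["user"], inner,
                             rec["cli"], rec["client"], status))
    return results


if __name__ == "__main__":
    for login in correlate(SAMPLE_LOG):
        print(f"{login.ts}  outer={login.outer!r:12} inner={login.inner!r:24} "
              f"cli={login.cli} status={login.status}")
```

Records flagged "resumed" are exactly the ones the post describes: the outer identity was logged without an inner record, so the identity shown for them is inferred from the station's earlier full authentication rather than read from the log, and should be treated with corresponding caution.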