Acct-Authentic & changing usernames

Alan DeKok aland at deployingradius.com
Thu Feb 14 14:45:43 CET 2008


Phil Mayers wrote:
> We're bringing a Cisco (formerly Airespace) lightweight wireless system
> online, and I'm seeing some odd things in the accounting.
> 
> Specifically, the usernames can change in the accounting packets.

  The NAS is broken.

  Some NASes do "helpful" things like snoop traffic, and update RADIUS
accounting information based on that.  e.g. "anonymous" is seen in TTLS,
but "bob" logs in via Windows.  So the accounting User-Name is updated
to be "bob".

> It seems the NAS is having a changing view of the authentication
> username as various events take place, presumably at the EAPOL layer.

  Nope.  It's snooping IPv4 traffic.

> Now the Cisco WLC (nee Airespace) is a weird bit of kit anyway; it sort
> of "holds onto" client sessions in case they come back shortly (not
> unusual for wireless) but I'm wondering if this behaviour is legal, sane
> or what?

  The behavior is wrong.  It's not forbidden in RFC 2866, but it's retarded.

> I can probably fix our SQL queries, but I thought people might be
> interested; for interest, what was the original rationale behind the
> where clause in the default SQL queries:
> 
>  where username='%{SQL-User-Name}'

  Realms.

  Alan DeKok.
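The effect discussed in this thread, as an added example that is not part of the original message and is not FreeRADIUS code: it replays constructed accounting packets into a simplified table and compares an update that also matches on username with one keyed only on NAS and session ID. The table `acct`, its columns, the packet values and the assumption that updates also match on session ID are all illustrative.

```python
import sqlite3

# Constructed packets (type, nas, session, user, octets): session a1 changes
# its User-Name from "anonymous" to "bob" mid-session, session b2 is stable.
FIELDS = ("type", "nas", "session", "user", "octets")
PACKETS = [dict(zip(FIELDS, t)) for t in [
    ("Start", "192.0.2.10", "a1", "anonymous", 0),
    ("Interim-Update", "192.0.2.10", "a1", "bob", 5000),
    ("Stop", "192.0.2.10", "a1", "bob", 9000),
    ("Start", "192.0.2.10", "b2", "alice", 0),
    ("Stop", "192.0.2.10", "b2", "alice", 700),
]]

def replay(packets, match_username):
    """Replay packets into a simplified accounting table (hypothetical schema).

    Returns (rows, missed): final rows and the updates that matched no row.
    """
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acct (nas TEXT, session TEXT, username TEXT,"
               " octets INTEGER, stopped INTEGER DEFAULT 0)")
    where = "nas = :nas AND session = :session"
    if match_username:
        where += " AND username = :user"  # the kind of clause asked about in the thread
    missed = []
    for p in packets:
        if p["type"] == "Start":
            db.execute("INSERT INTO acct (nas, session, username, octets)"
                       " VALUES (:nas, :session, :user, :octets)", p)
            continue
        cur = db.execute("UPDATE acct SET octets = :octets, stopped = :stopped"
                         " WHERE " + where,
                         {**p, "stopped": int(p["type"] == "Stop")})
        if cur.rowcount == 0:  # update silently matched nothing
            missed.append((p["session"], p["type"], p["user"]))
    rows = db.execute("SELECT session, username, octets, stopped FROM acct"
                      " ORDER BY session").fetchall()
    return rows, missed

def changed_usernames(packets):
    """Return {(nas, session): [names in order seen]} for sessions with more than one User-Name."""
    seen = {}
    for p in packets:
        names = seen.setdefault((p["nas"], p["session"]), [])
        if p["user"] not in names:
            names.append(p["user"])
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print(replay(PACKETS, match_username=True))
    print(replay(PACKETS, match_username=False))
    print(changed_usernames(PACKETS))
```

With the username in the match, session a1 stays open with zero octets recorded, so the usage is never closed out or attributed; `changed_usernames` lists the sessions to review.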




