Inner identity in accounting logs
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Thu Feb 19 18:45:03 CET 2009
Arran Cudbard-Bell wrote:
> Alan DeKok wrote:
>> Jonathan Gazeley wrote:
>>> I'm running FreeRADIUS 2.1.1.
>>>
>>> My config block in the post-auth section of the inner-tunnel server
>>> currently reads:
>>>
>>> update outer.reply {
>>> User-Name := "testing-%{User-Name}"
>>> }
>>>
>>>
>>> FR does indeed appear to be using this block:
>> Just checking this again...
>
>>> expand: testing-%{User-Name} -> testing-jg4461
>>> ++[outer.reply] returns ok
>>>
>>> Authenticating with outer ID "qwerty99" and inner ID "jg4461" gives
>>> output as in the attached log, included to give context. The outer
>>> server is "uobresnet" and the inner one is still called "inner-tunnel".
>> This works for me in the most recent git tree. I set "outer.reply"
>> with a different User-Name, and I see it in the final reply.
>
> Ok, i'll confirm that shortly...
Yep it works:
rad_recv: Access-Request packet from host 139.184.8.16 port 1024, id=90, length=312
Framed-MTU = 1480
NAS-IP-Address = 139.184.8.16
NAS-Identifier = "hp-e-uscs-dev-h-sw1"
User-Name = "anonymous@sussex.ac.uk"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-14-38-fb-94-00"
Calling-Station-Id = "00-1f-5b-33-42-a1"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
[ttls] Got tunneled request
User-Name = "ac221"
User-Password = "***"
FreeRADIUS-Proxied-To = 127.0.0.1
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
expand: %{Stripped-User-Name} -> ac221
++[outer.reply] returns noop
[ttls] Got tunneled reply code 2
[ttls] Got tunneled Access-Accept
[ttls] Saving response in the cache
++[eap] returns ok
++? if ("%{reply:User-Name}")
expand: %{reply:User-Name} -> ac221
? Evaluating ("%{reply:User-Name}") -> TRUE
++? if ("%{reply:User-Name}") -> TRUE
++- entering if ("%{reply:User-Name}") {...}
expand: %{reply:User-Name} -> ac221
+++[request] returns ok
+++- entering policy uidrewrite {...}
++++? if ("%{request:User-Name}")
expand: %{request:User-Name} -> ac221
? Evaluating ("%{request:User-Name}") -> TRUE
++++? if ("%{request:User-Name}") -> TRUE
++++- entering if ("%{request:User-Name}") {...}
+++++? if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/)
expand: %{request:User-Name} -> ac221
? Evaluating ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
+++++? if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) -> TRUE
+++++- entering if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) {...}
expand: %{1} -> ac221
++++++[request] returns ok
expand: %{3} ->
expand: %{%{3}:-sussex.ac.uk} -> sussex.ac.uk
++++++[request] returns ok
+++++- if ("%{request:User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) returns ok
+++++ ... skipping else for request 20: Preceding "if" was taken
++++- if ("%{request:User-Name}") returns ok
+++- policy uidrewrite returns ok
expand: %{Stripped-User-Name}@%{Stripped-User-Domain} -> ac221@sussex.ac.uk
+++[reply] returns ok
++- if ("%{reply:User-Name}") returns ok
All good :)
That's with copy_request_to_tunnel = no
and
use_tunneled_reply = no
The complex-looking stuff is just the server combining the outer domain
with the inner identity to produce a routeable, non-anonymised username
for the NAS to use in accounting packets...
Thanks,
Arran
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
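The username rewrite traced in the debug output above, modelled in Python as an added example (this is not code from the mailing list post or from FreeRADIUS; the real policy is unlang in the inner-tunnel post-auth section). It reuses the regex shown in the log and the `%{%{3}:-sussex.ac.uk}` fallback. Assumptions not in the original: POSIX `[:alnum:]` is written as its ASCII equivalent; the untaken `else` branch of `uidrewrite` is treated as "rewrite nothing"; and `outer_default_realm` generalises the hard-coded `sussex.ac.uk` by taking the realm from the outer (anonymous) identity, which is one reading of "combining the outer domain with the inner identity".

```python
import re

# Regex as it appears in the debug output. POSIX [:alnum:] is approximated
# with ASCII letters and digits (assumption; FreeRADIUS's regex library may
# also accept locale-specific alphanumerics).
UID_RE = re.compile(r"^([^@]*)(@([-A-Za-z0-9.]+))?$")


def uidrewrite(user_name, default_realm):
    """Model of the 'uidrewrite' policy traced in the log.

    Returns (Stripped-User-Name, Stripped-User-Domain) when the regex
    matches, or None when it does not (the log's untaken 'else' branch,
    whose contents the page does not show).
    """
    m = UID_RE.match(user_name)
    if m is None:
        return None
    local = m.group(1)                    # %{1}
    realm = m.group(3) or default_realm   # %{%{3}:-sussex.ac.uk}
    return local, realm


def accounting_user_name(inner_reply, default_realm):
    """Model of the inner-tunnel post-auth block traced in the log.

    inner_reply is a dict of the tunneled reply's attributes. Returns the
    User-Name the outer reply should carry, i.e. what the NAS will put in
    its accounting packets. Returns None when the reply has no User-Name
    (the outer 'if' is not taken) or when uidrewrite does not match
    (assumption: nothing is rewritten in that case).
    """
    reply_name = inner_reply.get("User-Name", "")
    if not reply_name:                    # if ("%{reply:User-Name}") -> FALSE
        return None
    # request:User-Name := "%{reply:User-Name}", then the uidrewrite policy
    parts = uidrewrite(reply_name, default_realm)
    if parts is None:
        return None
    stripped_name, stripped_domain = parts
    # reply User-Name := "%{Stripped-User-Name}@%{Stripped-User-Domain}"
    return f"{stripped_name}@{stripped_domain}"


def outer_default_realm(outer_user_name, fallback="sussex.ac.uk"):
    """Pick the default realm from the outer (anonymous) identity.

    Assumption: the log hard-codes sussex.ac.uk; deriving it from the
    outer identity the request was routed on is one way to generalise
    that. The outer identity is otherwise never used as a source for the
    accounting username.
    """
    parts = uidrewrite(outer_user_name, fallback)
    return parts[1] if parts else fallback


if __name__ == "__main__":
    # Constructed sample mirroring the attributes in the debug output above.
    outer_request = {"User-Name": "anonymous@sussex.ac.uk"}
    inner_reply = {"User-Name": "ac221"}
    realm = outer_default_realm(outer_request["User-Name"])
    print(accounting_user_name(inner_reply, realm))  # ac221@sussex.ac.uk
```

Two behaviours of the page's regex are worth knowing before relying on it: an inner identity that already carries a realm (`ac221@other.example`) keeps that realm rather than the outer one, so whatever realm the supplicant put inside the tunnel ends up in accounting; and an identity whose realm contains characters outside `[-[:alnum:].]` (or a bare trailing `@`) does not match at all, which lands in the `else` branch the page does not show.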