Chargeable-User-Identity implementation

Alexander Clouter alex at digriz.org.uk
Tue Nov 16 13:30:12 CET 2010


Stefan Winter <stefan.winter at restena.lu> wrote:
> 
> since quite a while, there's an implementation of 
> Chargeable-User-Identity in the works by people of eduroam R&D (inside 
> the GEANT3 project).
> 
> Attached is the most recent implementation. We hope that it is worthy of 
> inclusion into the mainline release now: it's a small set of new files 
> (modules/cui, SQL schema definitions) and a few stand-in replacements 
> that augment some shipped files (policy.conf, sites-available/*).
> 
From my perspective, Chargeable-User-Identity is something that should 
be logged with the 'custom' SQL logging rules being used.  Slipping it 
into a separate table, somehow feels weird; I guess that's what makes me 
a packet-pusher and someone else a database guru :)

Some passing comments, before I show what I do for CUI:
 * I thought Client-IP-Address was deprecated and we all should be using 
	'%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}'
 * section 2.1 of RFC 4372 lets you be awkward about mis-matching CUI's 
	and offers you the option to Reject :)
 * not too sure about the outer.request bits.  It seems cleaner to get 
	the inner layer to return just the User-Name to the outer layer, 
	the outer layer can then add the CUI bits (as if it was a 
	non-EAP request) and trim the User-Name in the reply packet 
	before it sends out the Access-Accept
 * I never thought to add Operator-Name as part of the hash key for CUI, 
	noted for myself, ta
 * not sure about even having cui_require_operator_name as the 
	user's realm would tell you who you need to pester surely?

My approach is a bit more softly-softly (although I will admit it has 
not had any field testing), most of the brains is here in policy.conf:
----
cui {
        if (Realm == "%{config:local.MY.realm}") {
                update control {
                        # md5(cui_hash_key + user at realm)
                        Chargeable-User-Identity := "%{md5:%{config:local.MY.cui_hash_key}%{tolower:%{%{reply:User-Name}:-%{request:User-Name}}}}"
                }

                # the NAS either asked for a CUI or presented one it was given earlier
                if ((request:Chargeable-User-Identity)) {
                        update reply {
                                Chargeable-User-Identity := "%{control:Chargeable-User-Identity}"
                        }

                        # a lone NUL octet merely requests a CUI (RFC 4372); anything
                        # else is a previously issued CUI and must match ours
                        if (request:Chargeable-User-Identity != "\\000") {
                                if (request:Chargeable-User-Identity != reply:Chargeable-User-Identity) {
                                        update reply {
                                                Reply-Message := "CUI Mismatch"
                                        }
                                        reject
                                }
                        }
                }
                # no CUI in the request (e.g. accounting): stamp ours in so it gets logged
                else {
                        update request {
                                Chargeable-User-Identity := "%{control:Chargeable-User-Identity}"
                        }
                }

                ok
        }

        noop
}
----

Then for internal clients I have something like [1]:
----
post-auth {
        update reply {
                Operator-Name := "1%{config:local.MY.realm}"
        }

        cui

        [snipped policy]

        [snipped logging]
}

accounting {
        [snipped logging]

        cui

        [snipped logging]
}

pre-proxy {
        if (Packet-Type != "Accounting-Request") {
                update proxy-request {
                        Service-Type := Authenticate-Only
                        Chargeable-User-Identity := "\\000"
                }
        }

        update proxy-request {
                Operator-Name := "1%{config:local.MY.realm}"

                NAS-IP-Address := "%{config:local.MY.addr.lanwarden.v4}"
                NAS-IPv6-Address := "%{config:local.MY.addr.lanwarden.v6}"
        }

        [snipped logging]
}
----

For the roamers:
----
post-auth {
        cui

        [snipped policy]

        [snipped logging]
}
----

For the SQL logging, it is just an extra column on my table:
----
CREATE TABLE dot1x_auth
(
  id bigserial NOT NULL,
  realm character varying(253),
  nas_ip_address inet,
  nas_port_type character varying(32),
  nas_port_id character varying(64),
  calling_station_id character varying(64) NOT NULL,
  called_station_id character varying(64),
  packet_src_address inet NOT NULL,
  nas_identifier character varying(253),
  reply_message character varying(253),
  module_message character varying(253),
  eap_type character varying(16),
  auth_type character varying(16),
  "timestamp" timestamp with time zone NOT NULL,
  packet_type character varying(32) NOT NULL,
  tunnel_private_group_id character varying(32),
  user_name character varying(253) NOT NULL,
  inet_client_addr inet NOT NULL DEFAULT inet_client_addr(),
  nas_port integer,
  nas_ipv6_address inet,
  chargeable_user_identity character varying(253),  -- <------
  operator_name character varying(253),             -- <------
  CONSTRAINT dot1x_auth_id PRIMARY KEY (id)
);
----

Cheers

[1] snipped irrelevant bits of course, if anyone wants our full 
	FreeRADIUS config dump to see this in real life then do ask 
	offlist

-- 
Alexander Clouter
.sigmonster says: BOFH excuse #120:
                  we just switched to FDDI.
