Freeradius accounting of inner identity when using PEAP
Pietro Accerboni
ace at sissa.it
Tue Dec 27 13:02:22 CET 2011
Hi all,
I'm testing accounting on a freeradius (version 2.1.11). The nas
appliances are Cisco Wireless APs, and I've configured PEAP/MSCHAPv2
authentication (using an openldap backend, where the freeradius server
verifies usernames and passwords).
Anyway, all works, so authentication succeeds without issues, and also I
get network access accounting info on the radius server (I see the 1813
port radius packets, also I can see users with radwho).
The problem arises from the tunneled nature of PEAP. Accounting works, I
guess, only on the external attribute User-Name, so all users that
(correctly) configure the outer identity with a generic 'anonymous' are
logged in the accounting session with the same, useless, username:
# radwho
Login Name What TTY When From Location
anonymous anonymous shell S276 Tue 11:53 10.4.5.5
But in my configuration freeradius is not only a proxy, it also behaves
as an eap server, manages the tls tunnel with the user supplicant, and
verifies the inner peap/mschapv2 credentials, so from the freeradius '-X'
log I can see:
------------------------------------
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020a00061a03
server {
[peap] Setting User-Name to 'realusername'
---------------------------------------
Here 'realusername' is a placeholder for one of my real users, but I
can get this info only running freeradius with the '-X' option.
Is there some practical way to get this information from freeradius or,
better, 'link' this information with the Accounting-Request packets I
get from the nas after the authentication phase?
Thanks in advance
Pietro
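As an added example (not from Pietro's post and not the FreeRADIUS project's own documentation), the usual way to get the inner identity into accounting is to have the server hand it back to the NAS in the outer Access-Accept, so the NAS sends the real name instead of 'anonymous' in its Accounting-Requests. This assumes a stock 2.1.x raddb/ layout with the default and inner-tunnel virtual servers, and a NAS that uses the User-Name returned in the Access-Accept for accounting (RFC 2865 permits this; whether a given Cisco AP firmware does it is an assumption to verify):

```unlang
# --- raddb/sites-enabled/inner-tunnel ---------------------------------
# The inner-tunnel virtual server handles the decrypted PEAP/MSCHAPv2
# exchange, so User-Name here is the identity that was actually
# authenticated against LDAP, not the anonymous outer identity.
post-auth {
    # Copy the authenticated inner identity into the OUTER Access-Accept.
    # "outer.reply" is the reply list of the enclosing (PEAP) request.
    update outer.reply {
        User-Name := "%{User-Name}"
    }
}

# --- raddb/sites-enabled/default --------------------------------------
# Defensive check on the accounting side (example logic): if a NAS still
# reports the anonymous outer identity, flag it in the debug log instead
# of silently writing a useless record.
accounting {
    # "anonymous" is the outer identity the supplicants are configured
    # with in this setup; adjust to whatever your clients use.
    if (User-Name == "anonymous") {
        update request {
            Module-Failure-Message := "NAS did not use returned User-Name for accounting"
        }
    }
    detail
    radutmp
}
```

Returning the real name in the Access-Accept exposes the inner identity in cleartext on the NAS-to-server leg (only User-Password is obfuscated in RADIUS), which the PEAP tunnel was hiding in the Access-Request; that is usually acceptable on a trusted management network but is worth deciding consciously. A variant is to return it in the Class attribute, which RFC 2865 requires the NAS to echo in accounting, but Class is an octets attribute and "%{Class}" expands as a hex string in unlang, so the accounting side then needs a decoding step.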