anonymous user when proxying

Scott Armitage S.P.Armitage at lboro.ac.uk
Wed Feb 13 16:35:16 CET 2013


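If users choose to protect their identity, that is their prerogative. Using an anonymous outer identity in eduroam is best practice, and you certainly shouldn't reject a user because they use one (see the eduroam service policy). The real (inner) identity is carried inside the EAP-TTLS/PEAP TLS tunnel, which terminates at the user's home server, so a site that only proxies the request never sees it.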

The best you can do is configure your RADIUS server to request a CUI (Chargeable-User-Identity, RFC 4372) from the IdP. However, given how few sites implement CUI, you won't get many responses.

Regards

Scott Armitage

Hocine M <hocine.maoucha at free.fr> wrote:



Hi,

Some users who are proxied (eduroam) are accounted with User-Name = anonymous at realm.
I don't want to have anonymous users in my database. Do I have to reject anonymous users in the post-proxy section, or is there something I can do to force users to use their inner identity?

Here are the files:


pre-proxy-detail-20130213 :

Wed Feb 13 14:03:47 2013
    Packet-Type = Access-Request
    NAS-Port-Id = "AP86/1"
    Calling-Station-Id = "94-39-E5-B7-CB-51"
    Called-Station-Id = "00-0B-0E-D2-CD-40:eduroam"
    Service-Type = Framed-User
    EAP-Message = 0x0201001f01616e6f6e796d6f75734073742d616e64726577732e61632e756b
    User-Name = "anonymous at st-andrews.ac.uk"
    NAS-Port = 25861
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Message-Authenticator = 0x0393b59dea7efd51d506eb73899531ef
    Realm = "st-andrews.ac.uk"
    EAP-Type = Identity
    Proxy-State = 0x313031

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Request
    NAS-Port-Id = "AP86/1"
    Calling-Station-Id = "94-39-E5-B7-CB-51"
    Called-Station-Id = "00-0B-0E-D2-CD-40:eduroam"
    Service-Type = Framed-User
    User-Name = "anonymous at st-andrews.ac.uk"
    NAS-Port = 25861
    State = 0xe5a5ab65e5a7be1056566c4c9fd4c6e8
    EAP-Message = 0x020200381500160301002d01000029030193958cf5417b1d83d6a46747e4273b6050850d0a2360fec88d289a1381663830000002000a0100
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Message-Authenticator = 0x5b389846257ea4135f53a64e6e1c5a48
    Realm = "st-andrews.ac.uk"
    EAP-Type = EAP-TTLS
    Proxy-State = 0x313032

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Request
    NAS-Port-Id = "AP86/1"
    Calling-Station-Id = "94-39-E5-B7-CB-51"
    Called-Station-Id = "00-0B-0E-D2-CD-40:eduroam"
    Service-Type = Framed-User
    User-Name = "anonymous at st-andrews.ac.uk"
    NAS-Port = 25861
    State = 0xe5a5ab65e4a6be1056566c4c9fd4c6e8
    EAP-Message = 0x020300061500
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Message-Authenticator = 0x33638595ef790cd81017538ba1b1aaca
    Realm = "st-andrews.ac.uk"
    EAP-Type = EAP-TTLS
    Proxy-State = 0x313033

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Request
    NAS-Port-Id = "AP86/1"
    Calling-Station-Id = "94-39-E5-B7-CB-51"
    Called-Station-Id = "00-0B-0E-D2-CD-40:eduroam"
    Service-Type = Framed-User
    User-Name = "anonymous at st-andrews.ac.uk"
    NAS-Port = 25861
    State = 0xe5a5ab65e7a1be1056566c4c9fd4c6e8
    EAP-Message = 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
    EAP-Message = 0x9931b51bda9aa98affffd17d58055fef6e5e84b3371403010001011603010028ddea1f8780c6a9d3720778e46e560fd071eb9f9d57122dba9896f9ceb57a1b2a8362520d84d02749
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Message-Authenticator = 0x7612d9dc287bd580845d59f08dcfbe34
    Realm = "st-andrews.ac.uk"
    EAP-Type = EAP-TTLS
    Proxy-State = 0x313034

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Request
    NAS-Port-Id = "AP86/1"
    Calling-Station-Id = "94-39-E5-B7-CB-51"
    Called-Station-Id = "00-0B-0E-D2-CD-40:eduroam"
    Service-Type = Framed-User
    User-Name = "anonymous at st-andrews.ac.uk"
    NAS-Port = 25861
    State = 0xe5a5ab65e6a0be1056566c4c9fd4c6e8
    EAP-Message = 0x02050053150017030100480e445bd302a42efdfef640de32d514973a61346521acdd65dc5bc693613769788942c27a2d6094dbc6da60622adb4cdf5554289d9f25f984016a59b3644d7f26e6add7c54d1f707a
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Message-Authenticator = 0x7bd5e919aa147bf656ec791de2e403ad
    Realm = "st-andrews.ac.uk"
    EAP-Type = EAP-TTLS
    Proxy-State = 0x313035

Wed Feb 13 14:03:49 2013
    Packet-Type = Accounting-Request
    Acct-Status-Type = Start
    Acct-Authentic = RADIUS
    Acct-Multi-Session-Id = "SESS-25861-54b752-760627-f3b"
    Acct-Session-Id = "SESS-25861-54b752-760627-f3b"
    User-Name = "anonymous at st-andrews.ac.uk"
    Event-Timestamp = "Feb 13 2013 14:03:49 CET"
    Trapeze-VLAN-Name = "EduExterieurs"
    Calling-Station-Id = "94-39-E5-B7-CB-51"
    NAS-Port-Id = "AP86/1"
    Called-Station-Id = "00-0B-0E-D2-CD-40:eduroam"
    NAS-Port = 25861
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Acct-Delay-Time = 0
    Acct-Unique-Session-Id = "b99f09261adf3886"
    Realm = "st-andrews.ac.uk"
    SQL-User-Name = "anonymous at st-andrews.ac.uk"
    Proxy-State = 0x313036

Wed Feb 13 14:03:49 2013
    Packet-Type = Accounting-Request
    Acct-Status-Type = Interim-Update
    Acct-Authentic = RADIUS
    Acct-Multi-Session-Id = "SESS-25861-54b752-760627-f3b"
    Acct-Session-Id = "SESS-25861-54b752-760627-f3b"
    User-Name = "anonymous at st-andrews.ac.uk"
    Event-Timestamp = "Feb 13 2013 14:03:49 CET"
    Trapeze-VLAN-Name = "EduExterieurs"
    Calling-Station-Id = "94-39-E5-B7-CB-51"
    NAS-Port-Id = "AP86/1"
    Called-Station-Id = "00-0B-0E-D2-CD-40:eduroam"
    NAS-Port = 25861
    Framed-IP-Address = 10.56.0.150
    Acct-Session-Time = 0
    Acct-Output-Octets = 6503
    Acct-Input-Octets = 852
    Acct-Output-Packets = 33
    Acct-Input-Packets = 9
    NAS-Port-Type = Wireless-802.11
    NAS-IP-Address = 192.168.58.5
    NAS-Identifier = "Trapeze"
    Acct-Delay-Time = 0
    Acct-Unique-Session-Id = "b99f09261adf3886"
    Realm = "st-andrews.ac.uk"
    SQL-User-Name = "anonymous at st-andrews.ac.uk"
    Proxy-State = 0x313037

post-proxy-detail-20130213:

Wed Feb 13 14:03:47 2013
    Packet-Type = Access-Challenge
    EAP-Message = 0x010200061520
    Message-Authenticator = 0x5597c09a77425ab825ec3249891e2190
    State = 0xe5a5ab65e5a7be1056566c4c9fd4c6e8
    Proxy-State = 0x313031
    User-Name = "anonymous at st-andrews.ac.uk"

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Challenge
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 0x4dc85a6e5d33d2bdb3247c15
    Message-Authenticator = 0x65e248512615f7c513c0946bf35d2094
    State = 0xe5a5ab65e4a6be1056566c4c9fd4c6e8
    Proxy-State = 0x313032
    User-Name = "anonymous at st-andrews.ac.uk"

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Challenge
    EAP-Message = 0x0104003a1580000004263f3dc8215cb0cd7c8e55b65d99c04451783bdf02bcec5dd8d2aae8f0b200d88a80c0dbbe5d61a016030100040e000000
    Message-Authenticator = 0x622409db334bce79661140feed35eb90
    State = 0xe5a5ab65e7a1be1056566c4c9fd4c6e8
    Proxy-State = 0x313033
    User-Name = "anonymous at st-andrews.ac.uk"

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Challenge
    EAP-Message = 0x0105003d1580000000331403010001011603010028bc24baaea5a666880bc51e50e5edd318c5984f5fbb499801b149ec4685d4804f164953085d88543f
    Message-Authenticator = 0x129341e8d29515e6b24d6f4687c8244b
    State = 0xe5a5ab65e6a0be1056566c4c9fd4c6e8
    Proxy-State = 0x313034
    User-Name = "anonymous at st-andrews.ac.uk"

Wed Feb 13 14:03:48 2013
    Packet-Type = Access-Accept
    MS-MPPE-Recv-Key = 0x4b2d91740191458acc38de7dcfb4828b37f1fb0e013090b33a84e049e99a85d0
    MS-MPPE-Send-Key = 0xa35c6c8f0eabc237d0669b193b03fe04ab71c4491d5f230b2e759bd4b5b652e0
    EAP-Message = 0x03050004
    Message-Authenticator = 0x471f3cfb0d19035d3ea901137dcb7c57
    User-Name = "anonymous at st-andrews.ac.uk"
    Proxy-State = 0x313035

Wed Feb 13 14:03:49 2013
    Packet-Type = Accounting-Response
    Proxy-State = 0x313036
    User-Name = "anonymous at st-andrews.ac.uk"

Wed Feb 13 14:03:49 2013
    Packet-Type = Accounting-Response
    Proxy-State = 0x313037
    User-Name = "anonymous at st-andrews.ac.uk"
