User-Name missing realm in Access-Accept
David Aldwinckle
daldwinc at uwaterloo.ca
Wed Aug 12 18:07:27 CEST 2015
Hi Alan,
Thanks for the advice. I know the version is a little old. I am waiting for 3.1 final before doing an overhaul.
Our clients are instructed to use their real userid as the outer and inner ID.
I wasn't really clear on your final suggestion. I interpreted it as follows:
in sites-enabled/default add

    post-auth {
        ...
        update reply {
            User-Name = "%{outer.request:User-Name}"
        }
        ...
    }

That did not have the desired effect. Did I misunderstand?
Thanks,
Dave
On Wed, 2015-08-12 at 15:41 +0000, A.L.M.Buxey at lboro.ac.uk wrote:
Hi,
> FreeRADIUS Version 2.1.12
first advice - upgrade to at least 2.2.9
> It has been brought to my attention that my FreeRadius servers are
> responding to proxied requests from eduroam without the suffix portion
> of the user name. This is causing accounting issues for other
> institutions.
yep.... but the code you have added would do something worse and expose
the real inner user-name of the user, therefore totally destroying the
point of anonymous outerid and revealing who they really are to the
site they are at. breaking privacy/anonymity. IF their outer-id already
has their details eg user1 at realm.com - then you can reply with that...but
if their outerid is just anonymous at realm.com or just @realm.com then
you need to reply with that in the outer-id
> I see the Access-Accept messages going out, without the suffix:
>
> Sending Access-Accept of id 62 to 142.231.112.1 port 53243
> MS-MPPE-Recv-Key = 0xd720476081b3ec7b8f7529a32f4c2c06f786a2c39aa888c7f157784db7673b47
> MS-MPPE-Send-Key = 0x593de7fcae5ba512dec5d348b4500dea9ba73044c2c68ee661f7214a073377dd
> EAP-Message = 0x030b0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "user1"
> Proxy-State = 0x4f53432d457874656e6465642d49643d3138323338
probably because in the inner-id they only have their username without the
realm anyway? update the reply in outer-id post-auth - looking at
original request there...and ensuring you don't break what they as users chose to
have configured
alan
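A way to check for the condition discussed in this thread, added here as an example that is not part of the original messages or of FreeRADIUS itself: it pairs each Access-Accept in debug output with the Access-Request of the same id and client, and flags replies whose User-Name has no realm or differs from the outer identity. It assumes the FreeRADIUS 2.x debug layout ("rad_recv: ... id=N" and "Sending ... of id N"); the function name, addresses and sample log are constructed.

```python
import re

# Constructed debug excerpt in FreeRADIUS 2.x layout; all values are made up.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 53243, id=62, length=180
\tUser-Name = "user1@example.org"
\tEAP-Message = 0x020b0006
Sending Access-Accept of id 62 to 192.0.2.10 port 53243
\tEAP-Message = 0x030b0004
\tUser-Name = "user1"
rad_recv: Access-Request packet from host 192.0.2.10 port 53243, id=63, length=176
\tUser-Name = "anonymous@example.org"
Sending Access-Accept of id 63 to 192.0.2.10 port 53243
\tUser-Name = "anonymous@example.org"
"""

RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
SEND = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)")
ATTR = re.compile(r'^\s+User-Name = "(.*)"\s*$')


def audit_accept_usernames(debug_text):
    """Return (id, client, outer_id, reply_name, reason) per bad Access-Accept."""
    requests = {}    # (client, port, id) -> outer User-Name seen in the request
    findings = []
    current = None   # (packet kind, key) whose attribute lines are being read
    for line in debug_text.splitlines():
        if m := RECV.match(line):
            current = (m.group(1), (m.group(2), m.group(3), m.group(4)))
        elif m := SEND.match(line):
            current = ("reply:" + m.group(1), (m.group(3), m.group(4), m.group(2)))
        elif current and (m := ATTR.match(line)):
            kind, key = current
            name = m.group(1)
            if kind == "Access-Request":
                requests[key] = name
            elif kind == "reply:Access-Accept":
                outer = requests.get(key)
                if "@" not in name:
                    reason = "no realm"
                elif outer is not None and name != outer:
                    reason = "differs from outer identity"
                else:
                    continue
                findings.append((key[2], key[0], outer, name, reason))
        elif not line.startswith(("\t", " ")):
            current = None   # any other unindented line ends the attribute list
    return findings
```
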