Accounting Packets and Anonymous Identity
Brian Candler
b.candler at pobox.com
Sun Feb 5 12:12:33 CET 2017
On 05/02/2017 04:14, Selahattin Cilek wrote:
> That is what I wanted to know, thank you. The NAS is a Unifi AP and does
> not let me configure EAP behaviour. It is not very successful in RADIUS
> accounting. Since I can't make the NAS behave the way I want, my only
> option is to configure RADIUS to the best of my ability.
I have a test unifi AP (AC Lite) here, and I've set it up with EAP to
demonstrate.
I think what you're trying to say is: if the user logs in with inner
username 'bob', but sets the outer identity to 'foobar', then 'foobar'
is what appears in the accounting packets from the AP.
Sun Feb 5 10:55:08 2017
        Acct-Session-Id = "000001D2-00000000"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Name = "foobar"
        NAS-Identifier = "44d9e7fc6010"
        NAS-Port = 0
        Called-Station-Id = "46-D9-E7-FD-60-10:NSRCauth"
        Calling-Station-Id = "F8-E0-79-39-9E-6C"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11b"
        NAS-IP-Address = 100.64.2.1
        Event-Timestamp = "Feb 5 2017 10:55:08 UTC"
        Tmp-String-9 = "ai:"
        Acct-Unique-Session-Id = "ca73e0836069597eb01dd8026bd8ffaa"
        Timestamp = 1486292108
Most clients provide "anonymous" as the outer identity, so that's what
you're seeing.
It can be argued that using the outer identity in accounting packets is
reasonable behaviour. After all, the whole reason the client chose
"anonymous" was so that a network sniffer could not see their real
identity. If the NAS included the real identity in accounting packets,
then a sniffer would see it.
But you want some way to tie these accounting packets back to the *real*
username. As others have already said, the generic RADIUS solution is to
add a Class attribute to the response, containing the real username (or
indeed, any other string that you like):

bob Cleartext-Password := "hello"
        Reply-Message := "Hello, %{User-Name}",
        Class := "bob"
You have to edit sites/inner-tunnel so that these attributes are copied
from inner to outer. Depending on the freeradius version you have,
you'll have to uncomment two update sections, or convert "if (0)" to
"if (1)". If it's a very old freeradius then you have to set
"use_tunneled_reply = yes".
Use tcpdump to check that the changes have worked, i.e. the new
attribute appears in the Access-Accept packet:
11:06:46.165135 IP (tos 0x0, ttl 64, id 18465, offset 0, flags [none], proto UDP (17), length 206)
    100.64.2.2.1812 > 100.64.2.1.55465: RADIUS, length: 178
      Access-Accept (2), id: 0x42, Authenticator: 382e45db7e4da3af6b004d97c7ec81bc
        Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
          Vendor Attribute: 17, Length: 50, Value: .$.c.?./7......$n.T5HQ..........D...^..._....:...@
        Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
          Vendor Attribute: 16, Length: 50, Value: ..8.1)V.C.;..W....}..f....e...#.g.9TJr..<.....&F..
        EAP-Message Attribute (79), length: 6, Value: ..
        Message-Authenticator Attribute (80), length: 18, Value: ..... at .U..6...[
        User-Name Attribute (1), length: 8, Value: foobar
        Class Attribute (25), length: 5, Value: bob
        User-Name Attribute (1), length: 5, Value: bob
And then check your accounting packets:
Sun Feb 5 11:06:46 2017
        Acct-Session-Id = "000001D2-00000004"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Name = "foobar"
        NAS-Identifier = "44d9e7fc6010"
        NAS-Port = 0
        Called-Station-Id = "46-D9-E7-FD-60-10:NSRCauth"
        Calling-Station-Id = "F8-E0-79-39-9E-6C"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Class = 0x626f62
        NAS-IP-Address = 100.64.2.1
        Event-Timestamp = "Feb 5 2017 11:06:46 UTC"
        Tmp-String-9 = "ai:"
        Acct-Unique-Session-Id = "6cb560fb2afbeb6d08a819cc2782a824"
        Timestamp = 1486292806
62 6f 62 = "b" "o" "b"
Regards,
Brian.
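As an added example (not part of Brian's mail, and not FreeRADIUS code), the script below reads accounting records in the detail-file layout shown in the mail, decodes the Class octets (FreeRADIUS logs Class as 0x-prefixed hex because it is an octets attribute in the dictionary, which is why "bob" appears as 0x626f62), and resolves each record to the real user. It handles both situations the mail touches on: a record with no Class at all, where only the outer identity ("anonymous" or "foobar") is available and the record is flagged as such, and a Class that carries an opaque server-chosen token instead of the literal username (the "any other string that you like" option), resolved through a server-side table. Because RFC 2865 requires the NAS to echo Class unmodified in every Accounting-Request for that session, the Start and Stop of one session can be grouped under the real user. The sample records, the token value and the TOKEN_TO_USER table are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in FreeRADIUS detail-file layout (not captured traffic):
#  rec 1: Start with no Class, so only the outer identity is known;
#  rec 2-3: Start/Stop where the Access-Accept carried Class = "bob" and the
#           NAS echoes it unchanged in every accounting packet (RFC 2865 5.25);
#  rec 4: Class is an opaque token the server chose instead of the username.
SAMPLE_DETAIL = """\
Sun Feb  5 10:55:08 2017
\tAcct-Session-Id = "000001D2-00000000"
\tAcct-Status-Type = Start
\tUser-Name = "anonymous"
\tTimestamp = 1486292108

Sun Feb  5 11:06:46 2017
\tAcct-Session-Id = "000001D2-00000004"
\tAcct-Status-Type = Start
\tUser-Name = "foobar"
\tClass = 0x626f62
\tTimestamp = 1486292806

Sun Feb  5 11:36:46 2017
\tAcct-Session-Id = "000001D2-00000004"
\tAcct-Status-Type = Stop
\tUser-Name = "foobar"
\tClass = 0x626f62
\tAcct-Session-Time = 1800
\tTimestamp = 1486294606

Sun Feb  5 11:40:00 2017
\tAcct-Session-Id = "000001D2-00000005"
\tAcct-Status-Type = Start
\tUser-Name = "anonymous"
\tClass = 0xd3a1f40c9b
\tTimestamp = 1486294800
"""

# Hypothetical server-side table, opaque Class token -> real user: with this
# scheme a sniffer sees only the token on the wire, never the username.
TOKEN_TO_USER: Dict[bytes, str] = {bytes.fromhex("d3a1f40c9b"): "alice"}

ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$")

def decode_value(raw: str):
    """Detail-file value syntax: "quoted string", 0x... octets (Class is an
    octets attribute, hence 0x626f62 for "bob"), integer, or bare token."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:])
    return int(raw) if raw.isdigit() else raw

def parse_detail(text: str) -> List[Dict[str, object]]:
    """A record is an unindented timestamp header followed by 'Attr = value'
    lines; a blank line ends it."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                records.append(current)
            current = None
            continue
        m = ATTR_RE.match(line)
        if m is None:  # not 'Attr = value': this is the header of a new record
            if current is not None:
                records.append(current)
            current = {"_header": line.strip()}
        elif current is not None:
            current[m.group(1)] = decode_value(m.group(2))
    if current is not None:
        records.append(current)
    return records

def resolve_user(rec, token_map: Optional[Dict[bytes, str]] = None) -> Tuple[str, str]:
    """Return (username, how). Class wins over User-Name: in accounting,
    User-Name is the outer identity ("anonymous"/"foobar"), not the real user."""
    outer = str(rec.get("User-Name", ""))
    cls = rec.get("Class")
    if not isinstance(cls, bytes):
        return outer, "outer-identity-only"
    if token_map and cls in token_map:
        return token_map[cls], "class-token"
    try:
        literal = cls.decode("ascii")
    except UnicodeDecodeError:
        return outer, "outer-identity-only"  # opaque Class, no mapping known
    if literal and literal.isprintable():
        return literal, "class-literal"
    return outer, "outer-identity-only"

def sessions_by_user(records, token_map=None) -> Dict[str, Dict[str, List[str]]]:
    """Group events by resolved user, then Acct-Session-Id, so Start/Stop of one
    session line up under the real username rather than under "anonymous"."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for rec in records:
        user, _ = resolve_user(rec, token_map)
        sid = str(rec.get("Acct-Session-Id", "?"))
        out.setdefault(user, {}).setdefault(sid, []).append(str(rec.get("Acct-Status-Type")))
    return out

if __name__ == "__main__":
    for rec in parse_detail(SAMPLE_DETAIL):
        user, how = resolve_user(rec, TOKEN_TO_USER)
        print(rec["Acct-Session-Id"], rec["Acct-Status-Type"], "->", user, f"({how})")
```

Run it as-is to see the four records resolved; point parse_detail at a real detail file (the records there are tab-indented exactly as in the constructed sample) to do the same on live accounting data. A record that comes back as "outer-identity-only" means the Access-Accept for that session carried no Class, which is the symptom to look for if the inner-tunnel copy has not taken effect.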