FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username

Thu Nov 22 16:02:38 CET 2018

Hi Alejandro,

thanks very much. Unfortunately in our case only the Outer Identity is included in the Access Accept
from FR to the NAS and the NAS in turn requests accounting for the outer ID instead of the inner ID it’s supposed to:

Access Accept from FR to NAS:
(22) Tue Nov 20 16:51:07 2018: Debug: Sent Access-Accept Id 16 from 131.152.21.102:1812 to 10.33.6.2:47901 length 0
(22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Type = VLAN
(22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Medium-Type = IEEE-802
(22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Private-Group-Id = "822"
(22) Tue Nov 20 16:51:07 2018: Debug:   User-Name := "anonymous at unibas.ch<mailto:anonymous at unibas.ch>"
(22) Tue Nov 20 16:51:07 2018: Debug:   Chargeable-User-Identity := 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
(22) Tue Nov 20 16:51:07 2018: Debug:   MS-MPPE-Recv-Key = 0x36785f7c835847b8f8b19bd771144a9b1484e34ad90f094484152b53ab88a5ee
(22) Tue Nov 20 16:51:07 2018: Debug:   MS-MPPE-Send-Key = 0x04d8aef1be7ce80b6f7eb382d782d6227924a40379be4e9725254878108bd96d
(22) Tue Nov 20 16:51:07 2018: Debug:   EAP-Message = 0x030b0004
(22) Tue Nov 20 16:51:07 2018: Debug:   Message-Authenticator = 0x00000000000000000000000000

Accounting Request from NAS to FR Port 1813 (Accounting Server):
(11) Tue Nov 20 11:23:28 2018: Debug: Received Accounting-Request Id 247 from 10.33.6.2:47901 to 131.152.21.102:1813 length 551
(11) Tue Nov 20 11:23:28 2018: Debug:   User-Name = "anonymous at unibas.ch<mailto:anonymous at unibas.ch>"
(11) Tue Nov 20 11:23:28 2018: Debug:   Chargeable-User-Identity = 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
(11) Tue Nov 20 11:23:28 2018: Debug:   NAS-Port = 8
(11) Tue Nov 20 11:23:28 2018: Debug:   NAS-IP-Address = 10.33.6.2
(11) Tue Nov 20 11:23:28 2018: Debug:   Framed-IP-Address = 10.172.40.114

It’s weird cause it used to work fine for a long time and we assume something has change in FR 3.x over 2.x regarding this behavior but don’t know for sure.

Thanks,
Thorsten

From: Alejandro Perez-Mendez [via FreeRADIUS] <ml+s1045715n5752719h84 at n5.nabble.com>
Sent: Tuesday, 20 November 2018 16:38
To: Thorsten Fritsch <thorsten.fritsch at unibas.ch>
Subject: Re: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username

Hi Thorsten,

We found a similar issues where User-Name was being duplicate, having
both, inner and outer values.
That made that some NAS were taking the outer one since it appeared first.

We pushed a fix upstream
https://github.com/FreeRADIUS/freeradius-server/pull/2297/commits/ad3791dc84200de9d2a37a9d31b87eaaca70a75e#diff-fabb0758705436cfa7405398e3f62e30

If your issue is the same, you just need to backport that change to your
"default" site and check whether it fixes it.

Best regards,
Alejandro

El 19/11/18 a las 16:05, Thorsten Fritsch escribió:

> Hi guys,
>
> we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs
> seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it
> hard to identify our eduroam users (user tracking).
>
> Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our
> case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ?
> We have set this setting to yes in our config:
>
> ttls {
>                  tls = tls-common
>                  default_eap_type = mschapv2
>                  copy_request_to_tunnel = yes
>                  use_tunneled_reply = yes
>                  virtual_server = "eduroam-inner-tunnel"
>          }
>
>          peap {
>                  tls = tls-common
>                  default_eap_type = mschapv2
>                  copy_request_to_tunnel = yes
>                  use_tunneled_reply = yes
>                  virtual_server = "eduroam-inner-tunnel"
>          }
>
> Thanks for your help.
>
> Cheers,
> Thorsten
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
________________________________
If you reply to this email, your message will be added to the discussion below:
http://freeradius.1045715.n5.nabble.com/FreeRadius-3-0-17-outer-tunnel-username-in-accounting-logs-instead-of-inner-tunnel-username-tp5752645p5752719.html
To unsubscribe from Users, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2740693&code=dGhvcnN0ZW4uZnJpdHNjaEB1bmliYXMuY2h8Mjc0MDY5M3w1ODEyOTcyNzM=>.
NAML<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>