FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username

Alex Perez-Mendez Alex.Perez-Mendez at jisc.ac.uk
Thu Nov 22 18:19:03 CET 2018


Hi Thorsten,

I did not know you migrated from 2.x to 3.x. Surely there will be plenty of 
changes, not only related to these ones. In any case, have you noticed 
this excerpt in the inner_tunnel file?

     #
     #  Instead of "use_tunneled_reply", change this "if (0)" to an
     #  "if (1)".
     #
     if (0) {
         #
         #  These attributes are for the inner-tunnel only,
         #  and MUST NOT be copied to the outer reply.
         #
         update reply {
             User-Name !* ANY
             Message-Authenticator !* ANY
             EAP-Message !* ANY
             Proxy-State !* ANY
             MS-MPPE-Encryption-Types !* ANY
             MS-MPPE-Encryption-Policy !* ANY
             MS-MPPE-Send-Key !* ANY
             MS-MPPE-Recv-Key !* ANY
         }

         #
         #  Copy the inner reply attributes to the outer
         #  session-state list.  The post-auth policy will take
         #  care of copying the outer session-state list to the
         #  outer reply.
         #
         update {
             &outer.session-state: += &reply:
         }
     }

Just switch that (0) to (1) and comment the line regarding User-Name.
Also, add

         update reply {
              User-Name := &request:User-Name
         }

to the beginning of the post-auth section in that file.

Regards,
Alejandro

On 22/11/18 at 16:02, Thorsten Fritsch wrote:
> Hi Alejandro,
>
> thanks very much. Unfortunately in our case only the Outer Identity is included in the Access Accept
> from FR to the NAS and the NAS in turn requests accounting for the outer ID instead of the inner ID it’s supposed to:
>
> Access Accept from FR to NAS:
> (22) Tue Nov 20 16:51:07 2018: Debug: Sent Access-Accept Id 16 from 131.152.21.102:1812 to 10.33.6.2:47901 length 0
> (22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Type = VLAN
> (22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Medium-Type = IEEE-802
> (22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Private-Group-Id = "822"
> (22) Tue Nov 20 16:51:07 2018: Debug:   User-Name := "anonymous at unibas.ch"
> (22) Tue Nov 20 16:51:07 2018: Debug:   Chargeable-User-Identity := 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
> (22) Tue Nov 20 16:51:07 2018: Debug:   MS-MPPE-Recv-Key = 0x36785f7c835847b8f8b19bd771144a9b1484e34ad90f094484152b53ab88a5ee
> (22) Tue Nov 20 16:51:07 2018: Debug:   MS-MPPE-Send-Key = 0x04d8aef1be7ce80b6f7eb382d782d6227924a40379be4e9725254878108bd96d
> (22) Tue Nov 20 16:51:07 2018: Debug:   EAP-Message = 0x030b0004
> (22) Tue Nov 20 16:51:07 2018: Debug:   Message-Authenticator = 0x00000000000000000000000000
>
> Accounting Request from NAS to FR Port 1813 (Accounting Server):
> (11) Tue Nov 20 11:23:28 2018: Debug: Received Accounting-Request Id 247 from 10.33.6.2:47901 to 131.152.21.102:1813 length 551
> (11) Tue Nov 20 11:23:28 2018: Debug:   User-Name = "anonymous at unibas.ch"
> (11) Tue Nov 20 11:23:28 2018: Debug:   Chargeable-User-Identity = 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
> (11) Tue Nov 20 11:23:28 2018: Debug:   NAS-Port = 8
> (11) Tue Nov 20 11:23:28 2018: Debug:   NAS-IP-Address = 10.33.6.2
> (11) Tue Nov 20 11:23:28 2018: Debug:   Framed-IP-Address = 10.172.40.114
>
> It’s weird because it used to work fine for a long time and we assume something has changed in FR 3.x over 2.x regarding this behavior, but we don’t know for sure.
>
> Thanks,
> Thorsten
>
>
> From: Alejandro Perez-Mendez [via FreeRADIUS] <ml+s1045715n5752719h84 at n5.nabble.com>
> Sent: Tuesday, 20 November 2018 16:38
> To: Thorsten Fritsch <thorsten.fritsch at unibas.ch>
> Subject: Re: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username
>
> Hi Thorsten,
>
> We found a similar issue where User-Name was being duplicated, having
> both inner and outer values.
> That meant that some NASes were taking the outer one since it appeared first.
>
> We pushed a fix upstream
> https://github.com/FreeRADIUS/freeradius-server/pull/2297/commits/ad3791dc84200de9d2a37a9d31b87eaaca70a75e#diff-fabb0758705436cfa7405398e3f62e30
>
> If your issue is the same, you just need to backport that change to your
> "default" site and check whether it fixes it.
>
> Best regards,
> Alejandro
>
> On 19/11/18 at 16:05, Thorsten Fritsch wrote:
>
>> Hi guys,
>>
>> we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs
>> seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it
>> hard to identify our eduroam users (user tracking).
>>
>> Has something changed in FreeRadius 3.x regarding this behavior? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our
>> case Cisco WLAN Controller) via the parameter use_tunneled_reply = yes in the eap file under /mods-enabled, which the NAS can then in turn provide to the Accounting server. Is that correct?
>> We have set this setting to yes in our config:
>>
>> ttls {
>>                   tls = tls-common
>>                   default_eap_type = mschapv2
>>                   copy_request_to_tunnel = yes
>>                   use_tunneled_reply = yes
>>                   virtual_server = "eduroam-inner-tunnel"
>>           }
>>
>>           peap {
>>                   tls = tls-common
>>                   default_eap_type = mschapv2
>>                   copy_request_to_tunnel = yes
>>                   use_tunneled_reply = yes
>>                   virtual_server = "eduroam-inner-tunnel"
>>           }
>>
>> Thanks for your help.
>>
>> Cheers,
>> Thorsten
>>

-- 
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk
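To confirm that the inner_tunnel change above actually took effect, here is a small checker over radiusd -X output. It is an added example, not code from the thread or from FreeRADIUS; the sample debug lines are constructed, modelled on the ones Thorsten posted, and it flags Access-Accepts whose User-Name is missing, duplicated (the bug behind the upstream fix) or still equal to the outer identity from the matching Access-Request.

```python
import re

# Line shapes of "radiusd -X" output as quoted in the thread: a packet header
# ("Debug: Sent Access-Accept Id 16 from ...") followed by indented attribute lines.
HEADER = re.compile(r"^\((\d+)\) .*Debug: (?:Received|Sent) (\S+) Id \d+ ")
ATTR = re.compile(r"^\((\d+)\) .*Debug:\s+(\S+) (?::=|=|\+=) (.*)$")

def parse_debug(lines):
    """Return [(request_number, packet_type, [(attr, value), ...])] in log order."""
    packets = []
    for line in lines:
        hm = HEADER.match(line)
        if hm:
            packets.append((hm.group(1), hm.group(2), []))
            continue
        am = ATTR.match(line)
        if am and packets and packets[-1][0] == am.group(1):
            packets[-1][2].append((am.group(2), am.group(3).strip('"')))
    return packets

def check_accepts(lines):
    """Flag Access-Accepts whose User-Name would make the NAS account for the wrong identity."""
    packets = parse_debug(lines)
    # Outer identity = User-Name of the Access-Request with the same request number.
    outer = {n: dict(a).get("User-Name") for n, t, a in packets if t == "Access-Request"}
    findings = []
    for num, ptype, attrs in packets:
        if ptype != "Access-Accept":
            continue
        names = [v for a, v in attrs if a == "User-Name"]
        if not names:
            findings.append((num, "no User-Name in Access-Accept"))
        elif len(names) > 1:
            findings.append((num, "duplicate User-Name, NAS may take the first"))
        elif names[0] == outer.get(num):
            findings.append((num, "User-Name is the outer (anonymous) identity"))
    return findings

# Constructed sample: 22 mirrors the thread's symptom, 23 the duplicate bug, 24 is correct.
SAMPLE = """\
(22) Tue Nov 20 16:51:07 2018: Debug: Received Access-Request Id 16 from 10.33.6.2:47901 to 131.152.21.102:1812 length 200
(22) Tue Nov 20 16:51:07 2018: Debug:   User-Name = "anonymous@unibas.ch"
(22) Tue Nov 20 16:51:07 2018: Debug: Sent Access-Accept Id 16 from 131.152.21.102:1812 to 10.33.6.2:47901 length 0
(22) Tue Nov 20 16:51:07 2018: Debug:   User-Name := "anonymous@unibas.ch"
(23) Tue Nov 20 16:52:10 2018: Debug: Sent Access-Accept Id 17 from 131.152.21.102:1812 to 10.33.6.2:47901 length 0
(23) Tue Nov 20 16:52:10 2018: Debug:   User-Name = "anonymous@unibas.ch"
(23) Tue Nov 20 16:52:10 2018: Debug:   User-Name = "alice@unibas.ch"
(24) Tue Nov 20 16:53:00 2018: Debug: Received Access-Request Id 18 from 10.33.6.2:47901 to 131.152.21.102:1812 length 200
(24) Tue Nov 20 16:53:00 2018: Debug:   User-Name = "anonymous@unibas.ch"
(24) Tue Nov 20 16:53:00 2018: Debug: Sent Access-Accept Id 18 from 131.152.21.102:1812 to 10.33.6.2:47901 length 0
(24) Tue Nov 20 16:53:00 2018: Debug:   User-Name := "alice@unibas.ch"
"""
```

Run it over a captured `radiusd -X` log with `check_accepts(open(path).readlines())`; an empty result means every Access-Accept carries exactly one User-Name and it differs from the outer identity.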
