How to Reject Anonymous Identity

Hans-Christian Esperer hc at hcesperer.org
Fri Jan 25 11:53:11 CET 2019


On Fri, Jan 25, 2019 at 10:30:03AM +0100, Olivier wrote:
> 1. Should we say then that, in a Unifi wireless setup powered by an
> SQL-enabled Freeradius accounting backend, simultaneous connection
> control is correctly working or not (beside the issue this thread is about)

I'd say it will work correctly insofar as the SQL backend is able to properly
keep track of currently logged in users regardless of the NAS-Port parameter in
the accounting packages, but I haven't tried it personally. I'm using radutmp
with Alan DeKok's NAS-Port-username-hash-turned-into-an-integer hack.

For reference, that's how it's done:

        # Only synthesise a NAS-Port when the NAS did not send a usable one
        if (NAS-Port == 0) {
                # MD5 of the User-Name, stored in a temporary octets attribute
                update request {
                        Tmp-Octets-0 := "%{md5:%{User-Name}}"
                }

                # Unpack part of the digest as an integer and use it as NAS-Port
                update request {
                        NAS-Port := "%{unpack:&Tmp-Octets-0 1 integer}"
                }
        }

In all relevant sections.

A thing to keep in mind: When used in outer connections, the username is
controlled by the authenticating user (i.e., the outer identity, anonymous etc)
and thus the NAS-Port value should not be trusted, as it is also controlled by
the user.  (I.e., a user could erase all entries in the radutmp by causing many
collisions)

Probably better to just use the sql module :-)

> 2. By any chance do we know if Unifi switches or Ubnt Edgeswitches
> correctly set a unique NAS-Port value ? A positive answer would help to
> convince Ubnt to change current behaviour.

My "largest" setup consists of 3 Unifi AP AC Pro access points. I am not using
any other ubiquiti equipment so far, so I cannot say. Probably other people on
this list can answer this, though.

Cheers,
 HC
