RES: RES: Incorrect username being registered by freeradius
Daniel Guimaraes Pena
daniel.pena at mpdft.mp.br
Tue Jun 23 18:47:53 CEST 2020
I understand...
Well, I thought of something for these two problems, but before trying to implement them, I would like your opinion, if possible:
FIRST: for the problem of outer username being different from inner-tunnel.
Is it possible to do something like this?
IF inner-tunnel-username <> outer-username
Set outer-username equal to inner-tunnel-username
Can this solution cause crazy inserts in the radacct table or cause the user to be denied access to wifi?
SECOND: for the problem of the MAC address being registered in the radacct table:
I will try to create some check on the username for accounting packets like this:
IF username is equal to calling-station-id(in lowercase and without "-")
Then set username to (select username from radacct where calling-station-id = 'MAC' and username <> 'wrong mac string' limit 1;)
Thanks!! I hope you don’t get angry with me for doing this mess =P
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+daniel.pena=mpdft.mp.br at lists.freeradius.org> On behalf of Alan DeKok
Sent: Tuesday, June 23, 2020 12:47
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: RES: Incorrect username being registered by freeradius
On Jun 23, 2020, at 11:34 AM, Daniel Guimaraes Pena <daniel.pena at mpdft.mp.br> wrote:
>
> Thanks for answering, Alan, you were right: that is his MAC Address.
Good.
> Until this moment, no MAC address has appeared in the radacct table, so I don’t have debug for that yet.
> For this, if I may ask, why is the user registered in the radacct table with the MAC address while his real username appears in the radius log?
Because the NAS sends accounting packets which contain the MAC address in the User-Name field. And, it sends authentication packets which contain the real name in the User-Name field.
FreeRADIUS does NOT control this. It's at the mercy of whatever the NAS sends.
> Reading debug, real login is "luciana.nogueira"
> Here the debug log for this entry:
> =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.23 12:21:07 =~=~=~=~=~=~=~=~=~=~=~=
> grep -E "\(4925[7-9]\)|\(4926[0-7]\)" debug.log
> (49257) Received Access-Request Id 151 from 10.34.15.221:1384 to 10.34.242.3:1812 length 151
> (49257) User-Name = "347117"
> (49257) NAS-IP-Address = 10.34.15.221
> (49257) NAS-Port = 2
> (49257) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
> (49257) Calling-Station-Id = "48-49-C7-71-79-66"
> (49257) Framed-MTU = 1400
> (49257) NAS-Port-Type = Wireless-802.11
> (49257) Connect-Info = "CONNECT 54Mbps 802.11g"
> (49257) EAP-Message = 0x0200000b01333437313137
The end-user machine is creating that EAP-Message. Which contains "34717" as the name. i.e. hex 333437313137 is "34717"
In order to fix that, you need to fix the end user's machine to send a real name. There is nothing you can do to the NAS or FreeRADIUS to fix this issue.
Generally, the outer user name should be something like "@example.com", or "anonymous".
The inner-tunnel is receiving the name "luciana.nogueira", which is fine.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
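Added example, not part of the original thread and not FreeRADIUS code: a Python sketch that decodes the EAP-Message attribute quoted in the debug log above to show the outer identity the supplicant sent, and flags accounting records whose User-Name is only the Calling-Station-Id MAC in lowercase without separators. The function names and the sample accounting records are constructed for illustration.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap_identity(hex_value):
    """Decode an EAP-Message hex string; return the Identity string or None."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, 2-byte length")
    code = raw[0]
    length = int.from_bytes(raw[2:4], "big")
    if code not in EAP_CODES or length < 4 or length > len(raw):
        raise ValueError("malformed EAP packet")
    # Only Request/Response carry a type byte; Success/Failure stop at 4 bytes.
    if code not in (1, 2) or length < 5 or raw[4] != EAP_TYPE_IDENTITY:
        return None
    return raw[5:length].decode("utf-8", errors="replace")


def normalize_mac(value):
    """Lowercase and strip separators; return 12 hex digits or None."""
    digits = re.sub(r"[-:.\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def username_is_mac(user_name, calling_station_id):
    """True when the User-Name is just the station MAC in another format."""
    mac = normalize_mac(calling_station_id)
    return mac is not None and normalize_mac(user_name) == mac


def flag_mac_usernames(records):
    """Return the accounting records whose User-Name is the client MAC."""
    return [r for r in records
            if username_is_mac(r["User-Name"], r["Calling-Station-Id"])]


# EAP-Message taken from the debug log quoted in the thread.
EAP_MESSAGE = "0x0200000b01333437313137"
# Constructed accounting records; the MAC is the one from the debug log.
SAMPLE_ACCT = [
    {"User-Name": "4849c7717966", "Calling-Station-Id": "48-49-C7-71-79-66"},
    {"User-Name": "luciana.nogueira", "Calling-Station-Id": "48-49-C7-71-79-66"},
]

if __name__ == "__main__":
    print("outer identity:", parse_eap_identity(EAP_MESSAGE))
    print("MAC as User-Name:", flag_mac_usernames(SAMPLE_ACCT))
```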