"anonymous" user connected to wireless
Eby Mani
eby_km at yahoo.com
Thu Oct 24 11:28:28 UTC 2024
Thanks David. I assume Alan is suggesting to adjust as per "https://wiki.freeradius.org/guide/eduroam-logging#recording-the-inner-user-name".
The existing RADIUS server is configured to send User-Group to the network firewall using "sites-enabled/copy-acct-to-home-server" for RSSO-based access.
One question: do we leave the original post-auth { } settings in sites-enabled/inner-tunnel, and add as per "recording-the-inner-user-name" on the RADIUS server to send User-Group info to the home accounting server?
***************** original settings *****************
post-auth {
    ....
    update {
        &outer.session-state: += &reply:
    }
    ....
    Post-Auth-Type REJECT {
        ....
        update outer.session-state {
            &Module-Failure-Message := &request:Module-Failure-Message
        }
    }
}
**********************************
Thanks,
On Thursday 24 October, 2024 at 11:08:48 am IST, David B Funk <dbfunk at engineering.uiowa.edu> wrote:
On Wed, 23 Oct 2024, Eby Mani via Freeradius-Users wrote:
> User in remote office, only connects wireless in meeting room with customers. User is rarely in office, hence I can't run in debug mode for an indefinite period of time.
>
>> I explained why it happens, and what you can do to fix it.
>> > You will need to log the inner User-Name for the authentication session. Or, update the Access-Accept to contain Chargeable-User-Identity. See raddb/policy.d/cui
>
> Above is the only hint you have given. Now, I'm not clear what you meant by "You will need to log the inner User-Name for the authentication session".
>
Eby,
Do this:
1) Get a laptop with WiFi and the ability to boot from a USB stick.
2) Create a bootable USB stick from a Linux distro that you can handle, for example Ubuntu, see:
https://ubuntu.com/tutorials/try-ubuntu-before-you-install#1-getting-started
3) Boot Linux on the laptop from the USB stick.
4) Open the system network configuration menu and activate 802.1x security.
5) Select a TLS-protected auth mode (e.g. Tunneled TLS or Protected EAP) that you have working in your AP+Radius infrastructure.
6) Note that in the menu that opens up you have two different places to enter identity info, the outer ('Anonymous') ID and the inner ID.
Set the outer ID to some generic name that you can recognise but that does not correspond to any valid user name on your system.
Set the inner ID to your personal appropriate creds.
7) Hit apply and then try a connection.
8) Run your Radius server in debug mode and test again; watch for both the generic name and your personal ID to show up in the debugging log.
9) You can see that the 'anonymous' ID is in the outer "wrapper" but it's actually using your creds to authenticate.
Now adjust your Radius config as Alan has suggested to make your logging system record not the outer ID but the inner personal ID.
Have fun,
Dave
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
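One way to combine the "original settings" quoted above with the recording-the-inner-user-name idea, as an added example written for this thread (not the wiki's text and not config posted by anyone here). It assumes FreeRADIUS 3.x unlang, that the outer virtual server is sites-enabled/default, and shows only the post-auth parts of each file.

```unlang
# Added example (FreeRADIUS 3.x unlang), not from the thread or the wiki.
# Idea: put the inner (real) User-Name into the outer Access-Accept, so the
# NAS uses it as User-Name in its Accounting-Requests. The accounting copies
# that copy-acct-to-home-server forwards to the firewall then carry the real
# name instead of the outer "anonymous" identity.

# sites-enabled/inner-tunnel (only post-auth shown)
server inner-tunnel {
    post-auth {
        # Original setting kept: inner reply attributes (e.g. User-Group)
        # are handed up to the outer tunnel's session-state.
        update {
            &outer.session-state: += &reply:
        }

        # Added: hand the inner User-Name up too. A bare &User-Name here
        # means the inner request's User-Name, i.e. the real identity.
        update outer.session-state {
            &User-Name := &User-Name
        }

        # Original setting kept.
        Post-Auth-Type REJECT {
            update outer.session-state {
                &Module-Failure-Message := &request:Module-Failure-Message
            }
        }
    }
}

# sites-enabled/default (outer server; name assumed), only post-auth shown
server default {
    post-auth {
        # The stock config already merges session-state into the reply with
        # "&reply: += &session-state:". Setting it explicitly with ':=' is
        # safe either way, and the guard avoids a bad expansion for
        # non-EAP requests that never went through the inner tunnel.
        if (&session-state:User-Name) {
            update reply {
                &User-Name := &session-state:User-Name
            }
        }
        # Caveat: this exposes the inner identity to the NAS. Where that is
        # unwanted (e.g. eduroam visitors), return Chargeable-User-Identity
        # via policy.d/cui instead, as Alan suggested earlier in the thread.
    }
}
```

Verify with `radiusd -X`: the Access-Accept logged by the outer server should now carry the inner User-Name, and the NAS's next Accounting-Request should show that name rather than the outer identity.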