Title: TTLS/Radius Accounting

Kudos to the FreeRadius team for their commitment to improving an already solid package!

I have recently implemented TTLS on my test network using the CVS Snapshot from 9/19.  TTLS is enabled along with MySQL.  Connected to the radius is a Colubris CN3000 with 802.1x enabled.   On my XP machine, I'm using the Alfa & Aris TTLS client. 

Outer Authentication uses 'anonymous', inner uses '[EMAIL PROTECTED]' via pap. My question is about accounting. On the radius server, I only have UserID '1xtest' and not 'anonymous'. radiusd -X -A does show the anonymous auth enabling the tunnel, and it shows that '1xtest' is being sent through it; however, what I see in my accounting log is '[EMAIL PROTECTED]' for the UserID. Further, in my CN3000 I see that the UserID listed under current sessions is also 'anonymous'. I have enabled the following in radiusd.conf, thinking that it would affect what would be displayed in the radacct table:

                ttls {
                        . . . .
                        #  The tunneled authentication request does
                        #  not usually contain useful attributes
                        #  like 'Calling-Station-Id', etc.  These
                        #  attributes are outside of the tunnel,
                        #  and normally unavailable to the tunneled
                        #  authentication request.
                        #
                        #  By setting this configuration entry to
                        #  'yes', any attribute which is NOT in the
                        #  tunneled authentication request, but
                        #  which IS available outside of the tunnel,
                        #  is copied to the tunneled request.
                        #
                        # allowed values: {no, yes}
                        copy_request_to_tunnel = no

                        #  The reply attributes sent to the NAS are
                        #  usually based on the name of the user
                        #  'outside' of the tunnel (usually
                        #  'anonymous').  If you want to send the
                        #  reply attributes based on the user name
                        #  inside of the tunnel, then set this
                        #  configuration entry to 'yes', and the reply
                        #  to the NAS will be taken from the reply to
                        #  the tunneled request.
                        #
                        # allowed values: {no, yes}
                        use_tunneled_reply = yes                       
                          
                }

Is there a way to log the UserID of the Inner auth into accounting? 



Thanks in advance,

  --Phil 
