Alan DeKok wrote:
You should be able to do:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name = `%{User-Name}`
along with the "use_tunneled_reply". The "users" file entry replies with the User-Name *only* inside the tunnel, so you can be sure that no User-Name exists outside of the tunnel.
This works for me (and with the included patch):
DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1 User-Name = `%{User-Name}`, Fall-Through = Yes
s5 User-Password == "xxx"
================================================= Cisco AP-1230B firmware 12.2(13)JA1 has a bug. It wants a NULL-terminated User-Name attribute :-/. However, it is sending the same attribute back as non-NULL-terminated. See logs:
bug log: --------------------------- Sending Access-Accept of id 104 to xxxx... User-Name = "s5" [...] rad_recv: Accounting-Request packet from host xxxx... Acct-Session-Id = "00000182" [...] User-Name = "s5o" [...]
The 'o' comes because Cisco just copies "s5" over "anonymous" and terminates it one character short of where it should.
I've created a patch with a workaround. So those who are bitten by this can patch radius and enable: eap { [...] ttls { [...] cisco_accounting_username_bug = yes } } This option will only work if "use_tunneled_reply" is enabled.
workaround enabled log: ----------------------- Sending Access-Accept of id 254 to xxxx.... User-Name = "s5" [...] rad_recv: Accounting-Request packet from host xxxx.... Acct-Session-Id = "000001A4" [...] User-Name = "s5" [...]
=================================================
Since Thunderbird line-wraps I've also attached the patch. It was made against CVS from 20040216.
diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2003-12-07 01:25:43.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2004-02-26 10:30:11.000000000 +0100
@@ -31,6 +31,7 @@
int default_eap_type;
int copy_request_to_tunnel;
int use_tunneled_reply;
+ int cisco_accounting_username_bug;
} ttls_tunnel_t;
/*
diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2003-12-07 01:25:44.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2004-02-26 10:39:02.000000000 +0100
@@ -38,6 +38,13 @@
int use_tunneled_reply;
/*
+ * Add one more character to the User-Name attribute returned
+ * in Access-Accept. Cisco AP1230 has a bug and needs zero
+ * terminated string in Access-Accept.
+ */
+ int cisco_accounting_username_bug;
+
+ /*
* Use SOME of the request attributes from outside of the
* tunneled session in the tunneled request
*/
@@ -54,6 +61,9 @@
{ "use_tunneled_reply", PW_TYPE_BOOLEAN,
offsetof(rlm_eap_ttls_t, use_tunneled_reply), NULL, "no" },
+
+ { "cisco_accounting_username_bug", PW_TYPE_BOOLEAN,
+ offsetof(rlm_eap_ttls_t, cisco_accounting_username_bug), NULL, "no" },
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
@@ -159,6 +169,7 @@
t->default_eap_type = inst->default_eap_type;
t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
t->use_tunneled_reply = inst->use_tunneled_reply;
+ t->cisco_accounting_username_bug = inst->cisco_accounting_username_bug;
return t;
}
diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2004-01-07 18:55:12.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2004-02-26 11:14:06.000000000 +0100
@@ -618,6 +618,19 @@
if (t->use_tunneled_reply) {
pairadd(&request->reply->vps, reply->vps);
reply->vps = NULL;
+
+ /*
+ * Cisco needs a null terminated string, make '\0' a part of
+ * the User-Name by increasing the attribute length by 1.
+ */
+ if (t->cisco_accounting_username_bug) {
+ VALUE_PAIR *tmp;
+ for(tmp = request->reply->vps; tmp; tmp = tmp->next) {
+ if (PW_USER_NAME == tmp->attribute) {
+ tmp->length++;
+ }
+ }
+ }
}
}
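Review bot: `tmp->length++` in the new loop is unbounded: it extends the User-Name value by one byte without checking that the byte at that offset is actually a NUL, or that the length is still within the VALUE_PAIR's fixed-size string storage, so a User-Name already at the maximum attribute length would advance past its buffer and the extra byte sent in the Access-Accept would be whatever follows it in memory. Guard it, e.g. `if (PW_USER_NAME == tmp->attribute && tmp->length + 1 < (int)sizeof(tmp->strvalue) && tmp->strvalue[tmp->length] == '\0') tmp->length++;` (assuming the value is held in the `strvalue` array — confirm against libradius.h). The loop also walks all of `request->reply->vps` after the tunneled pairs have been merged, so any User-Name reply pair that came from outside the tunnel gets the extra byte as well; that is presumably intended given the `use_tunneled_reply` precondition, but deserves a comment. The enclosing function starts before this hunk, and the attached copy of the patch at the end of the message repeats the same hunk.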
-- Lep pozdrav, Rok Papez.
diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2003-12-07 01:25:43.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2004-02-26 10:30:11.000000000 +0100
@@ -31,6 +31,7 @@
int default_eap_type;
int copy_request_to_tunnel;
int use_tunneled_reply;
+ int cisco_accounting_username_bug;
} ttls_tunnel_t;
/*
diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2003-12-07 01:25:44.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2004-02-26 10:39:02.000000000 +0100
@@ -38,6 +38,13 @@
int use_tunneled_reply;
/*
+ * Add one more character to the User-Name attribute returned
+ * in Access-Accept. Cisco AP1230 has a bug and needs zero
+ * terminated string in Access-Accept.
+ */
+ int cisco_accounting_username_bug;
+
+ /*
* Use SOME of the request attributes from outside of the
* tunneled session in the tunneled request
*/
@@ -54,6 +61,9 @@
{ "use_tunneled_reply", PW_TYPE_BOOLEAN,
offsetof(rlm_eap_ttls_t, use_tunneled_reply), NULL, "no" },
+
+ { "cisco_accounting_username_bug", PW_TYPE_BOOLEAN,
+ offsetof(rlm_eap_ttls_t, cisco_accounting_username_bug), NULL, "no" },
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
@@ -159,6 +169,7 @@
t->default_eap_type = inst->default_eap_type;
t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
t->use_tunneled_reply = inst->use_tunneled_reply;
+ t->cisco_accounting_username_bug = inst->cisco_accounting_username_bug;
return t;
}
diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2004-01-07 18:55:12.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2004-02-26 11:14:06.000000000 +0100
@@ -618,6 +618,19 @@
if (t->use_tunneled_reply) {
pairadd(&request->reply->vps, reply->vps);
reply->vps = NULL;
+
+ /*
+ * Cisco needs a null terminated string, make '\0' a part of
+ * the User-Name by increasing the attribute length by 1.
+ */
+ if (t->cisco_accounting_username_bug) {
+ VALUE_PAIR *tmp;
+ for(tmp = request->reply->vps; tmp; tmp = tmp->next) {
+ if (PW_USER_NAME == tmp->attribute) {
+ tmp->length++;
+ }
+ }
+ }
}
}