Hello Alan.

Alan DeKok wrote:

You should be able to do:

DEFAULT      FreeRADIUS-Proxied-To == 127.0.0.1 User-Name =
`%{User-Name}`

along with the "use_tunneled_reply". The "users" file entry replies with the User-Name *only* inside the tunnel, so you can be sure that no User-Name exists outside of the tunnel.

This works for me (and with the included patch):


DEFAULT         Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
                User-Name = `%{User-Name}`,
                Fall-Through = Yes

s5 User-Password == "xxx"


================================================= Cisco AP-1230B firmware 12.2(13)JA1 has a bug. It expects the User-Name attribute to be NULL-terminated :-/, yet it sends the same attribute back without a NULL terminator. See logs:

bug log:
---------------------------
Sending Access-Accept of id 104 to xxxx...
        User-Name = "s5"
[...]
rad_recv: Accounting-Request packet from host xxxx...
        Acct-Session-Id = "00000182"
[...]
        User-Name = "s5o"
[...]

The 'o' appears because Cisco just copies "s5" over "anonymous" and places the terminator one character later than it should.

I've created a patch with a workaround, so those who are bitten by this
can patch radius and enable:
eap {
        [...]
        ttls {
                [...]
                cisco_accounting_username_bug = yes
        }
}
This option will only work if "use_tunneled_reply" is enabled.

workaround enabled log:
-----------------------
Sending Access-Accept of id 254 to xxxx....
        User-Name = "s5"
[...]
rad_recv: Accounting-Request packet from host xxxx....
        Acct-Session-Id = "000001A4"
[...]
        User-Name = "s5"
[...]


=================================================
Since Thunderbird line-wraps I've also attached the patch. It was made against CVS from 20040216.


diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2003-12-07 01:25:43.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 2004-02-26 10:30:11.000000000 +0100
@@ -31,6 +31,7 @@
int default_eap_type;
int copy_request_to_tunnel;
int use_tunneled_reply;
+ int cisco_accounting_username_bug;
} ttls_tunnel_t;


/*
diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2003-12-07 01:25:44.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 2004-02-26 10:39:02.000000000 +0100
@@ -38,6 +38,13 @@
int use_tunneled_reply;


        /*
+        *      Add one more character to the User-Name attribute returned
+        *      in Access-Accept. Cisco AP1230 has a bug and needs zero
+        *      terminated string in Access-Accept.
+        */
+       int     cisco_accounting_username_bug;
+
+       /*
         *      Use SOME of the request attributes from outside of the
         *      tunneled session in the tunneled request
         */
@@ -54,6 +61,9 @@

{ "use_tunneled_reply", PW_TYPE_BOOLEAN,
offsetof(rlm_eap_ttls_t, use_tunneled_reply), NULL, "no" },
+
+ { "cisco_accounting_username_bug", PW_TYPE_BOOLEAN,
+ offsetof(rlm_eap_ttls_t, cisco_accounting_username_bug), NULL, "no" },


{ NULL, -1, 0, NULL, NULL } /* end the list */
};
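Review bot: The new option is documented only by the struct comment in the previous hunk and by this mail; nothing in the patch adds it to the shipped sample configuration, so an administrator reading the `ttls {}` section will not discover it. I would add a commented-out `# cisco_accounting_username_bug = no` there with a one-line explanation that it appends a NUL byte to the User-Name in the tunneled reply, and that it has no effect unless `use_tunneled_reply = yes` (the ttls.c hunk only reaches it inside `if (t->use_tunneled_reply)`). The parser table this hunk belongs to starts outside the hunk.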
@@ -159,6 +169,7 @@
t->default_eap_type = inst->default_eap_type;
t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
t->use_tunneled_reply = inst->use_tunneled_reply;
+ t->cisco_accounting_username_bug = inst->cisco_accounting_username_bug;
return t;
}


diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2004-01-07 18:55:12.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 2004-02-26 11:14:06.000000000 +0100
@@ -618,6 +618,19 @@
if (t->use_tunneled_reply) {
pairadd(&request->reply->vps, reply->vps);
reply->vps = NULL;
+
+ /*
+ * Cisco needs a null terminated string, make '\0' a part of
+ * the User-Name by increasing the attribute length by 1.
+ */
+ if (t->cisco_accounting_username_bug) {
+ VALUE_PAIR *tmp;
+ for(tmp = request->reply->vps; tmp; tmp = tmp->next) {
+ if (PW_USER_NAME == tmp->attribute) {
+ tmp->length++;
+ }
+ }
+ }
}
}
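Review bot: `tmp->length++` extends the attribute's wire length by one byte without writing that byte or checking that there is room for it, so the terminator the AP receives is whatever happens to sit just past the value, and a User-Name that already fills the value buffer would be encoded one byte past the 253-byte RADIUS attribute value limit. Writing the terminator explicitly and bounding the increment makes the intent visible, roughly `if (PW_USER_NAME == tmp->attribute && tmp->length < MAX_STRING_LEN - 1) {` followed by `tmp->strvalue[tmp->length] = '\0';` and `tmp->length++;` (field and macro names as I recall them from the VALUE_PAIR definition, please confirm the exact bound against it). Since the loop touches every User-Name pair in the reply, either break after the first match or say in the comment that all of them are meant to be extended. The enclosing function starts and ends outside the hunk, and the same hunk appears again in the attached copy of the patch below, where the same applies.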



-- Lep pozdrav, Rok Papez.
diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h 
radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h  2003-12-07 
01:25:43.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/eap_ttls.h   2004-02-26 
10:30:11.000000000 +0100
@@ -31,6 +31,7 @@
        int             default_eap_type;
        int             copy_request_to_tunnel;
        int             use_tunneled_reply;
+       int             cisco_accounting_username_bug;
 } ttls_tunnel_t;

 /*
diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c 
radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c      
2003-12-07 01:25:44.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/rlm_eap_ttls.c       2004-02-26 
10:39:02.000000000 +0100
@@ -38,6 +38,13 @@
        int     use_tunneled_reply;

        /*
+        *      Add one more character to the User-Name attribute returned
+        *      in Access-Accept. Cisco AP1230 has a bug and needs zero
+        *      terminated string in Access-Accept.
+        */
+       int     cisco_accounting_username_bug;
+
+       /*
         *      Use SOME of the request attributes from outside of the
         *      tunneled session in the tunneled request
         */
@@ -54,6 +61,9 @@

        { "use_tunneled_reply", PW_TYPE_BOOLEAN,
          offsetof(rlm_eap_ttls_t, use_tunneled_reply), NULL, "no" },
+
+       { "cisco_accounting_username_bug", PW_TYPE_BOOLEAN,
+         offsetof(rlm_eap_ttls_t, cisco_accounting_username_bug), NULL, "no" },

        { NULL, -1, 0, NULL, NULL }           /* end the list */
 };
@@ -159,6 +169,7 @@
        t->default_eap_type = inst->default_eap_type;
        t->copy_request_to_tunnel = inst->copy_request_to_tunnel;
        t->use_tunneled_reply = inst->use_tunneled_reply;
+       t->cisco_accounting_username_bug = inst->cisco_accounting_username_bug;
        return t;
 }

diff -ur radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c 
radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
--- radiusd-20040216/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c      2004-01-07 
18:55:12.000000000 +0100
+++ radiusd/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c       2004-02-26 
11:14:06.000000000 +0100
@@ -618,6 +618,19 @@
                        if (t->use_tunneled_reply) {
                                pairadd(&request->reply->vps, reply->vps);
                                reply->vps = NULL;
+
+                               /*
+                                * Cisco needs a null terminated string, make '\0' a 
part of
+                                * the User-Name by increasing the attribute length by 
1.
+                                */
+                               if (t->cisco_accounting_username_bug) {
+                                       VALUE_PAIR *tmp;
+                                       for(tmp = request->reply->vps; tmp; tmp = 
tmp->next) {
+                                               if (PW_USER_NAME == tmp->attribute) {
+                                                       tmp->length++;
+                                               }
+                                       }
+                               }
                        }
                }
