>"CHui" <[EMAIL PROTECTED]> wrote:
>> Although it seems to work for me, I am not sure about the use of attribute
>> Class for tracking user ID would interfere with other operation (like the
>> one attribute Class was originally designed for)?
>
>  It was designed for local sites to do whatever they wanted.  So you're
>  doing the right thing.
>
>> Also, the attribute Class is of type Octet.  Does anyone know of a way to
>> convert it to text in SQL?
>
>  Edit the dictionary, and change "octets" to "string".
>
>  Alan DeKok.

Never thought of simply changing the attribute type in the dictionary file.
Works great. Thanks.

I use the "use_tunneled_reply = yes" in eap.conf to capture the user name
inside of the tunnel.  I have observed that the Class attribute now
contained both the outer identity and the user name from inside the tunnel.

From the debug output:

Sending Access-Accept of id 170 to 198.128.24.10:1645
        Class = "SomeoneElse"
        Cisco-AVPair = "ssid=CiscoTestAP"
        Session-Timeout = 60
        Class = "chui.guest"
        MS-MPPE-Recv-Key = 0x...
        MS-MPPE-Send-Key = 0x...
        EAP-Message = 0x03070004
        Message-Authenticator = 0x...
        User-Name = "SomeoneElse"
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Accounting-Request packet from host 198.128.24.10:1646, id=112, length=262
        Acct-Session-Id = "0600000000000204"
        Called-Station-Id = "0014.a800.44c0"
        Calling-Station-Id = "0002.2d27.05e2"
        Cisco-AVPair = "ssid= CiscoTestAP"
        Cisco-AVPair = "vlan-id=0"
        Cisco-AVPair = "nas-location=unspecified"
        User-Name = "SomeoneElse"
        Cisco-AVPair = "connect-progress=Call Up"
        Acct-Authentic = RADIUS
        Acct-Status-Type = Start
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "708"
        NAS-Port = 708
        Class = "SomeoneElse"
        Class = "chui.guest"
        Service-Type = Framed-User
        NAS-IP-Address = 198.128.24.10
        Acct-Delay-Time = 0

In the users file, I have the default entry as follows:

        DEFAULT
                Class = "{User-Name}",
                Fall-Through = No


What should I do to get the tunnel user name only, instead of both being sent
as reply attribute "Class"?

Thanks
Cedric
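
For a consumer of the accounting records shown above, here is one way to recover the tunneled user name when two Class values arrive, as an added example that is not part of the original message or of FreeRADIUS. The sample packet is constructed from the debug output; the hex-encoded Class value (how an octets-typed attribute is assumed to be logged) and all function names are hypothetical.

```python
import re

# Constructed sample modelled on the Accounting-Request in the message above.
# The second Class is written as 0x hex (assumption: octets-typed logging).
SAMPLE = '''rad_recv: Accounting-Request packet from host 198.128.24.10:1646, id=112, length=262
        Acct-Session-Id = "0600000000000204"
        User-Name = "SomeoneElse"
        Acct-Status-Type = Start
        Class = "SomeoneElse"
        Class = 0x636875692e6775657374
'''

ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+) = (.*)$')
HEX_RE = re.compile(r'0x(?:[0-9a-fA-F]{2})+')


def decode_value(raw):
    """Return text for a quoted string or a printable 0x-prefixed value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_RE.fullmatch(raw):
        try:
            text = bytes.fromhex(raw[2:]).decode('utf-8')
        except UnicodeDecodeError:
            return raw              # binary value: keep the hex form
        return text if text.isprintable() else raw
    return raw                      # enumerated or integer values, "0x..."


def parse_packet(text):
    """Collect attributes of one debug-output packet, keeping repeats in order."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)     # attribute lines are indented
        if m:
            attrs.setdefault(m.group(1), []).append(decode_value(m.group(2)))
    return attrs


def inner_identities(attrs):
    """Class values that differ from the outer User-Name.

    Assumption: the outer identity is echoed in Class, as in the debug
    output above. If inner and outer names are equal the list is empty.
    """
    outer = set(attrs.get('User-Name', []))
    return [c for c in attrs.get('Class', []) if c not in outer]


if __name__ == '__main__':
    print(inner_identities(parse_packet(SAMPLE)))
```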
