Re: Unencrypted username in radacct/radpostauth for ttls tunnel authenticated user

2011-10-26 Thread Alan DeKok
James T. Mugauri wrote:
> I have managed to auth a Greenpacket WiMAX MS via an eap ttls tunnel.
> Thanks to Alan's direction earlier, I can also send the service flow
> definitions correctly.

  That's good.

> I have now found that subsequent db writes (and logging) associated with
> accounting and postauth functions are the encrypted values (available in
> the tunnel?). Is there a way to ensure that the plaintext values are
> used with all subsequent logging actions?

  Use a DB.

  On Access-Accept, store the unencrypted User-Name in the DB, along
with a Class attribute.  When you receive an accounting packet, look up
the Class attribute to find the unencrypted User-Name.

  That's pretty much the only way with WiMAX.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
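One way to wire up the Class lookup Alan describes, as an added example written against FreeRADIUS 2.x unlang and the sql module's dialect queries; it is not code from this thread or from the FreeRADIUS distribution. The `radclassmap` table, its columns and the MySQL-specific upsert are assumptions for the example; `Tmp-String-0` is a stock internal attribute used here only as scratch space.

```unlang
# --- inner-tunnel virtual server, post-auth section ---------------------
# Runs after the inner (plaintext) User-Name has been authenticated.
post-auth {
    # Opaque per-session token. The NAS must echo Class unchanged in its
    # Accounting-Requests (RFC 2865 section 5.25), so it is the join key.
    update outer.reply {
        Class := "%{md5:%{User-Name}:%{Calling-Station-Id}:%l}"
    }
    # Stash the inner identity where the outer post-auth can read it.
    # The control list is never sent on the wire, so the NAS does not
    # learn the real username from the Access-Accept.
    update outer.control {
        Tmp-String-0 := "%{User-Name}"
    }
}

# --- outer (default) virtual server, post-auth section ------------------
# "sql" must be listed here. Assumed table (not in the stock schema):
#   CREATE TABLE radclassmap (class VARCHAR(128) PRIMARY KEY,
#                             username VARCHAR(64), authdate TIMESTAMP);
post-auth {
    sql
}

# --- sql module dialect queries (e.g. sql/mysql/dialup.conf) ------------
# Class is an 'octets' attribute; FreeRADIUS expands it as 0x-prefixed hex
# in both post-auth and accounting, so the stored value compares verbatim.
postauth_query = "INSERT INTO radclassmap (class, username, authdate) \
    VALUES ('%{reply:Class}', '%{control:Tmp-String-0}', NOW()) \
    ON DUPLICATE KEY UPDATE username = VALUES(username), authdate = NOW()"

# --- outer virtual server, preacct section ------------------------------
# Resolve the plaintext identity before the accounting queries expand
# %{User-Name}. Nested expansions inside %{sql:...} are SQL-escaped by
# the module, so a hostile Class value cannot break out of the query.
preacct {
    if (Class) {
        update request {
            User-Name := "%{sql:SELECT username FROM radclassmap \
                          WHERE class = '%{Class}'}"
        }
    }
    acct_unique
    suffix
}
```

If a NAS drops or rewrites Class, the lookup returns an empty string and User-Name is blanked, which is itself a useful detection signal for a misbehaving or spoofed NAS.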


Re: Unencrypted username in radacct/radpostauth for ttls tunnel authenticated user

2011-10-26 Thread James T. Mugauri


On 10/26/2011 02:49 PM, freeradius-users-requ...@lists.freeradius.org 
wrote:

>   On Access-Accept, store the unencrypted User-Name in the DB, along
> with a Class attribute.  When you receive an accounting packet, look up
> the Class attribute to find the unencrypted User-Name.

Thanks

I notice when running in debug mode, I have:

[ttls] Got tunneled request
User-Name = testairs...@iconnect.zm
User-Password = airspan
FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
User-Name = testairs...@iconnect.zm
User-Password = airspan
FreeRADIUS-Proxied-To = 127.0.0.1
Calling-Station-Id = 00-1f-fb-20-7b-0e
Service-Type = Framed-User
NAS-Port-Type = Wireless-802.16
WiMAX-Release = 1.0
...
...
...
[sql] expand: %{User-Name} -> testairs...@iconnect.zm
[sql] sql_set_user escaped user -- 'testairs...@iconnect.zm'

The user is then correctly authenticated and receives the relevant
parameters.


What attribute contains the unencrypted username, and at which stage of 
the inner-tunnel session can I retrieve it?

>   That's pretty much the only way with WiMAX.
>
>   Alan DeKok



Re: Unencrypted username in radacct/radpostauth for ttls tunnel authenticated user

2011-10-26 Thread Alan DeKok
James T. Mugauri wrote:
> On 10/26/2011 02:49 PM, freeradius-users-requ...@lists.freeradius.org
> wrote:
> >   On Access-Accept, store the unencrypted User-Name in the DB, along
> > with a Class attribute.  When you receive an accounting packet, look up
> > the Class attribute to find the unencrypted User-Name.
> Thanks

  I don't see why.

> I notice when running in debug mode, I have:
>
> [ttls] Got tunneled request
> User-Name = testairs...@iconnect.zm

  Which is an unencrypted User-Name.

> What attribute contains the unencrypted username, and at which stage of
> the inner-tunnel session can I retrieve it?

  (a) read my response
  (b) read the debug output.

  I fail to understand why this is difficult.  I answered your question.
 The debug log answers your question.  And you're still asking questions.

  Maybe you're looking for an answer to a question you didn't ask.  But
unless I'm completely incompetent at reading English, I answered your
question.

  Alan DeKok.