Re: how to do accounting with the inner identity
Alan and Alexander, thanks for your answers. I will investigate further whether my NAS respects RFC2865.

On 24/01/2011 14:21, Alexander Clouter wrote:
> Eric Doutreleau wrote:
> >
> > I'm trying to use freeradius 2.1.10 and to authenticate my users
> > with the eap-ttls process and an ldap server for the backend.
> >
> > All is running fine but I can't succeed in having the accounting done with
> > the inner identity of the ttls tunnel.
> >
> It all looks fine at your end, as you pass the 'new' User-Name in the
> Access-Accept back to your NAS. RFC2865 says your NAS *should* then
> mark the Accounting packets appropriately with the new User-Name; this
> is *not* a must though, and is optional.
>
> http://tools.ietf.org/html/rfc2865#section-5.1
>
> > I can see the Username "updated" in the following debug log but in
> > the accounting it's the outer identity that is used.
> > Does someone know what I can do to make the accounting use the inner
> > identity?
> >
> > [snipped: freeradius -X]
> >
> Your debug does not show *any* accounting traffic being sent to
> FreeRADIUS (none that I could see) after your Access-Accept.
>
> If your NAS does not send the new User-Name attribute in the Accounting
> Request, then I recommend you wave the RFC2865 link I gave above at your
> vendor.
>
> Cheers

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to do accounting with the inner identity
Eric Doutreleau wrote:
>
> I'm trying to use freeradius 2.1.10 and to authenticate my users
> with the eap-ttls process and an ldap server for the backend.
>
> All is running fine but I can't succeed in having the accounting done with
> the inner identity of the ttls tunnel.
>

It all looks fine at your end, as you pass the 'new' User-Name in the Access-Accept back to your NAS. RFC2865 says your NAS *should* then mark the Accounting packets appropriately with the new User-Name; this is *not* a must though, and is optional.

http://tools.ietf.org/html/rfc2865#section-5.1

> I can see the Username "updated" in the following debug log but in
> the accounting it's the outer identity that is used.
> Does someone know what I can do to make the accounting use the inner
> identity?
>
> [snipped: freeradius -X]
>

Your debug does not show *any* accounting traffic being sent to FreeRADIUS (none that I could see) after your Access-Accept.

If your NAS does not send the new User-Name attribute in the Accounting Request, then I recommend you wave the RFC2865 link I gave above at your vendor.

Cheers

--
Alexander Clouter
.sigmonster says: My weight is perfect for my height -- which varies.
Re: how to do accounting with the inner identity
Eric Doutreleau wrote:
> All is running fine but I can't succeed in having the accounting done with
> the inner identity of the ttls tunnel.

Blame the NAS. :(

> I can see the Username "updated" in the following debug log but in
> the accounting it's the outer identity that is used.
> Does someone know what I can do to make the accounting use the inner
> identity?

Use a NAS that follows the RFCs.

Or, use a DB to store the session information (Calling-Station-ID, etc.), along with the real User-Name. When the accounting request comes in, look up that data in order to re-write the User-Name.

Alan DeKok.
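
The database lookup Alan DeKok describes above, as an added example that is not part of the original thread and is not FreeRADIUS code or configuration. The function names, the SQLite table, the `MAX_AGE` limit, the `Outer-User-Name` key and the sample values are all assumptions; it keys the mapping on NAS-IP-Address plus Calling-Station-Id and expects to be called where both the inner User-Name and the outer request attributes are available.

```python
import re
import sqlite3

MAX_AGE = 12 * 3600  # assumption: seconds after which an unrefreshed mapping is ignored

def norm_mac(value):
    """Canonicalise Calling-Station-Id so differently punctuated MACs compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value or "")
    return digits.lower() if len(digits) == 12 else None

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS inner_identity (nas TEXT, mac TEXT, "
               "username TEXT, seen INTEGER, PRIMARY KEY (nas, mac))")
    return db

def record_accept(db, nas, calling_station_id, inner_user, now):
    """Store the inner identity once the tunnelled authentication has succeeded."""
    mac = norm_mac(calling_station_id)
    if mac is None:
        return False  # no usable key: better no mapping than a wrong one
    db.execute("INSERT OR REPLACE INTO inner_identity VALUES (?, ?, ?, ?)",
               (nas, mac, inner_user, now))
    return True

def rewrite_accounting(db, request, now):
    """Return a copy of the Accounting-Request with User-Name set to the inner identity."""
    out = dict(request)
    key = (request.get("NAS-IP-Address"), norm_mac(request.get("Calling-Station-Id")))
    row = db.execute("SELECT username, seen FROM inner_identity "
                     "WHERE nas = ? AND mac = ?", key).fetchone()
    if row and now - row[1] <= MAX_AGE:
        out["Outer-User-Name"] = request.get("User-Name")  # hypothetical audit field
        out["User-Name"] = row[0]
        db.execute("UPDATE inner_identity SET seen = ? WHERE nas = ? AND mac = ?",
                   (now,) + key)  # Interim-Updates keep a long session's mapping alive
    if request.get("Acct-Status-Type") == "Stop":
        # Drop the mapping so the next user of this device is not misattributed.
        db.execute("DELETE FROM inner_identity WHERE nas = ? AND mac = ?", key)
    return out

if __name__ == "__main__":
    db = open_store()
    record_accept(db, "192.0.2.10", "00-11-22-AA-BB-CC", "eric", now=1000)  # constructed
    start = {"User-Name": "anonymous", "NAS-IP-Address": "192.0.2.10",
             "Calling-Station-Id": "0011.22aa.bbcc", "Acct-Status-Type": "Start"}
    print(rewrite_accounting(db, start, now=1010)["User-Name"])
```

A request that matches no fresh mapping is returned with its original User-Name, so a missed lookup leaves the outer identity in the accounting record rather than guessing.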