Re: how to do accounting with the inner identity

2011-01-24 Thread Eric Doutreleau

Alan and Alexander, thanks for your answers.
I will investigate further whether my NAS respects RFC2865.

On 24/01/2011 14:21, Alexander Clouter wrote:

> Eric Doutreleau wrote:
>>
>> I'm trying to use freeradius 2.1.10 to authenticate my users
>> with the EAP-TTLS process and an LDAP server as the backend.
>>
>> All is running fine, but I can't manage to get the accounting done with
>> the inner identity of the TTLS tunnel.
>>
> It all looks fine at your end, as you pass the 'new' User-Name in the
> Access-Accept back to your NAS.  RFC2865 says your NAS *should* then
> mark the Accounting packets appropriately with the new User-Name; this is
> *not* a must though, and optional.
>
> http://tools.ietf.org/html/rfc2865#section-5.1
>
>> I can see the User-Name "updated" in the following debug log, but in
>> the accounting it's the outer identity that is used.
>> Does anyone know what I can do to make the accounting use the inner
>> identity?
>>
>> [snipped: freeradius -X]
>>
> Your debug does not show *any* accounting traffic being sent to
> FreeRADIUS (none that I could see) after your Access-Accept.  If your
> NAS does not send the new User-Name attribute in the Accounting Request,
> then I recommend you wave the RFC2865 link I gave above at your vendor.
>
> Cheers


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to do accounting with the inner identity

2011-01-24 Thread Alexander Clouter
Eric Doutreleau wrote:
> 
> I'm trying to use freeradius 2.1.10 to authenticate my users 
> with the EAP-TTLS process and an LDAP server as the backend.
> 
> All is running fine, but I can't manage to get the accounting done with 
> the inner identity of the TTLS tunnel.
> 
It all looks fine at your end, as you pass the 'new' User-Name in the 
Access-Accept back to your NAS.  RFC2865 says your NAS *should* then 
mark the Accounting packets appropriately with the new User-Name; this is 
*not* a must though, and optional.

http://tools.ietf.org/html/rfc2865#section-5.1

> I can see the User-Name "updated" in the following debug log, but in 
> the accounting it's the outer identity that is used.
> Does anyone know what I can do to make the accounting use the inner 
> identity?
>
> [snipped: freeradius -X]
>
Your debug does not show *any* accounting traffic being sent to 
FreeRADIUS (none that I could see) after your Access-Accept.  If your 
NAS does not send the new User-Name attribute in the Accounting Request, 
then I recommend you wave the RFC2865 link I gave above at your vendor.

Cheers

-- 
Alexander Clouter
.sigmonster says: My weight is perfect for my height -- which varies.



Re: how to do accounting with the inner identity

2011-01-24 Thread Alan DeKok
Eric Doutreleau wrote:
> All is running fine, but I can't manage to get the accounting done with
> the inner identity of the TTLS tunnel.

  Blame the NAS.  :(

> I can see the User-Name "updated" in the following debug log, but in
> the accounting it's the outer identity that is used.
> Does anyone know what I can do to make the accounting use the inner
> identity?

  Use a NAS that follows the RFCs.

  Or, use a DB to store the session information (Calling-Station-ID,
etc.), along with the real User-Name.  When the accounting request comes
in, look up that data in order to re-write the User-Name.

  Alan DeKok.
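One concrete shape of the DB lookup Alan describes, written here as an added example in FreeRADIUS 2.1.x unlang (it is not configuration from any post in this thread, nor shipped by the FreeRADIUS project). It assumes rlm_sql is enabled against MySQL and that a table session_map with columns nas_ip, calling_station and inner_name has been created by hand; the table and column names are assumptions.

```unlang
# Added example (not from the thread). Assumed: rlm_sql enabled against
# MySQL, and a hand-created table
#   session_map(nas_ip VARCHAR(46), calling_station VARCHAR(64),
#               inner_name VARCHAR(253), PRIMARY KEY (nas_ip, calling_station))
# Table and column names are assumptions.

# --- sites-enabled/inner-tunnel: post-auth runs once the tunnelled
#     identity has authenticated. outer.* is the Access-Request the NAS
#     sent, so NAS-IP-Address / Calling-Station-Id are taken from there.
post-auth {
	update outer.reply {
		User-Name := "%{Stripped-User-Name}"
	}
	# Remember which inner identity owns this station on this NAS.
	# The sql xlat escapes every expanded attribute before it reaches
	# the query, so the NAS-supplied Calling-Station-Id cannot inject SQL.
	# A non-SELECT query returns the number of affected rows, which is
	# parked in a temporary attribute and otherwise ignored.
	update outer.control {
		Tmp-String-0 := "%{sql:REPLACE INTO session_map (nas_ip, calling_station, inner_name) VALUES ('%{outer.request:NAS-IP-Address}', '%{outer.request:Calling-Station-Id}', '%{Stripped-User-Name}')}"
	}
}

# --- sites-enabled/default: preacct runs before accounting is logged.
preacct {
	preprocess
	# Normalise the MAC exactly as the authorize section did (the debug
	# in the thread shows rewrite_calling_station_id running there), or
	# the lookup key will not match what was stored.
	rewrite_calling_station_id
	# Only touch packets where the NAS kept the anonymous outer identity.
	if (User-Name =~ /^anonymous@/i) {
		update request {
			Tmp-String-0 := "%{sql:SELECT inner_name FROM session_map WHERE nas_ip = '%{NAS-IP-Address}' AND calling_station = '%{Calling-Station-Id}'}"
		}
		# Empty result: no mapping known, so leave the outer identity
		# in place rather than logging an empty User-Name.
		if ("%{Tmp-String-0}" != "") {
			update request {
				User-Name := "%{Tmp-String-0}"
			}
		}
	}
	acct_unique
	suffix
	files
}
```

Rows are never expired here, so a production version needs a timestamp column and a purge of stale entries; REPLACE INTO is MySQL-specific and would need an equivalent upsert on other backends.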


how to do accounting with the inner identity

2011-01-24 Thread Eric Doutreleau

Hi

I'm trying to use freeradius 2.1.10 to authenticate my users 
with the EAP-TTLS process and an LDAP server as the backend.


All is running fine, but I can't manage to get the accounting done with 
the inner identity of the TTLS tunnel.


the outer identity is anonym...@it-sudparis.eu
the inner identity is doutrele.

here is my config

in the eap.conf file i have for the ttls section

copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"

in the inner-tunnel file i have

post-auth {

    update outer.reply {
        User-Name := "%{Stripped-User-Name}"
    }
}

I can see the User-Name "updated" in the following debug log, but in 
the accounting it's the outer identity that is used.
Does anyone know what I can do to make the accounting use the inner 
identity?


rad_recv: Access-Request packet from host 157.159.21.152 port 38145, 
id=0, length=156

User-Name = "anonym...@it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 
0x021d01616e6f6e796d6f75734069742d73756470617269732e6575
Message-Authenticator = 0xc12e191df8f2ef431f22b16557a03c7b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
? Evaluating (request:Calling-Station-Id =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
-> TRUE
+++? if (request:Calling-Station-Id =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
-> TRUE
+++- entering if (request:Calling-Station-Id =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
{...}

expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0201
[request] returns ok
+++- if (request:Calling-Station-Id =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
returns ok

+++ ... skipping else for request 0: Preceding "if" was taken
++- policy rewrite_calling_station_id returns ok
++? if (User-Name =~ /^%{Calling-Station-ID}$/i)
expand: ^%{Calling-Station-ID}$ -> ^0201$
? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> FALSE
++? if (User-Name =~ /^%{Calling-Station-ID}$/i) -> FALSE
[auth_log] 	expand: 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> 
/var/log/radius/radacct/157.159.21.152/auth-detail-20110124
[auth_log] 
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands 
to /var/log/radius/radacct/157.159.21.152/auth-detail-20110124

[auth_log]  expand: %t -> Mon Jan 24 13:32:42 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "it-sudparis.eu" for User-Name = 
"anonym...@it-sudparis.eu"

[suffix] Found realm "it-sudparis.eu"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "it-sudparis.eu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 8
[files] users: Matched entry DEFAULT at line 14
++[files] returns ok
++? if (NAS-Identifier == "Chillispot" )
(Attribute NAS-Identifier was not found)
? Evaluating (NAS-Identifier == "Chillispot" ) -> FALSE
++? if (NAS-Identifier == "Chillispot" ) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 157.159.21.152 port 38145
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:1 = "invites"
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0xedc31135edc208ab4c1716af0bfa702b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 157.159.21.152 port 38145, 
id=1, length=151

User-Name = "anonym...@it-sudparis.eu"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT