(RADIATOR) Odyssey client and Radiator

Mike McCauley mikem at open.com.au
Wed Mar 12 23:05:21 CST 2003


Hi Steve and all,

Steve reported an issue with Funk Odyssey EAP-TTLS. The issue is that by 
default the Access Point sends accounting requests with a User-Name of 
'anonymous', rather than the real user name (i.e. the name that was 
authenticated in the inner TTLS authentication for the connection).

It's probably understandable that the client and AP work this way: it protects 
the real user name from sniffing. However, it makes it hard to do real 
accounting for a user's wireless usage.

We have now uploaded an example Radiator hook file that caches the real user 
name in a SQL table after authentication, and then does a lookaside during 
accounting, replacing 'anonymous' with the real user name. Therefore your 
accounting detail files or SQL will reflect the correct user name.

The patch is in the Radiator 3.5 patches area. 
There are 3 files:

- eap_anon_hook.pl: the hook code, used as both a PreProcessingHook and 
as a PostAuthHook.
- eap_ttls.cfg: a modified version of eap_ttls.cfg that shows how to use the hook.
- mysqlCreate.sql: an example table suitable for use with MySQL.

Tested with Odyssey TTLS and Cisco 340 APs.

Feedback etc direct to me please.

Cheers.



On Fri, 7 Mar 2003 12:17 am, Steve Caporossi wrote:
> Just in case this gets sent/bounced to the mailing list...let's use this
> config...IP Addresses have been changed.
>
>
> Yes, I am interested...any assistance you can provide will be
> appreciated.  I have no programming experience and have been trying to
> muddle my way through this...Needless to say, I have been unsuccessful
> to this point.  Attached is a copy of my config.  What else would you
> need/like from me?
>
> I would also like to say, You guys rule!  I have never had this level of
>    customer service from anyone.  Your product is rock solid and the
> support is outstanding.
>
> Steve
>
> Mike McCauley wrote:
>  > Hello Steve,
>  >
>  > thanks for raising this with us.
>  >
>  > I can think of a way of configuring Radiator to do this.
>  >
>  > It would involve a hook that runs when the TTLS inner authentication
>  > is done, and which enters the real User-Name, Acct-Session-Id,
>  > NAS-IP-Address, NAS-Port etc into a 'last authentication' table. Then
>  > when the accounting data is inserted, the insert query can do a
>  > lookaside to get the real username from 'last authentication' table.
>  >
>  > Are you interested in pursuing this? Can we be of assistance?
>  >
>  > Cheers.
>  >
>  >>>----------  Forwarded Message  ----------
>  >>>
>  >>>Subject: Re: Fwd: (RADIATOR) Odyssey client and Radiator - Question
>  >>>Date: Tue, 04 Mar 2003 08:30:17 -0500
>  >>>From: Steve Caporossi <capoross at musc.edu>
>  >>>To: Mike McCauley <mikem at open.com.au>
>  >>>Cc: Hugh Irvine <hugh at open.com.au>, radiator at open.com.au
>  >>>
>  >>>It seems to me that the accounting is useless if everything appears to
>  >>>come from "anonymous".  Is there a way to configure radiator so it
>  >>>records the actual username that authenticated?  Funk says this will be
>  >>>possible in the new release of their radius server and suggests I buy
>  >>>it...not acceptable to us.
>  >>>
>  >>>
>  >>>
>  >>>Thanks, Steve
>  >>>
>  >>>Mike McCauley wrote:
>  >>>>Hello Steve,
>  >>>>
>  >>>>>Begin forwarded message:
>  >>>>>>From: Steve Caporossi <capoross at musc.edu>
>  >>>>>>Date: Tue Mar 4, 2003  00:38:57 Australia/Melbourne
>  >>>>>>To: radiator at open.com.au
>  >>>>>>Subject: (RADIATOR) Odyssey client and Radiator - Question
>  >>>>>>
>  >>>>>>We are evaluating the Odyssey client for authenticating our wireless
>  >>>>>>users via TTLS.  I noticed that unless a user sets their username
>  >>>>>>under the TTLS settings tab, "anonymous" is recorded in the logs.
>  >>>>>>Is anyone else using this client and, have you come up with a
>  >>>>>>workaround for this behavior?
>  >>>>
>  >>>>This is the normal and expected behaviour for TTLS. They put
>  >>>>anonymous by
>  >>>>default in the outer request so that the 'real' user name is not
>  >>>>available
>  >>>>for sniffing.
>  >>>>
>  >>>>The downside is that the Radius requests all appear to be from
>  >>>>'anonymous'.
>  >>>>
>  >>>>You can change this behaviour in the Odyssey client by editing the
>  >>>>Profile/TTLS Setting page, and changing the 'Anonymous name:' field.
>  >>>>
>  >>>>Hope that helps.
>  >>>>
>  >>>>Cheers.
>  >>>>
>  >>>>>>Thanks,
>  >>>>>>--
>  >>>>>>Steve Caporossi
>  >>>>>>Network Systems Engineer
>  >>>>>>Center for Computing and Information Technology
>  >>>>>>Medical University of South Carolina
>  >>>>>>843.876.5083
>  >>>>>>
>  >>>>>>
>  >>>>>>===
>  >>>>>>Archive at http://www.open.com.au/archives/radiator/
>  >>>>>>Announcements on radiator-announce at open.com.au
>  >>>>>>To unsubscribe, email 'majordomo at open.com.au' with
>  >>>>>>'unsubscribe radiator' in the body of the message.
>  >>>>>
>  >>>>>NB: have you included a copy of your configuration file (no secrets),
>  >>>>>together with a trace 4 debug showing what is happening?
>  >>>

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
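The cache-then-lookaside approach described in this thread, modelled as an added Python example (this is not Radiator's eap_anon_hook.pl, which is Perl and not reproduced here): a 'last authentication' table keyed by NAS-IP-Address and NAS-Port is filled after a successful inner TTLS authentication and consulted when an Accounting-Request arrives with User-Name 'anonymous'. The class and function names, the sqlite table layout and the sample attribute values are assumptions; it also treats 'anonymous@realm' like 'anonymous', a small generalisation of the text, and leaves the name untouched when nothing is cached or the Acct-Session-Id disagrees.

```python
import sqlite3

ANON = "anonymous"  # outer identity the Odyssey client sends by default

def is_anonymous(user):
    # Treats 'anonymous' and 'anonymous@realm' alike (slight generalisation).
    return user.split("@", 1)[0] == ANON

class LastAuthCache:
    """Model of the 'last authentication' lookaside: keyed by NAS-IP-Address and
    NAS-Port, so a new login on the same AP port replaces the previous entry."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE lastauth (nas_ip TEXT, nas_port INTEGER,"
                        " username TEXT NOT NULL, acct_session_id TEXT,"
                        " PRIMARY KEY (nas_ip, nas_port))")

    def post_auth(self, req, inner_user, accepted):
        # PostAuthHook role: cache only a successful inner (TTLS) authentication.
        if not accepted or not inner_user:
            return False
        self.db.execute("INSERT OR REPLACE INTO lastauth VALUES (?, ?, ?, ?)",
                        (req["NAS-IP-Address"], req["NAS-Port"], inner_user,
                         req.get("Acct-Session-Id")))
        return True

    def pre_process(self, req):
        # PreProcessingHook role: rewrite User-Name on accounting requests only.
        if req.get("Code") != "Accounting-Request" or not is_anonymous(req.get("User-Name", "")):
            return req
        row = self.db.execute("SELECT username, acct_session_id FROM lastauth"
                              " WHERE nas_ip = ? AND nas_port = ?",
                              (req.get("NAS-IP-Address"), req.get("NAS-Port"))).fetchone()
        if row is None:
            return req  # nothing cached for this port: keep 'anonymous' rather than guess
        username, sid = row
        # When both sides carry an Acct-Session-Id, require a match so a stale
        # entry from an earlier login on the same port is not applied.
        if sid and req.get("Acct-Session-Id") and sid != req["Acct-Session-Id"]:
            return req
        return {**req, "User-Name": username}

def demo():
    # Constructed sample exchange (not captured traffic): anonymous outer name, real inner name.
    cache = LastAuthCache()
    auth = {"Code": "Access-Request", "User-Name": ANON, "NAS-IP-Address": "192.0.2.10", "NAS-Port": 37}
    cache.post_auth(auth, "alice", accepted=True)
    acct = {"Code": "Accounting-Request", "User-Name": ANON, "NAS-IP-Address": "192.0.2.10",
            "NAS-Port": 37, "Acct-Session-Id": "0000001A", "Acct-Status-Type": "Start"}
    return cache.pre_process(acct)["User-Name"]  # returns 'alice'
```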

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
