(RADIATOR) TTLS Accounting Problem

Sevcik Berndt berndt.sevcik at tgm.ac.at
Tue Jan 6 08:52:10 CST 2004


I use TTLS for authentication. In the SQL database the User is always shown
as anonymous. I found out that the problem can be solved with the following
lines in the configuration (goodies/eap_ttls.cfg):
	PreProcessingHook file:"goodies/eap_anon_hook.pl"
	PostAuthHook file:"goodies/eap_anon_hook.pl"

There, these lines are in the Handler clause. When you look at my
configuration, I use one Handler for both the PEAP and TTLS configuration. But
PEAP works without this patch. How can I apply this patch only to TTLS
Accounting?

AuthPort 1645
AcctPort 1646

<Client DEFAULT>
        Secret  XXX
        DupInterval 0
</Client>

<ClientListSQL>
        DBSource        dbi:mysql:radius
        DBUsername      XXX
        DBAuth          XXX
</ClientListSQL>

<AuthBy SQL>
    Identifier SQLAccounting
    AuthSelect
    DBSource    dbi:mysql:radius
    DBUsername  XXX
    DBAuth      XXX
    AccountingTable     ACCOUNTING
    AcctColumnDef       USERNAME,User-Name
    AcctColumnDef       TIME_STAMP,Timestamp,integer
    AcctColumnDef       ACCTSTATUSTYPE,Acct-Status-Type
    AcctColumnDef       ACCTDELAYTIME,Acct-Delay-Time,integer
    AcctColumnDef       ACCTINPUTOCTETS,Acct-Input-Octets,integer
    AcctColumnDef       ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
    AcctColumnDef       ACCTSESSIONID,Acct-Session-Id
    AcctColumnDef       ACCTSESSIONTIME,Acct-Session-Time,integer
    AcctColumnDef       ACCTTERMINATECAUSE,Acct-Terminate-Cause
    AcctColumnDef       NASIDENTIFIER,NAS-Identifier
    AcctColumnDef       NASPORT,NAS-Port,integer
    AcctColumnDef       FRAMEDIPADDRESS,Framed-IP-Address

    #AcctFailedLogFileName %D/missedaccounting
</AuthBy>

<AuthBy FILE>
    Identifier OUTERAuthentication
    Filename %D/users
    EAPType PEAP,TTLS
    EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
    EAPTLS_CertificateFile %D/certificates/cert-srv.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
    EAPTLS_PrivateKeyPassword whatever
    EAPTLS_MaxFragmentSize 1000
    #EAPTLS_DHFile %D/certificates/cert/dh
    #EAPTLS_CRLCheck
    #EAPTLS_CRLFile %D/certificates/crl.pem
    #EAPTLS_CRLFile %D/certificates/revocations.pem
    AutoMPPEKeys
    SSLeayTrace 4
</AuthBy>

<Handler TunnelledByPEAP=1>
    RewriteUsername s/(.*)\\(.*)/$2/
    <AuthBy LDAP2>
        Identifier      LDAPPEAPAuthentication
        RcryptKey       whatever
        Host            10.2.4.21
        AuthDN          XXXXXXXXXXX
        AuthPassword    XXXXXXXXX
        BaseDN          XXXX
        UsernameAttr    uid
        PasswordAttr    profilePath
        AuthAttrDef     radiusAuthType,GENERIC,check

        # You can enable debugging of the Net::LDAP
        # module with this:
        # Debug 255

        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

<Handler TunnelledByTTLS=1>
    RewriteUsername s/(.*)\\(.*)/$2/
    <AuthBy LDAP2>
        Identifier      LDAPTTLSAuthentication
        RcryptKey       whatever
        Host            10.2.4.21
        AuthDN          XXXX
        AuthPassword    XXXX
        BaseDN          XXXX
        UsernameAttr    uid
        PasswordAttr    scriptPath
        # AuthAttrDef   radiusAuthType,GENERIC,check

        # You can enable debugging of the Net::LDAP
        # module with this:
        # Debug 255

        # EAPType MSCHAP-V2
    </AuthBy>
</Handler>


<Handler Request-Type = Accounting-Request>
    AuthBy SQLAccounting
</Handler>

<Handler>
    # AuthByPolicy ContinueWhileReject
    AuthBy OUTERAuthentication
    # AuthBy PEAPAuthentication
</Handler>

Thanks
Berndt

-----------------------------------------
TGM - Die Schule der Technik
IT-Service
A-1200 Wien, Wexstr. 19-23
Tel. +43(1)33126/316 Fax: +43(1)33126/154
E-Mail: berndt.sevcik at tgm.ac.at
-----------------------------------------
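Added example for this thread, not code from the original post and not Radiator's goodies/eap_anon_hook.pl: a Python model of the correlation an EAP-TTLS accounting hook has to perform. The outer TTLS Access-Request carries only an anonymous identity, the real user name appears only in the tunnelled inner request, and the NAS later sends Accounting-Requests with the outer identity it was given, so the accounting table records "anonymous" unless something maps the two. The model records the inner user name where it becomes known (the PostAuthHook role) and rewrites an anonymous User-Name in Accounting-Requests (the PreProcessingHook role). Packets are plain dicts, the cache key (NAS-IP-Address, NAS-Port), the TTL, and every user name and address are constructed assumptions; the thread does not say what the real hook keys on. Because the rewrite only fires when the outer identity is anonymous, accounting that already carries a real user name is left untouched, which is one way to confine the fix to the TTLS case while both EAP types share one Handler.

```python
"""Model of the inner/outer identity correlation an EAP-TTLS accounting hook
performs.  Constructed example, not goodies/eap_anon_hook.pl; packets are dicts
keyed by RADIUS attribute name, and the (NAS-IP-Address, NAS-Port) key is an
assumption made for this example."""
import time


def is_anonymous(user_name):
    """True for the outer identities TTLS supplicants usually send:
    'anonymous', 'anonymous@realm', '@realm' or an empty name."""
    local_part = user_name.split("@", 1)[0]
    return local_part.strip().lower() in ("", "anonymous")


class InnerIdentityCache:
    """Remembers the tunnelled (inner) user name per NAS port so that a later
    Accounting-Request carrying only the outer identity can be attributed."""

    def __init__(self, ttl=600, clock=time.time):
        self.ttl = ttl          # seconds without accounting before an entry is stale
        self.clock = clock      # injectable for testing
        self._entries = {}      # (nas_ip, nas_port) -> (inner_user, last_seen)

    @staticmethod
    def _key(packet):
        return (packet.get("NAS-IP-Address"), packet.get("NAS-Port"))

    def post_auth(self, outer_request, inner_user, accepted):
        """PostAuthHook role: run where the inner user name is known (the
        TunnelledByTTLS handler).  Only successful authentications are
        recorded, so a rejected inner login cannot overwrite a good entry."""
        if not accepted or not inner_user:
            return False
        self._entries[self._key(outer_request)] = (inner_user, self.clock())
        return True

    def pre_process_accounting(self, acct_request):
        """PreProcessingHook role for the accounting Handler.  Replaces an
        anonymous User-Name with the cached inner identity and returns True
        when the packet was rewritten.  A real outer identity (as a PEAP
        supplicant may send) is left alone, so the rewrite never touches
        records that are already attributed."""
        if acct_request.get("Acct-Status-Type") is None:
            return False                      # not an accounting packet
        if not is_anonymous(acct_request.get("User-Name", "")):
            return False
        key = self._key(acct_request)
        entry = self._entries.get(key)
        if entry is None:
            return False                      # nothing cached: stays anonymous
        inner_user, last_seen = entry
        if self.clock() - last_seen > self.ttl:
            del self._entries[key]            # stale: do not attribute blindly
            return False
        acct_request["User-Name"] = inner_user
        if acct_request.get("Acct-Status-Type") == "Stop":
            del self._entries[key]            # session over; the port may be reused
        else:
            self._entries[key] = (inner_user, self.clock())   # keep live sessions fresh
        return True


def demo(clock=time.time):
    """Runs a constructed scenario and returns the User-Name each accounting
    packet ends up with, in arrival order."""
    cache = InnerIdentityCache(ttl=600, clock=clock)
    nas = {"NAS-IP-Address": "10.2.4.1", "NAS-Port": 5}      # constructed NAS
    # The outer TTLS Access-Request carries only the anonymous identity ...
    outer = {**nas, "User-Name": "anonymous@example.org"}
    # ... while the tunnelled handler authenticates the real user.
    cache.post_auth(outer, "alice", accepted=True)
    packets = [
        {**nas, "User-Name": "anonymous@example.org", "Acct-Status-Type": "Start"},
        {**nas, "User-Name": "anonymous@example.org", "Acct-Status-Type": "Interim-Update"},
        {**nas, "User-Name": "anonymous@example.org", "Acct-Status-Type": "Stop"},
        # accounting from another port whose outer identity is already real
        {"NAS-IP-Address": "10.2.4.1", "NAS-Port": 6, "User-Name": "bob",
         "Acct-Status-Type": "Start"},
        # anonymous accounting for a port that never produced an inner identity
        {"NAS-IP-Address": "10.2.4.1", "NAS-Port": 7, "User-Name": "anonymous",
         "Acct-Status-Type": "Start"},
    ]
    for packet in packets:
        cache.pre_process_accounting(packet)
    return [packet["User-Name"] for packet in packets]


if __name__ == "__main__":
    print(demo())
```

The two failure modes worth keeping in mind are visible in the demo: an Accounting-Request for a port the server never saw authenticate stays "anonymous" rather than being guessed, and an entry that has not been touched within the TTL is discarded instead of attributing a possibly reused port to the old user.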
 

