(RADIATOR) TTLS Accounting Problem
Hugh Irvine
hugh at open.com.au
Tue Jan 6 18:07:26 CST 2004
Hello Berndt -
There are a couple of ways of doing this, with the simplest being not
changing anything. If you don't change anything, things will still work
correctly - there will just be an additional SQL database lookup.
Alternatively you can add a line to the hook so that it only changes
the username of "anonymous" for accounting.
You can add something like this to the hook (and test it of course).
    else
    {
        if (${$p}->code() eq 'Accounting-Request' )
        {
            # only change the User-Name if it is 'anonymous'
            my $user = ${$p}->getUserName;
            return unless $user eq 'anonymous';
            .....
A third option is to use the Class attribute and add a Handler for
accounting for TTLS only. You will need to do some tests with your
equipment to see whether or not the Class attribute is returned in the
accounting requests.
regards
Hugh
On 07/01/2004, at 1:52 AM, Sevcik Berndt wrote:
> I use TTLS for authentication. In the SQL database the User is always
> shown as anonymous. I found out that the problem can be solved with the
> following lines in the configuration (goodies/eap_ttls.cfg):
> PreProcessingHook file:"goodies/eap_anon_hook.pl"
> PostAuthHook file:"goodies/eap_anon_hook.pl"
>
> There these lines are in the Handler clause. When you look at my
> configuration I use one Handler for both PEAP and TTLS configuration.
> But PEAP works without this patch. How can I only apply this patch to
> TTLS Accounting?
>
> AuthPort 1645
> AcctPort 1646
>
> <Client DEFAULT>
> Secret mysecret
> DupInterval 0
> </Client>
>
> <ClientListSQL>
> DBSource dbi:mysql:radius
> DBUsername root
> DBAuth letmein
> </ClientListSQL>
>
> <AuthBy SQL>
> Identifier SQLAccounting
> AuthSelect
> DBSource dbi:mysql:radius
> DBUsername root
> DBAuth letmein
> AccountingTable ACCOUNTING
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>
> #AcctFailedLogFileName %D/missedaccounting
> </AuthBy>
>
> <AuthBy FILE>
> Identifier OUTERAuthentication
> Filename %D/users
> EAPType PEAP,TTLS
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1000
> #EAPTLS_DHFile %D/certificates/cert/dh
> #EAPTLS_CRLCheck
> #EAPTLS_CRLFile %D/certificates/crl.pem
> #EAPTLS_CRLFile %D/certificates/revocations.pem
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
>
> <Handler TunnelledByPEAP=1>
> RewriteUsername s/(.*)\\(.*)/$2/
> <AuthBy LDAP2>
> Identifier LDAPPEAPAuthentication
> RcryptKey whatever
> Host 10.2.4.21
> AuthDN cn=admin, dc=tgm, dc=ac, dc=at
> AuthPassword sUpp.rT
> BaseDN ou=People,ou=admin,dc=tgm,dc=ac,dc=at
> UsernameAttr uid
> PasswordAttr profilePath
> AuthAttrDef radiusAuthType,GENERIC,check
>
> # You can enable debugging of the Net::LDAP
> # module with this:
> # Debug 255
>
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
> <Handler TunnelledByTTLS=1>
> RewriteUsername s/(.*)\\(.*)/$2/
> <AuthBy LDAP2>
> Identifier LDAPTTLSAuthentication
> RcryptKey whatever
> Host 10.2.4.21
> AuthDN cn=admin, dc=tgm, dc=ac, dc=at
> AuthPassword sUpp.rT
> BaseDN ou=People,ou=admin,dc=tgm,dc=ac,dc=at
> UsernameAttr uid
> PasswordAttr scriptPath
> # AuthAttrDef radiusAuthType,GENERIC,check
>
> # You can enable debugging of the Net::LDAP
> # module with this:
> # Debug 255
>
> # EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
>
>
> <Handler Request-Type = Accounting-Request>
> AuthBy SQLAccounting
> </Handler>
>
> <Handler>
> # AuthByPolicy ContinueWhileReject
> AuthBy OUTERAuthentication
> # AuthBy PEAPAuthentication
> </Handler>
>
> Thanks
> Berndt
>
> -----------------------------------------
> TGM - Die Schule der Technik
> IT-Service
> A-1200 Wien, Wexstr. 19-23
> Tel. +43(1)33126/316 Fax: +43(1)33126/154
> E-Mail: berndt.sevcik at tgm.ac.at
> -----------------------------------------
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
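The guard Hugh sketches above, written out as a complete hook body and exercised offline. This is an added example, not Radiator's own goodies/eap_anon_hook.pl: it only applies the "accounting only, and only when the outer User-Name is anonymous" check, and it assumes the tunnelled identity has already been captured somewhere (here a hypothetical %real_user table keyed by Acct-Session-Id, filled with constructed sample data). The FakeRequest package is a constructed stand-in for the Radius::Radius request object so the script runs without a Radiator install; code(), getUserName, get_attr and changeUserName are the Radius::Radius methods the hook would call in production. The point for the accounting database is that records end up attributed to the real user rather than to "anonymous", while Access-Requests and non-anonymous accounting are never touched.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for Radius::Radius so the hook can be exercised
# offline; only the four methods the hook uses are modelled (assumption).
package FakeRequest;
sub new            { my ($class, %attrs) = @_; return bless { %attrs }, $class }
sub code           { return $_[0]{code} }
sub getUserName    { return $_[0]{'User-Name'} }
sub get_attr       { return $_[0]{ $_[1] } }
sub changeUserName { $_[0]{'User-Name'} = $_[1]; return }

package main;

# Hypothetical table of tunnelled identities by Acct-Session-Id. In a real
# deployment something at authentication time would populate this; the
# values below are constructed sample data.
my %real_user = ( 'sess-0001' => 'berndt' );

# The hook. A Radiator hook file evaluates to an anonymous sub that receives
# references to the request and reply, so the request is ${$_[0]} (as in
# Hugh's ${$p}->code()).
my $hook = sub {
    my ($pref) = @_;
    my $p = ${$pref};

    # Hugh's guard: accounting requests only ...
    return unless $p->code() eq 'Accounting-Request';

    # ... and only when the outer identity is still 'anonymous'.
    my $user = $p->getUserName;
    return unless defined $user && $user eq 'anonymous';

    # Unknown session: leave the record as it is rather than guessing.
    my $sid = $p->get_attr('Acct-Session-Id');
    return unless defined $sid && exists $real_user{$sid};

    $p->changeUserName( $real_user{$sid} );
    return;
};

# Four constructed requests: only the second one should be rewritten.
my @cases = (
    # code                 User-Name    Acct-Session-Id  expected User-Name after hook
    [ 'Access-Request',     'anonymous', 'sess-0001',     'anonymous' ],
    [ 'Accounting-Request', 'anonymous', 'sess-0001',     'berndt'    ],
    [ 'Accounting-Request', 'berndt',    'sess-0001',     'berndt'    ],
    [ 'Accounting-Request', 'anonymous', 'sess-9999',     'anonymous' ],
);

for my $c (@cases) {
    my ( $code, $name, $sid, $expect ) = @$c;
    my $p = FakeRequest->new(
        code              => $code,
        'User-Name'       => $name,
        'Acct-Session-Id' => $sid,
    );
    $hook->( \$p );
    printf "%-18s %-10s -> %-10s %s\n", $code, $name, $p->getUserName,
        ( $p->getUserName eq $expect ? 'ok' : 'MISMATCH' );
}
```

Run it with plain perl; every line should print "ok". Dropping the first `return unless` is what makes the username change leak into Access-Requests, which is the situation Berndt is trying to avoid for PEAP.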