(RADIATOR) TTLS Accounting Problem

Hugh Irvine hugh at open.com.au
Tue Jan 6 18:07:26 CST 2004


Hello Berndt -

There are a couple of ways of doing this, with the simplest being not 
changing anything. If you don't change anything, things will still work 
correctly - there will just be an additional SQL database lookup.

Alternatively you can add a line to the hook so that it only changes 
the username of "anonymous" for accounting.

You can add something like this to the hook (and test it of course).

     else
     {
         if (${$p}->code() eq 'Accounting-Request' )
         {
             # only change the User-Name if it is 'anonymous'
             my $user = ${$p}->getUserName;
             return unless $user eq 'anonymous';
             .....
         }
     }



A third option is to use the Class attribute and add a Handler for 
accounting for TTLS only. You will need to do some tests with your 
equipment to see whether or not the Class attribute is returned in the 
accounting requests.

regards

Hugh


On 07/01/2004, at 1:52 AM, Sevcik Berndt wrote:

> I use TTLS for authentication. In the SQL database the User is always
> shown as anonymous. I found out that the problem can be solved with the
> following lines in the configuration (goodies/eap_ttls.cfg):
> 	PreProcessingHook file:"goodies/eap_anon_hook.pl"
> 	PostAuthHook file:"goodies/eap_anon_hook.pl"
>
> There these lines are in the Handler clause. When you look at my
> configuration I use one Handler for both PEAP and TTLS configuration.
> But PEAP works without this patch. How can I only apply this patch to TTLS
> Accounting?
>
> AuthPort 1645
> AcctPort 1646
>
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> <ClientListSQL>
>         DBSource        dbi:mysql:radius
>         DBUsername      root
>         DBAuth          letmein
> </ClientListSQL>
>
> <AuthBy SQL>
>     Identifier SQLAccounting
>     AuthSelect
>     DBSource    dbi:mysql:radius
>     DBUsername  root
>     DBAuth      letmein
>     AccountingTable     ACCOUNTING
>     AcctColumnDef       USERNAME,User-Name
>     AcctColumnDef       TIME_STAMP,Timestamp,integer
>     AcctColumnDef       ACCTSTATUSTYPE,Acct-Status-Type
>     AcctColumnDef       ACCTDELAYTIME,Acct-Delay-Time,integer
>     AcctColumnDef       ACCTINPUTOCTETS,Acct-Input-Octets,integer
>     AcctColumnDef       ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>     AcctColumnDef       ACCTSESSIONID,Acct-Session-Id
>     AcctColumnDef       ACCTSESSIONTIME,Acct-Session-Time,integer
>     AcctColumnDef       ACCTTERMINATECAUSE,Acct-Terminate-Cause
>     AcctColumnDef       NASIDENTIFIER,NAS-Identifier
>     AcctColumnDef       NASPORT,NAS-Port,integer
>     AcctColumnDef       FRAMEDIPADDRESS,Framed-IP-Address
>
>     #AcctFailedLogFileName %D/missedaccounting
> </AuthBy>
>
> <AuthBy FILE>
>     Identifier OUTERAuthentication
>     Filename %D/users
>     EAPType PEAP,TTLS
>     EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>     EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>     EAPTLS_CertificateType PEM
>     EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>     EAPTLS_PrivateKeyPassword whatever
>     EAPTLS_MaxFragmentSize 1000
>     #EAPTLS_DHFile %D/certificates/cert/dh
>     #EAPTLS_CRLCheck
>     #EAPTLS_CRLFile %D/certificates/crl.pem
>     #EAPTLS_CRLFile %D/certificates/revocations.pem
>     AutoMPPEKeys
>     SSLeayTrace 4
> </AuthBy>
>
> <Handler TunnelledByPEAP=1>
>     RewriteUsername s/(.*)\\(.*)/$2/
>     <AuthBy LDAP2>
>         Identifier      LDAPPEAPAuthentication
>         RcryptKey       whatever
>         Host            10.2.4.21
>         AuthDN          cn=admin, dc=tgm, dc=ac, dc=at
>         AuthPassword    sUpp.rT
>         BaseDN          ou=People,ou=admin,dc=tgm,dc=ac,dc=at
>         UsernameAttr    uid
>         PasswordAttr    profilePath
>         AuthAttrDef     radiusAuthType,GENERIC,check
>
>         # You can enable debugging of the Net::LDAP
>         # module with this:
>         # Debug 255
>
>         EAPType MSCHAP-V2
>     </AuthBy>
> </Handler>
>
> <Handler TunnelledByTTLS=1>
>     RewriteUsername s/(.*)\\(.*)/$2/
>     <AuthBy LDAP2>
>         Identifier      LDAPTTLSAuthentication
>         RcryptKey       whatever
>         Host            10.2.4.21
>         AuthDN          cn=admin, dc=tgm, dc=ac, dc=at
>         AuthPassword    sUpp.rT
>         BaseDN          ou=People,ou=admin,dc=tgm,dc=ac,dc=at
>         UsernameAttr    uid
>         PasswordAttr    scriptPath
>         # AuthAttrDef   radiusAuthType,GENERIC,check
>
>         # You can enable debugging of the Net::LDAP
>         # module with this:
>         # Debug 255
>
>         # EAPType MSCHAP-V2
>     </AuthBy>
> </Handler>
>
>
> <Handler Request-Type = Accounting-Request>
>     AuthBy SQLAccounting
> </Handler>
>
> <Handler>
>     # AuthByPolicy ContinueWhileReject
>     AuthBy OUTERAuthentication
>     # AuthBy PEAPAuthentication
> </Handler>
>
> Thanks
> Berndt
>
> -----------------------------------------
> TGM - Die Schule der Technik
> IT-Service
> A-1200 Wien, Wexstr. 19-23
> Tel. +43(1)33126/316 Fax: +43(1)33126/154
> E-Mail: berndt.sevcik at tgm.ac.at
> -----------------------------------------
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
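A stand-alone Python model, added here and not part of this thread or of Radiator, of the two options above: the server tags TTLS Access-Accepts with a Class value, the NAS echoes it in the Accounting-Request so accounting can be routed to a TTLS-only Handler, and the accounting side applies the hook's rule of replacing User-Name only when it is 'anonymous'. The tag value, the attribute encode/decode helpers and the inner_identity argument are constructed for the example; Radiator's own hook API is not used.

```python
import struct

# RFC 2865/2866 packet codes and attribute types used in this model
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
USER_NAME, CLASS, ACCT_STATUS_TYPE = 1, 25, 40
TTLS_CLASS_TAG = b"ttls-session"  # constructed tag, not a Radiator default

def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS attribute TLVs."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    """Parse attribute TLVs, rejecting lengths that overrun the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, length = data[pos], data[pos + 1]
        attrs.append((atype, data[pos + 2:pos + length]))
        pos += length
    return attrs

def get_attr(wire, atype):
    return next((v for t, v in decode_attrs(wire) if t == atype), None)

def access_accept(tunnel):
    """Server reply: only TTLS sessions are tagged with a Class attribute."""
    return encode_attrs([(CLASS, TTLS_CLASS_TAG)] if tunnel == "TTLS" else [])

def accounting_request(accept_wire, outer_user, status=1):
    """NAS side: a Start record that echoes any Class from the Access-Accept."""
    attrs = [(USER_NAME, outer_user.encode()),
             (ACCT_STATUS_TYPE, struct.pack("!I", status))]
    cls = get_attr(accept_wire, CLASS)
    return encode_attrs(attrs + ([(CLASS, cls)] if cls is not None else []))

def select_handler(code, wire):
    """Route accounting to a TTLS-only Handler when the Class tag is echoed."""
    if code != ACCOUNTING_REQUEST:
        return "authentication"
    return "ttls-accounting" if get_attr(wire, CLASS) == TTLS_CLASS_TAG else "accounting"

def acct_username(code, wire, inner_identity):
    """The hook's rule: replace User-Name only for 'anonymous' accounting."""
    user = get_attr(wire, USER_NAME).decode()
    return inner_identity if code == ACCOUNTING_REQUEST and user == "anonymous" else user
```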
