(RADIATOR) TTLS Anonymous and RADONLINE

Hugh Irvine hugh at open.com.au
Wed Jan 28 19:33:14 CST 2004


Hello Michael -

The simplest thing to do is add a bit of code to the hook so it updates 
the session database as well.

regards

Hugh


On 29 Jan 2004, at 11:44, Michael Harlow wrote:

>
> Hello.
>
> I have TTLS/PAP running (With SQL), and use the eap_anon_hook.pl in both
> "PreProcessingHook" and "PostAuthHook", so that the RADONLINE table contains
> inner user names, so accounting records contain the inner name, and not
> anonymous.
>
> I've turned on SessionDatabase SQL option, to create a table of currently
> connected users, and it contains the outer name, not the inner name.
>
> Does anyone know a way around this?
>
> Thanks, Michael
>
>
> -------------------------------------------------
> Michael Harlow              GPO Box 252-69
> Network Engineer            Hobart Tasmania 7001
> IT Resources                Ph  03 6226 1812
> University of Tasmania      Mob 0438 26 1812
> Michael.Harlow at utas.edu.au  Fx  03 6226 7171
> -------------------------------------------------
>
> +++++++++++++++++++++++++++++++++++++++++++++++++
>
> <SessionDatabase SQL>
>         DBSource        dbi:mysql:database=XXXX;host=XXXXX
>         DBUsername      XXXX
>         DBAuth          XXXX
> </SessionDatabase SQL>
>
> <Realm DEFAULT>
>         <AuthBy SQL>
>                 EAPType TTLS
>                 DBSource        dbi:mysql:database=XXXX;host=XXXX
>                 DBUsername      XXXX
>                 DBAuth          XXXX
>
>                 AccountingTable ACCOUNTING
>                 AcctColumnDef   USERNAME,User-Name
>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type
>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause
>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef   NASPORT,NAS-Port,integer
>                 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>                 AcctColumnDef   STATIONID,Calling-Station-Id
>
>                 AuthSelect select ENCRYPTEDPASSWORD from SUBSCRIBERS where USERNAME = '%n'
>                 EncryptedPassword
>
>                 AcctFailedLogFileName %D/missedaccounting
>
>                 EAPTLS_CAFile %D/certificates/cacert.pem
>                 EAPTLS_CertificateFile %D/certificates/xxxx.crt
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/xxxx.key
>                 EAPTLS_PrivateKeyPassword xxxx
>                 EAPTLS_MaxFragmentSize 1000
>                 EAPTLS_SessionResumption no
>
>                 AutoMPPEKeys
>         </AuthBy>
>
>         # These hooks fix the problem with some implementations of TTLS, where the
>         # accounting requests have the User-Name of anonymous, instead of the real
>         # users name. After authenticating the inner TTLS request, the
>         # PostAuthHook caches the _real_ user name in an SQL table,
>         # The PreProcessingHook replaces the 'anonymous' user name in accounting
>         # requests with the real user name that was previously cached for the NAS
>         # and NAS-Port.
>         # You can see the correct real User-Name logged in the AcctLogFileName
>
>         PreProcessingHook file:"/usr/local/Radiator-3.8/goodies/eap_anon_hook.pl"
>         PostAuthHook file:"/usr/local/Radiator-3.8/goodies/eap_anon_hook.pl"
> </Realm>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
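An added example (not Hugh's code and not the eap_anon_hook.pl shipped in Radiator's goodies) of what "updating the session database as well" can look like in a PreProcessingHook: on Accounting-Requests that carry the outer name, it substitutes the cached inner name and then rewrites the matching RADONLINE row. It assumes the PostAuthHook caches inner names in a table ANONCACHE(NASIDENTIFIER, NASPORT, USERNAME), that RADONLINE has the default USERNAME, NASIDENTIFIER and NASPORT columns, and that the DSN and credentials below are placeholders; the only Radiator calls used are $p->code, $p->get_attr, $p->change_attr and &main::log.

```perl
# Hook file evaluated by Radiator via: PreProcessingHook file:"/path/to/this.pl"
# ANONCACHE, RADONLINE column names and the DSN/credentials are assumptions.
use DBI;

sub {
    my ($p, $rp) = @_;
    return unless $p->code eq 'Accounting-Request';

    my $outer = $p->get_attr('User-Name');
    return unless defined $outer && lc($outer) eq 'anonymous';

    my $nasid = $p->get_attr('NAS-Identifier');
    my $port  = $p->get_attr('NAS-Port');
    return unless defined $nasid && defined $port;

    # One connection per call keeps the example self-contained; a production
    # hook would keep $dbh in a file-scoped variable and reconnect on error.
    my $dbh = DBI->connect('dbi:mysql:database=XXXX;host=XXXX', 'XXXX', 'XXXX',
                           { RaiseError => 0, PrintError => 0 })
        or do {
            &main::log($main::LOG_ERR, "anon hook: DBI connect failed: $DBI::errstr");
            return;
        };

    # Bind parameters so attribute values sent by the NAS never reach the SQL as text.
    my ($inner) = $dbh->selectrow_array(
        'SELECT USERNAME FROM ANONCACHE WHERE NASIDENTIFIER = ? AND NASPORT = ?',
        undef, $nasid, $port);
    if (!defined $inner) {
        &main::log($main::LOG_DEBUG, "anon hook: no cached inner name for $nasid/$port");
        $dbh->disconnect;
        return;
    }

    # The accounting record now carries the inner name ...
    $p->change_attr('User-Name', $inner);

    # ... and so does the live session row for this NAS and port.
    my $rows = $dbh->do(
        'UPDATE RADONLINE SET USERNAME = ? WHERE NASIDENTIFIER = ? AND NASPORT = ?',
        undef, $inner, $nasid, $port);
    my $count = defined $rows ? $rows + 0 : "error: $DBI::errstr";
    &main::log($main::LOG_DEBUG,
               "anon hook: $outer -> $inner on $nasid/$port; RADONLINE rows updated: $count");
    $dbh->disconnect;
}
```

Check the result with a trace 4 debug, as Hugh asks for: the Accounting-Request shown after the hook should carry the inner User-Name, and the RADONLINE row for that NAS/port should show the same name.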
