(RADIATOR) rewrite User-Name in access-accept??
Luis Guido
lguido at fccn.pt
Wed Jun 23 04:47:11 CDT 2004
Hi Jeff,
That's how we handle the same issue here (Cisco 1200 & 1100):
<Handler Realm=myrealm.pt>
	# Outer EAP identity (e.g. anonymous@myrealm.pt): strip the realm
	RewriteUsername s/^([^@]+).*/$1/
	<AuthBy FILE>
		EAPType PEAP, TTLS
		EAPTLS_CAFile /etc/radius/cert/demoCA/cacert.pem
		EAPTLS_CertificateFile /etc/radius/cert/cert-srv.pem
		EAPTLS_CertificateType PEM
		EAPTLS_PrivateKeyFile /etc/radius/cert/cert-srv.pem
		EAPTLS_PrivateKeyPassword whatever
		EAPTLS_MaxFragmentSize 1000
		AutoMPPEKeys
		# Verbose TLS debugging; turn down for production
		SSLeayTrace 4
	</AuthBy>
	AccountingHandled
</Handler>

# Inner identity carried inside the TTLS tunnel
<Handler TunnelledByTTLS=1>
	RewriteUsername s/^([^@]+).*/$1/
	<AuthBy FILE>
		Filename /etc/radius/users
	</AuthBy>
	# %u is the User-Name of the tunnelled request as received, so the
	# reply carries the inner identity (realm still attached, see trace below)
	AddToReply User-Name=%u
</Handler>
This config works great for us, and the Access-Accept carries not only the
User-Name but also the dynamic VLAN assignment:
*** Sending to 10.0.11.5 port 21660 ....
Code: Access-Accept
Identifier: 21
Authentic: <232><19><215>d<160><25>v<167>N<244><131><163><252><230><222><209>
Attributes:
Tunnel-Type = 1:VLAN
Tunnel-Medium-Type = 1:Ether_802
Tunnel-Private-Group-ID = 1:1111
User-Name = "inner-username@myrealm.pt"
MS-MPPE-Send-Key = "<201>I=<181>(<6>|<237><239><145><164>Z<242><200>F<19>Q<190><185>@<233>@<232><164>7Dm<252><152>T<28>~!<138><197><27>5<159><201><197><213>O<183><199><232>Z<199>?<244><197>"
MS-MPPE-Recv-Key = "<219><170>1<133><18>+_*G<237><221><245><240><234><206><210><234>xTR_/<204><182><<152><224><158>B<249><28>2<143><240><212><209>}<238><171>gH<240><10><231><14><190><161><252><129><186>"
EAP-Message = <3><5><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Regards,
Luis Guido
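The check below is an added example, not code from Luis's message or from Radiator itself. It parses a Radiator-style "Attributes:" dump (the first sample is copied from the trace above with the MPPE keys left out; the second is constructed to reproduce Jeff's two-User-Name symptom), applies the same realm-stripping regex as the RewriteUsername line, and flags the things a practitioner would verify before trusting the NAS accounting: exactly one User-Name in the Access-Accept, that it is not the outer anonymous identity, and that the three RFC 2868 tunnel attributes share one tag (a NAS ignores a VLAN set whose tags disagree). The problem codes returned by check_accept are my own names, not Radiator terms.

```python
import re

# Access-Accept as printed by Radiator's trace in the message above (MPPE keys
# and Message-Authenticator omitted; nothing below depends on them).
GOOD_TRACE = """\
Code: Access-Accept
Identifier: 21
Attributes:
Tunnel-Type = 1:VLAN
Tunnel-Medium-Type = 1:Ether_802
Tunnel-Private-Group-ID = 1:1111
User-Name = "inner-username@myrealm.pt"
EAP-Message = <3><5><0><4>
"""

# Constructed dump reproducing Jeff's symptom: AddToReply appended a second
# User-Name next to the outer "anonymous" one instead of replacing it.
DUPLICATE_TRACE = """\
Code: Access-Accept
Identifier: 22
Attributes:
User-Name = "anonymous@myrealm.pt"
User-Name = "luser"
EAP-Message = <3><6><0><4>
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$')
TAG_RE = re.compile(r'^(\d+):(.*)$')      # RFC 2868 tag prefix, e.g. 1:VLAN
REALM_RE = re.compile(r'^([^@]+).*')      # same regex as the RewriteUsername line


def strip_realm(username):
    """Apply the config's RewriteUsername rule: keep only the part before '@'."""
    return REALM_RE.sub(r'\1', username)


def parse_trace(text):
    """Parse a Radiator packet dump into (code, [(name, tag, value), ...]).

    Tunnel-* values such as 1:VLAN are split into tag 1 and value VLAN; every
    other attribute gets tag None. Surrounding quotes are removed from strings.
    """
    code, attrs, in_attrs = None, [], False
    for line in text.splitlines():
        if line.startswith("Code:"):
            code = line.split(":", 1)[1].strip()
        elif line.startswith("Attributes:"):
            in_attrs = True
        elif in_attrs:
            m = ATTR_RE.match(line)
            if not m:
                continue
            name, value = m.group(1), m.group(2).strip().strip('"')
            tag = None
            t = TAG_RE.match(value)
            if t and name.startswith("Tunnel-"):
                tag, value = int(t.group(1)), t.group(2)
            attrs.append((name, tag, value))
    return code, attrs


def vlan_assignment(attrs):
    """Return the dynamic VLAN carried by the three RFC 2868 tunnel attributes,
    or None if one is missing or their tags disagree."""
    wanted = {"Tunnel-Type": "type", "Tunnel-Medium-Type": "medium",
              "Tunnel-Private-Group-ID": "group_id"}
    found, tags = {}, set()
    for name, tag, value in attrs:
        if name in wanted:
            found[wanted[name]] = value
            tags.add(tag)
    if len(found) != 3 or len(tags) != 1:
        return None
    found["tag"] = tags.pop()
    return found


def check_accept(text):
    """Return a list of problem codes (my own names); empty means the reply has
    exactly one inner User-Name and a consistent VLAN assignment."""
    code, attrs = parse_trace(text)
    problems = []
    if code != "Access-Accept":
        problems.append("not-access-accept")
    names = [v for n, _, v in attrs if n == "User-Name"]
    if not names:
        problems.append("no-user-name")          # NAS may fall back to outer identity
    elif len(names) > 1:
        problems.append("duplicate-user-name")   # Jeff's AddToReply symptom
    elif strip_realm(names[0]) == "anonymous":
        problems.append("outer-identity-in-reply")
    if vlan_assignment(attrs) is None:
        problems.append("vlan-attributes-incomplete-or-tag-mismatch")
    return problems


if __name__ == "__main__":
    for label, trace in (("good", GOOD_TRACE), ("duplicate", DUPLICATE_TRACE)):
        print(label, check_accept(trace) or "OK",
              vlan_assignment(parse_trace(trace)[1]))
```

Run it against your own Radiator trace (Trace 4 prints the same "Attributes:" layout) to confirm the Access-Accept your AP sees carries one User-Name before you start comparing it with the accounting Start/Stop packets.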
> -----Original Message-----
> From: owner-radiator at open.com.au
> [mailto:owner-radiator at open.com.au] On Behalf Of Jeff Wolfe
> Sent: Wednesday, June 23, 2004 00:26
> To: radiator at open.com.au
> Subject: (RADIATOR) rewrite User-Name in access-accept??
>
> Is it possible to rewrite the username in the access-accept packet that
> radiator sends back as part of an EAP-TTLS packet?
>
> I'm specifically interested in replacing the outer username in EAP-TTLS with
> the inner username.
>
> I'm arguing with Cisco over accounting with EAP-TTLS; they claim the AP1200
> listens to the user-name in the access-accept packet for the user-name used in
> the accounting start and stop packets that follow.
>
> I'm not so sure, but based on observation of the transaction with a sniffer,
> radiator does not send a user-name attribute in the access-accept packet at all.
>
> To make matters worse, when I use "AddToReply" to add a user-name attribute, I
> get 2 in the packet; the "user-name=anonymous" I don't want and the
> "user-name=luser" that I added.
>
> My brain is fried at the moment, so I'm going to wait until tomorrow to go look
> at the code again. :)
>
> thanks
>
> -JEff
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.