(RADIATOR) rewrite User-Name in access-accept??
Luis Guido
lguido at fccn.pt
Wed Jun 23 05:58:37 CDT 2004
I forgot to tell you that the User-Name is only correctly handled by IOS
12.2(15)JA. The 12.2(13) had an annoying bug that could make the username
have an extra byte. The previous IOS didn't handle the User-Name
attribute at all.
Regards,
Luis Guido
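The RewriteUsername line and the AddToReply User-Name=%u line in the Handler config quoted below are the two settings that decide which User-Name ends up in the Access-Accept, and Jeff's symptom was a reply carrying two of them. The following Python is added here as an illustration; it is not code from the thread or from Radiator. It reproduces the realm-stripping substitution with Python's re module (the pattern evaluates the same way in Perl and Python) and parses a Radiator "Sending to" trace dump of the kind quoted below, checking that the reply carries exactly one User-Name and that it holds the inner identity. The two trace dumps embedded in it are constructed for the example, and the function names are my own.

```python
import re

# Radiator applies "RewriteUsername s/^([^@]+).*/$1/" as a Perl substitution;
# Python's re module evaluates this particular pattern identically.
REWRITE_PATTERN = re.compile(r"^([^@]+).*")


def strip_realm(username):
    """Mirror of the RewriteUsername line from the thread: keep everything
    before the first '@' and drop the realm. A name with no local part before
    the '@' is returned unchanged, as the Perl s/// leaves it when it fails."""
    match = REWRITE_PATTERN.match(username)
    return match.group(1) if match else username


def parse_reply_attributes(dump):
    """Parse the attribute list of a Radiator 'Sending to' trace dump into an
    ordered list of (name, value) pairs. Values that a mailer wrapped across
    lines (the MS-MPPE-*-Key dumps in the thread) are joined back together."""
    attrs = []
    in_attrs = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not in_attrs:
            in_attrs = line == "Attributes:"
            continue
        if not line:
            continue
        name, sep, value = line.partition(" = ")
        if sep and re.fullmatch(r"[A-Za-z0-9-]+", name):
            attrs.append((name, value))
        elif attrs:
            # no "Name = " prefix: continuation of the previous wrapped value
            prev_name, prev_value = attrs[-1]
            attrs[-1] = (prev_name, prev_value + line)
    return attrs


def check_user_name(attrs, expected_inner):
    """Return the list of problems with the User-Name in an Access-Accept.
    An empty list means exactly one User-Name is present and it carries the
    inner identity, which is what the accounting records should be keyed on."""
    problems = []
    names = [value.strip('"') for name, value in attrs if name == "User-Name"]
    if len(names) != 1:
        problems.append(
            "expected exactly one User-Name, found %d: %r" % (len(names), names))
    for name in names:
        if name != expected_inner:
            problems.append(
                "User-Name %r is not the inner identity %r" % (name, expected_inner))
    return problems


# Constructed sample dumps in the format of the trace quoted in the thread.
# GOOD_REPLY has one User-Name holding the inner identity; BAD_REPLY shows
# the duplicate User-Name symptom Jeff described.
GOOD_REPLY = """\
*** Sending to 10.0.11.5 port 21660 ....
Code: Access-Accept
Identifier: 21
Authentic:
<232><19><215>d<160><25>v<167>N<244><131><163><252><230><222><209>
Attributes:
    Tunnel-Type = 1:VLAN
    Tunnel-Medium-Type = 1:Ether_802
    Tunnel-Private-Group-ID = 1:1111
    User-Name = "inner-username@myrealm.pt"
    MS-MPPE-Send-Key = "<201>I=<181>(<6>|<237><239><145><164>Z<242><200>F<19>
    <232><164>7Dm<252><152>T<28>~!<138><197><27>5<159><201><197>"
    EAP-Message = <3><5><0><4>
"""

BAD_REPLY = """\
*** Sending to 10.0.11.5 port 21660 ....
Code: Access-Accept
Identifier: 22
Attributes:
    User-Name = "anonymous"
    User-Name = "luser"
    EAP-Message = <3><5><0><4>
"""


if __name__ == "__main__":
    print(strip_realm("inner-username@myrealm.pt"))
    for label, dump, inner in (("good", GOOD_REPLY, "inner-username@myrealm.pt"),
                               ("bad", BAD_REPLY, "luser")):
        print(label, check_user_name(parse_reply_attributes(dump), inner) or "ok")
```

Run against a trace captured with Radiator's debug output, the checker flags the two failure modes in the thread: no User-Name at all in the reply, or a second one next to the outer "anonymous" identity.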
> -----Original Message-----
> From: owner-radiator at open.com.au
> [mailto:owner-radiator at open.com.au] On Behalf Of Luis Guido
> Sent: Wednesday, June 23, 2004 10:47
> To: 'Jeff Wolfe'; radiator at open.com.au
> Subject: RE: (RADIATOR) rewrite User-Name in access-accept??
>
>
> Hi Jeff,
>
> That's how we handle the same issue here (Cisco 1200 & 1100):
>
> <Handler Realm=myrealm.pt>
>     RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy FILE>
>         EAPType PEAP, TTLS
>         EAPTLS_CAFile /etc/radius/cert/demoCA/cacert.pem
>         EAPTLS_CertificateFile /etc/radius/cert/cert-srv.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radius/cert/cert-srv.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>     </AuthBy>
>     AccountingHandled
> </Handler>
>
> <Handler TunnelledByTTLS=1>
>     RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy FILE>
>         Filename /etc/radius/users
>     </AuthBy>
>     AddToReply User-Name=%u
> </Handler>
>
> This config works great for us, and replies to the Access-Accept (not
> only the User-Name but also dynamic VLAN assignment)
>
> *** Sending to 10.0.11.5 port 21660 ....
> Code: Access-Accept
> Identifier: 21
> Authentic:
> <232><19><215>d<160><25>v<167>N<244><131><163><252><230><222><209>
> Attributes:
> Tunnel-Type = 1:VLAN
> Tunnel-Medium-Type = 1:Ether_802
> Tunnel-Private-Group-ID = 1:1111
> User-Name = "inner-username at myrealm.pt"
> MS-MPPE-Send-Key =
> "<201>I=<181>(<6>|<237><239><145><164>Z<242><200>F<19>Q<190><1
> 85>@<233>@
> <232><164>7Dm<252><152>T<28>~!<138><197><27>5<159><201><197><2
> 13>O<183><
> 199><232>Z<199>?<244><197>"
> MS-MPPE-Recv-Key =
> "<219><170>1<133><18>+_*G<237><221><245><240><234><206><210><2
> 34>xTR_/<2
> 04><182><<152><224><158>B<249><28>2<143><240><212><209>}<238><
> 171>gH<240
> ><10><231><14><190><161><252><129><186>"
> EAP-Message = <3><5><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Regards,
> Luis Guido
>
> > -----Original Message-----
> > From: owner-radiator at open.com.au
> > [mailto:owner-radiator at open.com.au] On Behalf Of Jeff Wolfe
> > Sent: Wednesday, June 23, 2004 00:26
> > To: radiator at open.com.au
> > Subject: (RADIATOR) rewrite User-Name in access-accept??
> >
> >
> >
> > Is it possible to rewrite the username in the access-accept packet that
> > radiator sends back as part of an EAP-TTLS packet?
> >
> > I'm specifically interested in replacing the outer username in EAP-TTLS with
> > the inner username.
> > I'm arguing with Cisco over accounting with EAP-TTLS; they claim the AP1200
> > listens to the user-name in the access-accept packet for the user-name used in
> > the accounting start and stop packets that follow.
> >
> > I'm not so sure, but based on observation of the transaction with a sniffer,
> > radiator does not send a user-name attribute in the access-accept packet at all.
> >
> > To make matters worse, when I use "AddToReply" to add a user-name attribute, I
> > get 2 in the packet; the "user-name=anonymous" I don't want and the
> > "user-name=luser" that I added.
> >
> > My brain is fried at the moment, so I'm going to wait until tomorrow to go look
> > at the code again. :)
> >
> > thanks
> >
> > -JEff
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >