(RADIATOR) Accounting with Anonymous EAP / RFC 2865

Rok Papez rok.papez at arnes.si
Thu Nov 18 04:00:02 CST 2004


Hello!

We are using EAP-TTLS with anonymous at realm.tld for 
the outer identity. However, we want accounting to be
sent for the inner identity.

Radiator ships a script for de-anonymising the accounting
requests with the use of a MySQL database, which is for our
use a bit impractical.

We use NAS-es that implement the RFC 2865 recommendation to send
accounting with the User-Name as set in Access-Accept.
Radiator sends the inner identity in the outer reply with
this script:

=================================================================
radiusd.conf:
<Handler Realm=realm.tld>
        RewriteUsername s/^([^@]+).*/$1/
 [...]
        PostProcessingHook file:"/etc/eap_acct_username.pl"
</Handler>


=================================================================
eap_acct_username.pl:
#
# This hook fixes the problem with some implementations of TTLS, where the
# accounting requests have the User-Name of anonymous, instead of the real
# user's name.

sub
{
        my ($req, $rep, $handled, $reason) = @_;
        if (${$rep}->code() eq 'Access-Accept' )
        {
                my $req_username = ${$req}->{EAPIdentity};
                $req_username = ${$req}->getUserName() unless defined $req_username;
                if($req_username =~ m/^anonymous@(.*)$|^anonymous$/i) {
                        # This is the outer reply.
                        # If we did have a realm, append it now.
                        if(!defined($1)) {
                                return;
                        }
                        ${$rep}->changeUserName(${$rep}->getUserName() . "\@" . $1);
                } else {
                        # Inner reply, copy the username to outer request (without realm).
                        ${$rep}->changeUserName($req_username) if defined $req_username;
                }
        }
}
=================================================================

This script comes without any warranty and is put into the "public domain".
You can use it any way you want to, in the hope it will be useful to
somebody else.

-- 
best regards,
Rok Papež.
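
The two passes the hook handles (inner reply first, then outer reply), as an added example that is not part of the original post. `MockPacket` and `simulate` are hypothetical stand-ins for illustration, not Radiator classes; only `code()`, `getUserName()`, `changeUserName()` and the `EAPIdentity` field are taken from the posted hook, and the hand-over of the inner reply's User-Name to the outer reply is an assumption implied by the hook's outer branch.

```perl
# Added example: offline harness for the username logic of the posted hook.
# MockPacket is a hypothetical stand-in, NOT Radiator's packet class; it only
# provides the three methods and the EAPIdentity field that the hook uses.
use strict;
use warnings;

package MockPacket;
sub new            { my ($class, %args) = @_; return bless {%args}, $class; }
sub code           { return $_[0]->{Code}; }
sub getUserName    { return $_[0]->{UserName}; }
sub changeUserName { $_[0]->{UserName} = $_[1]; return; }

package main;

# Same decision logic as the posted hook, as a named sub so it can be called.
sub acct_username_hook {
    my ($req, $rep) = @_;
    return unless ${$rep}->code() eq 'Access-Accept';
    my $name = ${$req}->{EAPIdentity};
    $name = ${$req}->getUserName() unless defined $name;
    return unless defined $name;
    if ($name =~ m/^anonymous\@(.*)$|^anonymous$/i) {
        return unless defined $1;    # outer identity carried no realm
        ${$rep}->changeUserName(${$rep}->getUserName() . '@' . $1);
    } else {
        ${$rep}->changeUserName($name);    # inner pass: real user, no realm
    }
    return;
}

# Constructed sample exchange. Pass 1 is the tunnelled (inner) request after
# RewriteUsername stripped the realm; pass 2 is the outer request. Assumption:
# the reply User-Name set in pass 1 is carried into the outer reply.
sub simulate {
    my ($outer_id, $inner_user) = @_;
    my $inner_req = MockPacket->new(UserName => $inner_user);
    my $inner_rep = MockPacket->new(Code => 'Access-Accept');
    acct_username_hook(\$inner_req, \$inner_rep);

    my $outer_req = MockPacket->new(EAPIdentity => $outer_id, UserName => 'anonymous');
    my $outer_rep = MockPacket->new(Code     => 'Access-Accept',
                                    UserName => $inner_rep->getUserName());
    acct_username_hook(\$outer_req, \$outer_rep);
    return $outer_rep->getUserName();
}

for my $case (['anonymous@realm.tld', 'alice'], ['anonymous', 'alice'],
              ['ANONYMOUS@realm.tld', 'bob']) {
    printf "%-22s -> Access-Accept User-Name: %s\n", $case->[0], simulate(@$case);
}
```

The value printed for each case is what an RFC 2865-following NAS echoes back in its Accounting-Request, so the inner identity travels unencrypted in the Access-Accept and in accounting between the NAS and the server.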
