[RADIATOR] PostProcessingHook Placement for eap_acct_username.pl
Hugh Irvine
hugh at open.com.au
Thu Oct 1 18:02:56 CDT 2009
Hello Michael -
Usually the easiest way to do this is to return the real username in
the access accept in a User-Name attribute.
Most access points will then use the supplied username in the
subsequent accounting requests.
Something like this:
<Handler TunnelledByTTLS = 1>
<AuthBy ....>
AddToReply User-Name = %{User-Name}
</AuthBy>
</Handler>
<Handler TunnelledByPEAP = 1>
<AuthBy ....>
AddToReply User-Name = %{User-Name}
</AuthBy>
</Handler>
<Handler>
<AuthBy FILE>
EAPType ....
......
EAPAnonymous %0
</AuthBy>
</Handler>
Otherwise, if you want to use the hook(s), you also need to call it
for the accounting requests, something like this:
<Handler Request-Type=Accounting-Request>
PreProcessingHook file:"/etc/radiator/eap_anon_hook.pl"
<AuthBy SQL>
DBSource dbi:mysql:radius:127.0.0.1
#DBSource dbi:mysql:public:127.0.0.1
DBUsername ######
DBAuth ########
HandleAcctStatusTypes Start,Stop
# This statement inserts the accounting information into the SQL database.
AcctSQLStatement insert into public values('%{Acct-Session-Id}','%{Timestamp}','%{Framed-IP-Address}','%{User-Name}','%{Acct-Status-Type}','%{Extreme-SSID}','%{Connect-Info}','%{Acct-Delay-Time}');
</AuthBy>
</Handler>
<Handler>
PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"
<AuthBy LDAP2>
#Directory server info
Host ###########
Port 389
BaseDN o=##########
UsernameAttr uid
ServerChecksPassword
#Allowed EAP Types
EAPType TTLS
#Certificate stuff
EAPTLS_MaxFragmentSize 1000
EAPTLS_CAFile /etc/radiator/certs/demoCA/cacert.pem
EAPTLS_CertificateType PEM
EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 2048
AutoMPPEKeys
# EAPTLS_PEAPBrokenV1Label
# EAPTLS_PEAPVersion 0\
SSLeayTrace 4
HoldServerConnection
Timeout 2
FailureBackoffTime 30
Version 3
</AuthBy>
</Handler>
See "goodies/eap_ttls.cfg" and "goodies/eap_peap.cfg" for an example.
hope that helps
regards
Hugh
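As an added illustration of the two-hook route Hugh mentions (this is not Radiator's own goodies/eap_acct_username.pl), the Perl below keeps one shared table: a PostProcessingHook on the outer EAP handler remembers the real User-Name that the inner handler's AddToReply placed in the Access-Accept, and a PreProcessingHook on the accounting handler rewrites User-Name before AuthBy SQL expands %{User-Name}. The file name, the package name Radius::AnonMap, the StartupHook wiring and the choice of NAS-IP-Address plus Calling-Station-Id as the session key are assumptions; it relies on Radiator's hook argument convention (references to request and reply) and the Radius::Radius methods get_attr, change_attr and code.

```perl
# anon_map.pl (assumed name) -- added example, not Radiator's goodies/eap_acct_username.pl.
# Assumed wiring in radius.cfg:
#   StartupHook sub { require "/etc/radiator/anon_map.pl"; }
#   outer EAP <Handler>:   PostProcessingHook sub { Radius::AnonMap::remember(@_); }
#   accounting <Handler>:  PreProcessingHook  sub { Radius::AnonMap::rewrite(@_); }
package Radius::AnonMap;
use strict;
use warnings;

# "NAS-IP-Address|Calling-Station-Id" -> [real User-Name, time stored]
our %by_station;
our $ttl = 12 * 3600;   # forget sessions the NAS never closed, so the table is bounded

sub _key {
    my ($p) = @_;
    my $nas = $p->get_attr('NAS-IP-Address')     || '';
    my $mac = $p->get_attr('Calling-Station-Id') || '';
    return undef if $mac eq '';
    return lc("$nas|$mac");
}

# PostProcessingHook on the outer EAP handler. Radiator passes references
# to the request and the reply; the request still says "anonymous", but the
# inner handler's "AddToReply User-Name = %{User-Name}" has put the real
# identity into the Access-Accept.
sub remember {
    my $p  = ${$_[0]};
    my $rp = ${$_[1]};
    return unless $rp->code eq 'Access-Accept';
    my $real = $rp->get_attr('User-Name');
    my $key  = _key($p);
    return unless defined $real && defined $key;
    &main::log($main::LOG_DEBUG, "AnonMap: remembering $key -> $real");
    $by_station{$key} = [$real, time];
}

# PreProcessingHook on the Accounting-Request handler: runs before AuthBy SQL
# builds its AcctSQLStatement, so %{User-Name} expands to the real user.
sub rewrite {
    my $p   = ${$_[0]};
    my $key = _key($p);
    return unless defined $key && exists $by_station{$key};
    my ($real, $when) = @{ $by_station{$key} };
    if (time - $when > $ttl) { delete $by_station{$key}; return; }
    $p->change_attr('User-Name', $real);
    # A Stop closes the session; drop the mapping so a later, different
    # user on the same station is never mis-attributed.
    delete $by_station{$key} if ($p->get_attr('Acct-Status-Type') || '') eq 'Stop';
}

1;
```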
On 2 Oct 2009, at 05:50, michael wrote:
> Hi,
>
> I've been lurking for a while but have finally hit a wall. I need to
> prevent users from being logged as 'anonymous'. I understand that this
> is the outer ID and that I need to copy the inner ID to the outer ID
> after processing to fix this. I am aware of the eap_acct_username.pl
> script in the goodies folder. I tried adding the PostProcessingHook to
> my Handler, but I am still seeing anonymous entries in the logs. I
> figured I had misplaced the statement in the configuration, but upon
> moving it to either before or after the Authby clause within the
> handler, I am still having trouble. I'm going to attach my configuration
> without passwords. I get no errors in the level 5 trace debug output
> upon starting Radiator. Is there something I overlooked? I can provide
> more information if needed.
>
> Debug:
> Thu Oct 1 12:30:00 2009: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Thu Oct 1 12:30:00 2009: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Thu Oct 1 12:30:00 2009: DEBUG: Creating authentication port 0.0.0.0:1645
> Thu Oct 1 12:30:00 2009: DEBUG: Creating accounting port 0.0.0.0:1646
> Thu Oct 1 12:30:00 2009: NOTICE: Server started: Radiator 4.4 on hostname
> Thu Oct 1 12:30:04 2009: DEBUG: Packet dump:
>
> Details:
> -Radiator 4.4 on Solaris 10 x86
> -Authentication done via EAP-TTLS PAP
> -LDAP backend
>
> Config:
>
> ########## ##########
> ##### Radiator Configuration #####
> ######### ##########
>
> ## Updated 8/16/09 jg
>
> <Handler Request-Type=Accounting-Request>
>
> <AuthBy SQL>
> DBSource dbi:mysql:radius:127.0.0.1
> #DBSource dbi:mysql:public:127.0.0.1
> DBUsername ######
> DBAuth ########
> HandleAcctStatusTypes Start,Stop
> # This statement inserts the accounting information into the SQL database.
>
> AcctSQLStatement insert into public values('%{Acct-Session-Id}','%{Timestamp}','%{Framed-IP-Address}','%{User-Name}','%{Acct-Status-Type}','%{Extreme-SSID}','%{Connect-Info}','%{Acct-Delay-Time}');
>
> </AuthBy>
>
> </Handler>
>
> #These are the subnets from which calls to the RADIUS server are allowed.
>
> <Client localhost>
> Secret #######
> DupInterval 0
> </Client>
>
> <Client 0.0.0.0/24>
> Secret #######
> DupInterval 0
> </Client>
>
> <Client 0.0.0.0/23>
> Secret #######
> DupInterval 0
> </Client>
>
>
>
> <Handler>
>
> PostProcessingHook file:"/etc/radiator/eap_acct_username.pl"
>
> <AuthBy LDAP2>
> #Directory server info
> Host ###########
> Port 389
> BaseDN o=##########
>
> UsernameAttr uid
> ServerChecksPassword
>
> #Allowed EAP Types
>
> EAPType TTLS
>
> #Certificate stuff
>
> EAPTLS_MaxFragmentSize 1000
> EAPTLS_CAFile /etc/radiator/certs/demoCA/cacert.pem
> EAPTLS_CertificateType PEM
> EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
> EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 2048
>
> AutoMPPEKeys
> # EAPTLS_PEAPBrokenV1Label
> # EAPTLS_PEAPVersion 0\
>
>
> SSLeayTrace 4
>
>
>
> HoldServerConnection
> Timeout 2
> FailureBackoffTime 30
> Version 3
> </AuthBy>
>
> <Log FILE>
> Filename logfile
> </Log>
>
>
> #############################################
> #############################################
>
>
>
>
>
> Thanks,
> Michael R.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page