[RADIATOR] Inner and outer authentication

Heikki Vatiainen hvn at open.com.au
Thu Feb 23 09:10:39 CST 2012


On 02/23/2012 11:59 AM, Nuno Marques wrote:

Hello Nuno,

> While storing the accounting information of a TTLS authentication I noticed
> that the login name being stored is the outer one and the inner
> authentication (the real one) is missing in the accounting.
> Is there a way to get my accounting filled up with the inner login and not
> with the outer login?

Try adding 'AddToReply User-Name=%y' in PessoalAlunos AuthBy (the
inner AuthBy). The username should then be returned with Access-Accept
to the NAS. The NAS should then use it as User-Name for the accounting
requests. See this for more:

http://tools.ietf.org/html/rfc2865#section-5.1

Note that this exposes the real username which TTLS hides. If this is
not acceptable, see goodies/eap_anon_hook.pl for another alternative.

Heikki


> Best regards,
> Nuno Marques
> 
> Here's some of the code that I'm using:
> 
> <AuthBy LDAP2>
>         Identifier      PessoalAlunos
>         Host            ubi.pt
>         Port            3268
>         EAPType         PEAP, TTLS, TLS
>         EAPTLS_CAFile /etc/radiator/certificate.pem
>         EAPTLS_CertificateFile /etc/radiator/certificate.pem
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile /etc/radiator/key.pem
>         EAPTLS_PrivateKeyPassword whatever
>         EAPTLS_MaxFragmentSize 1000
>         AutoMPPEKeys
>         SSLeayTrace 4
>         AuthDN          cn=ldap,cn=Users,dc=ubi,dc=pt
>         AuthPassword    rt78mn!"
>         BaseDN          dc=ubi,dc=pt
>         Scope           sub
>         UsernameAttr    cn
>         ServerChecksPassword
> </AuthBy>
> 
> <Handler Realm=/pessoal.ubi.pt/i, TunnelledByTTLS=1>
>         AuthByPolicy ContinueAlways
>         AuthBy SQLAccounting
>         RewriteUsername s/^([^@]+).*/$1/
>         AuthLog localusers
>         AcctLogFileName %L/%Y-%m-local-detail
>         AuthBy PessoalAlunos
> </Handler>
> 
> <Handler Realm=/pessoal.ubi.pt/i>
>         AuthByPolicy ContinueAlways
>         AuthBy SQLAccounting
>         AuthLog localusers
>         AcctLogFileName %L/%Y-%m-local-detail
>         AuthBy PessoalAlunos
> </Handler>
> 
> 
> ________________________________
> 
> UBI, friend of the environment: Before printing this e-mail, think carefully about whether you really need to. Trees are an indispensable resource.
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
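The change suggested above, written out against the quoted configuration. This is an added illustration, not code from the original thread and not Radiator's shipped configuration; the host, DN and realm values are carried over from Nuno's post as assumptions, and only the lines relevant to the inner/outer identity are shown.

```conf
# Inner AuthBy: authenticates the tunnelled (real) identity against LDAP.
# AddToReply copies that identity into the Access-Accept, so the NAS
# reports it as User-Name in its Accounting-Requests (RFC 2865 s.5.1).
# Caveat: the real username then leaves the TTLS tunnel in cleartext in
# the RADIUS reply, which is exactly what TTLS was hiding. If that is not
# acceptable, use the goodies/eap_anon_hook.pl approach instead.
<AuthBy LDAP2>
        Identifier      PessoalAlunos
        Host            ubi.pt
        Port            3268
        EAPType         PEAP, TTLS, TLS
        AuthDN          cn=ldap,cn=Users,dc=ubi,dc=pt
        BaseDN          dc=ubi,dc=pt
        Scope           sub
        UsernameAttr    cn
        ServerChecksPassword
        AddToReply      User-Name=%y
</AuthBy>

# Inner Handler: only the request unpacked from the TTLS tunnel matches
# TunnelledByTTLS=1. RewriteUsername strips the realm before the LDAP lookup,
# and %y in AddToReply above is the username after this rewrite.
<Handler Realm=/pessoal.ubi.pt/i, TunnelledByTTLS=1>
        RewriteUsername s/^([^@]+).*/$1/
        AuthBy PessoalAlunos
</Handler>

# Outer Handler: sees the outer (anonymous) identity and the EAP tunnel.
<Handler Realm=/pessoal.ubi.pt/i>
        AuthBy PessoalAlunos
</Handler>
```

A quick way to confirm the effect is to watch the Accounting-Request lines in the accounting detail file (AcctLogFileName in the quoted config): before the change the User-Name there is the outer identity, afterwards it should be the inner one returned in the Access-Accept, provided the NAS honours User-Name from the reply as the RFC describes.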

