[RADIATOR] fticks anonymization in Radiator

Johan Carlquist johan.carlquist at su.se
Mon Jun 10 03:29:00 CDT 2013


On 24 May 2013, at 16:02, Heikki Vatiainen <hvn at open.com.au> wrote:

> On 05/08/2013 03:43 PM, Johan Carlquist wrote:
>> I liked the idea of a hook instead of patching a whole module, or creating a new one.
>> 
>> This is what we have come up with:
>> https://github.com/stockholmuniversity/radiator-fticks-anonymizer
>> 
>> Any ideas or comments on our hook?
> 
> I gave it a try and it worked for me. You may want to consider these
> additions and changes:
> 
> Near the top you could add this:
> 
>    my $result = $_[2];
> 
>    return unless $p->code() eq 'Access-Request';
>    return unless ($$result == $main::ACCEPT || $$result == $main::REJECT);
> 
> This skips hashing e.g., accounting requests and hashes only responses
> that will be logged by an AuthLog. With EAP there will be lots of
> challenges that do not need to be touched.

Thanks! Good idea. 
I added that in my last commit.

> One method to handle different MAC address formats (dashed, dotted,
> etc.) might be to remove all non-hex characters, uppercase or lowercase
> what was left and only complain if you have something else than 12 hex
> characters left.
> 
> This will drop any potential prefix or suffix and make sure the CSI will
> look the same before it gets hashed no matter which vendor's
> equipment was used for the WLAN service.

Our goal was to clone the behavior that Radsecproxy has. 
http://software.uninett.no/radsecproxy 

From what I can understand, Radsecproxy prints the first half as it was received
and hashes the rest (stripped of delimiters).
That's why we need to determine the delimiters and have multiple handlers
to print them correctly.

____________________________________

Johan Carlquist

IT Services
Stockholm University
SE-106 91 Stockholm, Sweden

www.su.se/it
____________________________________
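
The two Calling-Station-Id treatments discussed in this message, side by side, as an added example that is not part of the thread or of the radiator-fticks-anonymizer repository. The function names, the keyed SHA-256 (HMAC) hash, the placeholder key, the `:` joining character and the sample addresses are all assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $KEY = 'site-secret-placeholder';   # assumption: constructed key, not from the thread

# Strip every non-hex character and lowercase; undef unless 12 hex digits remain.
sub normalize_mac {
    my ($csi) = @_;
    (my $hex = lc $csi) =~ s/[^0-9a-f]//g;
    return length($hex) == 12 ? $hex : undef;
}

# Treatment from the quoted reply: hash the whole normalized address.
sub hash_full {
    my $hex = normalize_mac($_[0]);
    return defined $hex ? hmac_sha256_hex($hex, $KEY) : undef;
}

# Treatment described for Radsecproxy: first half kept exactly as received,
# second half hashed after its delimiters are stripped.
sub hash_keep_vendor {
    my ($csi) = @_;
    return undef unless defined normalize_mac($csi);
    my ($seen, $split) = (0, 0);
    while ($csi =~ /[0-9A-Fa-f]/g) {
        $split = pos($csi) if ++$seen == 6;   # offset just past the 6th hex digit
    }
    my $vendor = substr($csi, 0, $split);     # e.g. "00-11-22" or "0011.22"
    (my $rest = lc substr($csi, $split)) =~ s/[^0-9a-f]//g;
    return $vendor . ':' . hmac_sha256_hex($rest, $KEY);   # ':' is an assumption
}

# Constructed sample values: one address in four vendor formats, plus a short one.
my @samples = ('00-11-22-AA-BB-CC', '0011.22aa.bbcc', '00:11:22:aa:bb:cc',
               '001122AABBCC', '00-11-22-AA-BB');

for my $csi (@samples) {
    my $full = hash_full($csi);
    my $half = hash_keep_vendor($csi);
    printf "%-18s full: %s\n", $csi, $full // 'REJECTED (not 12 hex digits)';
    printf "%-18s half: %s\n", '',   $half // 'REJECTED (not 12 hex digits)';
}
```

The four well-formed samples produce one identical `full` value, while the `half` values share the same hash but keep four different visible prefixes, which is why the second treatment has to locate the delimiters instead of discarding them up front.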


