[RADIATOR] fticks anonymization in Radiator
Heikki Vatiainen
hvn at open.com.au
Fri May 3 03:00:56 CDT 2013
On 05/02/2013 12:15 PM, Johan Carlquist wrote:
> We intend to have 2 options;
> * hash the whole mac address
> * save the vendor part of the address and hash the rest.
>
> When we have written the code we would love to commit it upstream to Radiator for others to use.
>
> But we are not sure how to implement this.
> Should we put our new feature in the syslog module or is it possible to create a new module that inherits and depends on the already existing syslog module?
> What is best practice and what do you recommend?
This is something I'd do for a proxy: Use ReplyHook to catch replies and
then do something like this:
    sub {
        my $p = ${$_[0]};  # proxy reply packet
        my $rp = ${$_[1]}; # reply packet to NAS
        my $op = ${$_[2]}; # original request packet
        my $sp = ${$_[3]}; # packet sent to proxy
        my $csi = $op->get_attr('Calling-Station-Id');
        $op->add_attr('X-FTicks', $csi . 'foobar');
    }
That is, take the Calling-Station-Id from the original request, hash it
(denoted by adding foobar to $csi in the example) and then add a
specific local attribute in the original request.
The AuthLog logging could be something like:
    LogSuccess
    LogFailure
    SuccessFormat F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=%{eduroam-SP-Country}#VISINST=%{Operator-Name}#CSI=%{X-FTicks}#RESULT=OK#
    FailureFormat F-TICKS/eduroam/1.0#REALM=%R#VISCOUNTRY=%{eduroam-SP-Country}#VISINST=%{Operator-Name}#CSI=%{X-FTicks}#RESULT=FAIL#
If you authenticate locally, you could use PostAuthHook to add X-FTicks.
To save some CPU cycles, you could leave the hook immediately if the
$op->code() is not accept or result or in case of PostAuthHook the
result is not accept or reject.
The above is roughly what one federation level server does in your
neighbour country. The CSI hashing is done as a part of other
processing, not like I have suggested above, but the logging uses the
freshly generated local only attribute just like above.
To summarise: I do not think FTicks needs to extend any AuthLog module
but instead you can just generate a special internal attribute that is
the hashed CSI and then log this attribute.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
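The following is an added example, not code from Heikki's reply or from Radiator itself. It fills in the "foobar" placeholder above with a concrete hashing step and covers both options Johan listed: hashing the whole MAC address, or keeping the vendor (OUI) part in clear and hashing only the device part. The helper names (normalize_mac, anonymize_csi, add_fticks_attr), the $FTICKS_SALT secret and the use of a keyed hash (HMAC-SHA-256 from the core Digest::SHA module) are this example's own choices; the $op object with get_attr/add_attr is assumed to be the original request packet exactly as unpacked in the hook above.

```perl
#!/usr/bin/perl
# Added example (not from the post above or from Radiator): produce the
# X-FTicks value by hashing a Calling-Station-Id, either the whole MAC
# address or only the part after the vendor (OUI) prefix.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a site-local secret used as the HMAC key. An unkeyed hash of a
# MAC address is cheap to reverse by brute force (2^48 candidates, or only
# 2^24 once the OUI is kept in clear), so a secret key is what makes the
# logged value non-reversible for anyone who does not hold it. In a real
# deployment load it from a protected file rather than the hook source.
my $FTICKS_SALT = 'replace-with-a-long-random-site-secret';

# Normalise the MAC spellings NASes send (00-11-22-33-44-55, 0011.2233.4455,
# 00:11:22:33:44:55, upper or lower case) to 12 lowercase hex digits.
# Returns undef when the value is not a MAC address at all.
sub normalize_mac {
    my ($csi) = @_;
    return undef unless defined $csi;
    (my $hex = lc $csi) =~ s/[^0-9a-f]//g;
    return $hex =~ /^[0-9a-f]{12}$/ ? $hex : undef;
}

# anonymize_csi($csi, $keep_oui)
#   $keep_oui false: hash the whole address
#   $keep_oui true : keep the vendor part (first 6 hex digits) in clear and
#                    hash the remaining 6 digits
# Anything that does not parse as a MAC is hashed whole, so an unexpected
# Calling-Station-Id format never reaches the F-Ticks log unhashed.
sub anonymize_csi {
    my ($csi, $keep_oui) = @_;
    my $mac = normalize_mac($csi);
    if (!defined $mac) {
        return hmac_sha256_hex(defined $csi ? $csi : '', $FTICKS_SALT);
    }
    return hmac_sha256_hex($mac, $FTICKS_SALT) unless $keep_oui;
    my ($oui, $device) = (substr($mac, 0, 6), substr($mac, 6));
    return $oui . '-' . hmac_sha256_hex($device, $FTICKS_SALT);
}

# Body a ReplyHook or PostAuthHook could call once it has unpacked $op
# (assumption: $op is the original request with get_attr/add_attr as in the
# hook shown in the post). Leaves the packet untouched if there is no CSI.
sub add_fticks_attr {
    my ($op, $keep_oui) = @_;
    my $csi = $op->get_attr('Calling-Station-Id');
    return unless defined $csi;
    $op->add_attr('X-FTicks', anonymize_csi($csi, $keep_oui));
}

# Stand-alone demonstration on a constructed address.
unless (caller) {
    my $sample = '00-11-22-AA-BB-CC';
    print "whole MAC hashed     : ", anonymize_csi($sample, 0), "\n";
    print "OUI kept, rest hashed: ", anonymize_csi($sample, 1), "\n";
}
```

Run as a script it prints the two variants for the constructed address; inside a Radiator hook only add_fticks_attr($op, $keep_oui) is needed, and the resulting X-FTicks attribute is then logged through the %{X-FTicks} format string exactly as in the AuthLog configuration above. Normalising the address before hashing matters because the same device would otherwise get different hashes depending on which NAS (and which separator style) it roamed through.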