[RADIATOR] fticks anonymization in Radiator

Heikki Vatiainen hvn at open.com.au
Fri May 24 09:02:31 CDT 2013


On 05/08/2013 03:43 PM, Johan Carlquist wrote:
> I liked the idea with a hook instead of patching a whole module, or creating a new one.
> 
> This is what we have come up with:
> https://github.com/stockholmuniversity/radiator-fticks-anonymizer
> 
> Any ideas or comments on our hook?

I gave it a try and it worked for me. You may want to consider these
additions and changes:

Near the top you could add this:

    my $result = $_[2];

    return unless $p->code() eq 'Access-Request';
    return unless ($$result == $main::ACCEPT || $$result == $main::REJECT);

This skips hashing e.g., accounting requests and hashes only responses
that will be logged by an AuthLog. With EAP there will be lots of
challenges that do not need to be touched.

One method to handle different MAC address formats (dashed, dotted,
etc.) might be to remove all non-hex characters, uppercase or lowercase
what was left and only complain if you have something else than 12 hex
characters left.

This will drop any potential prefix or suffix and make sure the CSI will
look the same before it gets hashed no matter which vendor's
equipment was used for the WLAN service.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
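
The MAC normalization suggested in the message above, as an added example that is not part of the original post or of the radiator-fticks-anonymizer hook. The helper names, the key and the sample values are constructed, and HMAC-SHA256 is an assumed choice of keyed hash, since the thread does not say which hash the hook uses.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical helper: strip every non-hex character, lowercase the rest,
# and accept the result only if exactly 12 hex digits remain.
sub normalize_csi {
    my ($csi) = @_;
    return undef unless defined $csi;
    (my $hex = lc $csi) =~ s/[^0-9a-f]//g;
    return length($hex) == 12 ? $hex : undef;
}

# Hypothetical helper: keyed hash of the normalized MAC. The warning
# deliberately leaves out the raw value so that a rejected address does
# not end up in the log in clear text.
sub anonymize_csi {
    my ($csi, $key) = @_;
    my $mac = normalize_csi($csi);
    unless (defined $mac) {
        warn "Calling-Station-Id did not reduce to 12 hex digits\n";
        return undef;
    }
    return hmac_sha256_hex($mac, $key);
}

# Constructed sample values: one MAC in four vendor formats, plus one
# value with a suffix that itself contains hex letters.
my $key     = 'constructed-example-key';
my @samples = (
    '00-11-22-AA-BB-CC',
    '0011.22aa.bbcc',
    '00:11:22:aa:bb:cc',
    '001122AABBCC',
    '00-11-22-AA-BB-CC:eduroam',
);

for my $csi (@samples) {
    my $hash = anonymize_csi($csi, $key);
    printf "%-28s -> %s\n", $csi, defined $hash ? $hash : 'rejected';
}
```

The first four samples print the same hash. The last one is rejected because the letters e, d and a in the suffix survive the stripping and leave 15 hex digits, so a suffix of that kind has to be cut off before the non-hex characters are removed.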

