[RADIATOR] EAP-TTLS, Double Requests, & Accounting
Michael Tipton
mtipton at neonova.net
Fri Apr 28 19:36:45 UTC 2017
I am working with some Cambium wireless equipment. So far I have been able
to get Radiator to send back Access-Accepts, and the device is able to get
online and browse.

However, I am seeing some weird behavior: I am seeing another request for
the anonymous user that is accepted after the actual user is sent the first
accept. Any ideas why this may be happening?

The other issue I am having is that the accounting data (start/stop/alive)
are logging as the anonymous username. I have tried using the EAPAnonymous %0
option, I've tried adding in just an accounting handler, and I've tried the
eap_anon_hook.pl as well as the eap_acct_username.pl scripts, to no avail.

My Access-Accepts are sending the correct username; however, it appears the
device is not using that as some do when it is passed the right username in
the Access-Accept for the rest of accounting.

I have attached my handlers, as well as a level 6 trace debug. Any help
would be greatly appreciated!
Thanks,
--
Michael Tipton
Network Engineer at NeoNova
919-460-3330 (opt 1) • mtipton at neonova.net
www.neonova.net <https://neonova.net>
-------------- next part --------------
<Handler TunnelledByTTLS = 1>
    PostProcessingHook file:"%D/handlers/eap_acct_username.pl"
    <AuthBy FILE>
        Filename %D/users/dsl/users
    </AuthBy>
</Handler>

<Handler Request-Type = Accounting-Request>
    PreProcessingHook file:"%D/handlers/eap_anon_hook.pl"
    AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>

<Handler>
    SessionDatabase customer
    PasswordLogFileName /var/tmp/password.log

    ## Hooks
    PostAuthHook file:"%D/handlers/postAuth-hook.pl"
    PreProcessingHook file:"%D/handlers/preProcessing-hook.pl"

    ## Forward Account Data to Central server else log to local DB
    <AuthBy RADIUS>
        AddToRequest Signature=customer,Token=%R
        IgnoreAuthentication
        #NoForwardAuthentication
        Host xx.xx.xx.xx
        AcctPort 5051
        Secret mysecret
        # If no reply is received, send it to the AuthBy SQL below
        NoReplyHook sub {Radius::AuthGeneric::find('AcctDB_customer')->handle_request(${$_[0]});}
    </AuthBy>

    <AuthBy FILE>
        EAPType TTLS
        EAPTLS_CAFile %D/certificates/cacert_aaasvr.pem
        EAPTLS_CertificateFile %D/certificates/aaasvr_cert.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/aaasvr_key.pem
        EAPTLS_PrivateKeyPassword xxxxxxxxx
        EAPTLS_MaxFragmentSize 1000
        AutoMPPEKeys
        EAPAnonymous %0
    </AuthBy>

    AcctLogFileFormat %Y%m%d %H:%M:%S;%n;%{NAS-IP-Address};%{Acct-Session-Id};%{Acct-Status-Type};\
%{Timestamp};%{NAS-Port};%{Acct-Delay-Time};%{Acct-Session-Time};\
%{NNS-User-Type};%{Acct-Input-Octets};%{Acct-Output-Octets};%{Framed-IP-Address};\
%{NAS-Port-Type};%{Acct-Terminate-Cause}
    AcctLogFileName /var/log/radacct/%Y%m%d_au%{GlobalVar:auPort}-ac%{GlobalVar:acPort}.accounting
</Handler>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20170428_au1812-ac1813.logfile
Type: application/octet-stream
Size: 39153 bytes
Desc: not available
URL: <http://lists.open.com.au/pipermail/radiator/attachments/20170428/6a90ba6f/attachment-0001.obj>