FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username


FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username

robinson
Hi guys,

we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs
seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it
hard to identify our eduroam users (user tracking).

Has something changed in FreeRadius 3.x regarding this behavior? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our
case Cisco WLAN Controller) via the parameter use_tunneled_reply = yes in the eap file under /mods-enabled, which the NAS can then in turn provide to the Accounting server. Is that correct?
We have set this setting to yes in our config:

ttls {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
}

peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "eduroam-inner-tunnel"
}

Thanks for your help.

Cheers,
Thorsten

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username

Alejandro Perez-Mendez
Hi Thorsten,

We found a similar issue where User-Name was being duplicated, having
both inner and outer values.
That made some NASes take the outer one, since it appeared first.

We pushed a fix upstream
https://github.com/FreeRADIUS/freeradius-server/pull/2297/commits/ad3791dc84200de9d2a37a9d31b87eaaca70a75e#diff-fabb0758705436cfa7405398e3f62e30

If your issue is the same, you just need to backport that change to your
"default" site and check whether it fixes it.

Best regards,
Alejandro

On 19/11/18 at 16:05, Thorsten Fritsch wrote:


--
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.  


RE: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username

robinson
Hi Alejandro,

thanks very much. Unfortunately in our case only the Outer Identity is included in the Access Accept
from FR to the NAS and the NAS in turn requests accounting for the outer ID instead of the inner ID it’s supposed to:

Access Accept from FR to NAS:
(22) Tue Nov 20 16:51:07 2018: Debug: Sent Access-Accept Id 16 from 131.152.21.102:1812 to 10.33.6.2:47901 length 0
(22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Type = VLAN
(22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Medium-Type = IEEE-802
(22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Private-Group-Id = "822"
(22) Tue Nov 20 16:51:07 2018: Debug:   User-Name := "[hidden email]<mailto:[hidden email]>"
(22) Tue Nov 20 16:51:07 2018: Debug:   Chargeable-User-Identity := 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
(22) Tue Nov 20 16:51:07 2018: Debug:   MS-MPPE-Recv-Key = 0x36785f7c835847b8f8b19bd771144a9b1484e34ad90f094484152b53ab88a5ee
(22) Tue Nov 20 16:51:07 2018: Debug:   MS-MPPE-Send-Key = 0x04d8aef1be7ce80b6f7eb382d782d6227924a40379be4e9725254878108bd96d
(22) Tue Nov 20 16:51:07 2018: Debug:   EAP-Message = 0x030b0004
(22) Tue Nov 20 16:51:07 2018: Debug:   Message-Authenticator = 0x00000000000000000000000000

Accounting Request from NAS to FR Port 1813 (Accounting Server):
(11) Tue Nov 20 11:23:28 2018: Debug: Received Accounting-Request Id 247 from 10.33.6.2:47901 to 131.152.21.102:1813 length 551
(11) Tue Nov 20 11:23:28 2018: Debug:   User-Name = "[hidden email]<mailto:[hidden email]>"
(11) Tue Nov 20 11:23:28 2018: Debug:   Chargeable-User-Identity = 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
(11) Tue Nov 20 11:23:28 2018: Debug:   NAS-Port = 8
(11) Tue Nov 20 11:23:28 2018: Debug:   NAS-IP-Address = 10.33.6.2
(11) Tue Nov 20 11:23:28 2018: Debug:   Framed-IP-Address = 10.172.40.114

It’s weird because it used to work fine for a long time, and we assume something has changed in FR 3.x over 2.x regarding this behavior, but don’t know for sure.

Thanks,
Thorsten


From: Alejandro Perez-Mendez [via FreeRADIUS] <[hidden email]>
Sent: Tuesday, 20 November 2018 16:38
To: Thorsten Fritsch <[hidden email]>
Subject: Re: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username

Hi Thorsten,

We found a similar issues where User-Name was being duplicate, having
both, inner and outer values.
That made that some NAS were taking the outer one since it appeared first.

We pushed a fix upstream
https://github.com/FreeRADIUS/freeradius-server/pull/2297/commits/ad3791dc84200de9d2a37a9d31b87eaaca70a75e#diff-fabb0758705436cfa7405398e3f62e30

If your issue is the same, you just need to backport that change to your
"default" site and check whether it fixes it.

Best regards,
Alejandro

El 19/11/18 a las 16:05, Thorsten Fritsch escribió:

> Hi guys,
>
> we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs
> seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it
> hard to identify our eduroam users (user tracking).
>
> Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our
> case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ?
> We have set this setting to yes in our config:
>
> ttls {
>                  tls = tls-common
>                  default_eap_type = mschapv2
>                  copy_request_to_tunnel = yes
>                  use_tunneled_reply = yes
>                  virtual_server = "eduroam-inner-tunnel"
>          }
>
>          peap {
>                  tls = tls-common
>                  default_eap_type = mschapv2
>                  copy_request_to_tunnel = yes
>                  use_tunneled_reply = yes
>                  virtual_server = "eduroam-inner-tunnel"
>          }
>
> Thanks for your help.
>
> Cheers,
> Thorsten
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
________________________________
If you reply to this email, your message will be added to the discussion below:
http://freeradius.1045715.n5.nabble.com/FreeRadius-3-0-17-outer-tunnel-username-in-accounting-logs-instead-of-inner-tunnel-username-tp5752645p5752719.html
To unsubscribe from Users, click here<
NAML<
http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username

Alejandro Perez-Mendez
Hi Thorsten,

I did not know you migrated from 2.x to 3.x. Sure, there will be plenty of
changes, not only related to these ones. In any case, have you noticed
this excerpt in the inner_tunnel file?

     #
     #  Instead of "use_tunneled_reply", change this "if (0)" to an
     #  "if (1)".
     #
     if (0) {
         #
         #  These attributes are for the inner-tunnel only,
         #  and MUST NOT be copied to the outer reply.
         #
         update reply {
             User-Name !* ANY
             Message-Authenticator !* ANY
             EAP-Message !* ANY
             Proxy-State !* ANY
             MS-MPPE-Encryption-Types !* ANY
             MS-MPPE-Encryption-Policy !* ANY
             MS-MPPE-Send-Key !* ANY
             MS-MPPE-Recv-Key !* ANY
         }

         #
         #  Copy the inner reply attributes to the outer
         #  session-state list.  The post-auth policy will take
         #  care of copying the outer session-state list to the
         #  outer reply.
         #
         update {
             &outer.session-state: += &reply:
         }
     }

Just switch that (0) to (1) and comment the line regarding User-Name.
Also, add

         update reply {
              User-Name := &request:User-Name
         }

to the beginning of the post-auth section in that file.

Regards,
Alejandro

On 22/11/18 at 16:02, Thorsten Fritsch wrote:

> Hi Alejandro,
>
> thanks very much. Unfortunately in our case only the Outer Identity is included in the Access Accept
> from FR to the NAS and the NAS in turn requests accounting for the outer ID instead of the inner ID it’s supposed to:
>
> Access Accept from FR to NAS:
> (22) Tue Nov 20 16:51:07 2018: Debug: Sent Access-Accept Id 16 from 131.152.21.102:1812 to 10.33.6.2:47901 length 0
> (22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Type = VLAN
> (22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Medium-Type = IEEE-802
> (22) Tue Nov 20 16:51:07 2018: Debug:   Tunnel-Private-Group-Id = "822"
> (22) Tue Nov 20 16:51:07 2018: Debug:   User-Name := "[hidden email]<mailto:[hidden email]>"
> (22) Tue Nov 20 16:51:07 2018: Debug:   Chargeable-User-Identity := 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
> (22) Tue Nov 20 16:51:07 2018: Debug:   MS-MPPE-Recv-Key = 0x36785f7c835847b8f8b19bd771144a9b1484e34ad90f094484152b53ab88a5ee
> (22) Tue Nov 20 16:51:07 2018: Debug:   MS-MPPE-Send-Key = 0x04d8aef1be7ce80b6f7eb382d782d6227924a40379be4e9725254878108bd96d
> (22) Tue Nov 20 16:51:07 2018: Debug:   EAP-Message = 0x030b0004
> (22) Tue Nov 20 16:51:07 2018: Debug:   Message-Authenticator = 0x00000000000000000000000000
>
> Accounting Request from NAS to FR Port 1813 (Accounting Server):
> (11) Tue Nov 20 11:23:28 2018: Debug: Received Accounting-Request Id 247 from 10.33.6.2:47901 to 131.152.21.102:1813 length 551
> (11) Tue Nov 20 11:23:28 2018: Debug:   User-Name = "[hidden email]<mailto:[hidden email]>"
> (11) Tue Nov 20 11:23:28 2018: Debug:   Chargeable-User-Identity = 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
> (11) Tue Nov 20 11:23:28 2018: Debug:   NAS-Port = 8
> (11) Tue Nov 20 11:23:28 2018: Debug:   NAS-IP-Address = 10.33.6.2
> (11) Tue Nov 20 11:23:28 2018: Debug:   Framed-IP-Address = 10.172.40.114
>
> It’s weird cause it used to work fine for a long time and we assume something has change in FR 3.x over 2.x regarding this behavior but don’t know for sure.
>
> Thanks,
> Thorsten
>
>
> From: Alejandro Perez-Mendez [via FreeRADIUS] <[hidden email]>
> Sent: Tuesday, 20 November 2018 16:38
> To: Thorsten Fritsch <[hidden email]>
> Subject: Re: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username
>
> Hi Thorsten,
>
> We found a similar issues where User-Name was being duplicate, having
> both, inner and outer values.
> That made that some NAS were taking the outer one since it appeared first.
>
> We pushed a fix upstream
> https://github.com/FreeRADIUS/freeradius-server/pull/2297/commits/ad3791dc84200de9d2a37a9d31b87eaaca70a75e#diff-fabb0758705436cfa7405398e3f62e30
>
> If your issue is the same, you just need to backport that change to your
> "default" site and check whether it fixes it.
>
> Best regards,
> Alejandro
>
> El 19/11/18 a las 16:05, Thorsten Fritsch escribió:
>
>> Hi guys,
>>
>> we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs
>> seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it
>> hard to identify our eduroam users (user tracking).
>>
>> Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our
>> case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ?
>> We have set this setting to yes in our config:
>>
>> ttls {
>>                   tls = tls-common
>>                   default_eap_type = mschapv2
>>                   copy_request_to_tunnel = yes
>>                   use_tunneled_reply = yes
>>                   virtual_server = "eduroam-inner-tunnel"
>>           }
>>
>>           peap {
>>                   tls = tls-common
>>                   default_eap_type = mschapv2
>>                   copy_request_to_tunnel = yes
>>                   use_tunneled_reply = yes
>>                   virtual_server = "eduroam-inner-tunnel"
>>           }
>>
>> Thanks for your help.
>>
>> Cheers,
>> Thorsten
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> --
> Alejandro Perez-Mendez
> Technical Specialist (AAA), Trust & Identity
> M (+34) 619 333 219
> Skype alejandro_perez_mendez
> jisc.ac.uk
>
> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>
> Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> ________________________________
> If you reply to this email, your message will be added to the discussion below:
> http://freeradius.1045715.n5.nabble.com/FreeRadius-3-0-17-outer-tunnel-username-in-accounting-logs-instead-of-inner-tunnel-username-tp5752645p5752719.html
> To unsubscribe from Users, click here<
> NAML<
http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username

Martin Pauly
Hi Thorsten,

>           update {
>               &outer.session-state: += &reply:
 
>           update reply {
>                User-Name := &request:User-Name

we've had these settings since we started FR 3.0, but the problem persisted nevertheless
(not all records were affected, though).

A software upgrade on the Cisco Wireless controllers (e.g. AIR-CT5520-K9)
to Version 8.3.143.0 finally did the trick. The NAS has to comply, too, of course.
But I suppose in your case it was OK before the RADIUS switch,
so the Wireless controller is not the first component to look at.

Cheers, Martin


--
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: [hidden email]
   D-35032 Marburg


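The checks the thread walks through by hand (Thorsten's Access-Accept and Accounting-Request debug lines, Alejandro's point that the server must put the inner identity into the outer reply, and Martin's point that the NAS must honour it) can be run mechanically over saved radiusd -X output. The following is an added example, not code from the thread or from the FreeRADIUS project: it parses the debug lines, decodes Chargeable-User-Identity, correlates each Accounting-Request with the Access-Accept that carried the same CUI, and reports whether the outer identity originated on the RADIUS side or on the NAS side. The sample log, addresses, identities and CUI values are constructed for this example, and the outer-identity convention it tests for (an NAI with an empty or "anonymous" local part) is an assumption to adjust to your realm policy.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of "radiusd -X" output, modelled on the lines quoted in the
# thread; addresses, identities and CUI values are invented. Session "cui-a": the
# server itself sent the outer identity. Session "cui-b": the server sent the
# inner identity but the NAS accounted with the outer one anyway.
SAMPLE_LOG = """\
(22) Tue Nov 20 16:51:07 2018: Debug: Sent Access-Accept Id 16 from 192.0.2.10:1812 to 198.51.100.2:47901 length 0
(22) Tue Nov 20 16:51:07 2018: Debug:   User-Name := "anonymous@example.edu"
(22) Tue Nov 20 16:51:07 2018: Debug:   Chargeable-User-Identity := 0x6375692d61
(23) Tue Nov 20 16:51:09 2018: Debug: Sent Access-Accept Id 17 from 192.0.2.10:1812 to 198.51.100.2:47901 length 0
(23) Tue Nov 20 16:51:09 2018: Debug:   User-Name := "jdoe@example.edu"
(23) Tue Nov 20 16:51:09 2018: Debug:   Chargeable-User-Identity := 0x6375692d62
(11) Tue Nov 20 16:51:20 2018: Debug: Received Accounting-Request Id 247 from 198.51.100.2:47901 to 192.0.2.10:1813 length 551
(11) Tue Nov 20 16:51:20 2018: Debug:   User-Name = "anonymous@example.edu"
(11) Tue Nov 20 16:51:20 2018: Debug:   Chargeable-User-Identity = 0x6375692d61
(12) Tue Nov 20 16:51:21 2018: Debug: Received Accounting-Request Id 248 from 198.51.100.2:47901 to 192.0.2.10:1813 length 551
(12) Tue Nov 20 16:51:21 2018: Debug:   User-Name = "anonymous@example.edu"
(12) Tue Nov 20 16:51:21 2018: Debug:   Chargeable-User-Identity = 0x6375692d62
"""

PACKET_RE = re.compile(r"^\(\d+\) .*?Debug: (Sent|Received) ([A-Za-z-]+) Id (\d+) from")
ATTR_RE = re.compile(r"^\(\d+\) .*?Debug: {2,}([A-Za-z0-9-]+) (?::=|=) (.*)$")

@dataclass
class Packet:
    direction: str  # "Sent" or "Received"
    code: str       # "Access-Accept", "Accounting-Request", ...
    pid: int        # RADIUS packet Id
    attrs: list = field(default_factory=list)  # (name, value) pairs in wire order

    def first(self, name):
        # Mirror a NAS that acts on the first copy of a duplicated attribute.
        return next((v for a, v in self.attrs if a == name), None)

def decode_value(raw):
    """Strip quotes from strings; decode 0x... hex to text when it is printable ASCII."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw.startswith("0x"):
        try:
            text = bytes.fromhex(raw[2:]).decode("ascii")
            return text if text.isprintable() else raw
        except (ValueError, UnicodeDecodeError):
            return raw
    return raw

def parse_packets(log):
    """Group each 'Sent/Received <code> Id N' line with the attribute lines below it."""
    packets, current = [], None
    for line in log.splitlines():
        if m := PACKET_RE.match(line):
            current = Packet(m.group(1), m.group(2), int(m.group(3)))
            packets.append(current)
        elif (m := ATTR_RE.match(line)) and current is not None:
            current.attrs.append((m.group(1), decode_value(m.group(2))))
        else:
            current = None  # any other line ends the attribute list
    return packets

def is_anonymous_identity(name):
    # Assumed outer-identity convention: an NAI whose local part is empty
    # ("@realm") or the literal "anonymous"; adjust to your realm's policy.
    local, at, _realm = name.partition("@")
    return at == "@" and local.lower() in ("", "anonymous")

@dataclass
class Finding:
    acct_id: int      # Id of the Accounting-Request
    cui: str          # decoded Chargeable-User-Identity used for correlation
    acct_user: str    # User-Name the NAS reported in accounting
    accept_user: str  # User-Name the server sent in the matching Access-Accept
    verdict: str      # "radius", "nas" or "unmatched" (see audit)

def audit(log):
    """Flag accounting records carrying the outer identity and name the side to fix:
    "radius" = the Access-Accept itself carried the outer identity (inner-tunnel
    post-auth not replacing User-Name); "nas" = server sent the inner identity but
    the NAS accounted with the outer one; "unmatched" = no Access-Accept with that CUI."""
    packets = parse_packets(log)
    accept_by_cui = {}
    for p in packets:
        cui = p.first("Chargeable-User-Identity")
        if p.direction == "Sent" and p.code == "Access-Accept" and cui:
            accept_by_cui.setdefault(cui, p)
    findings = []
    for p in packets:
        if p.direction != "Received" or p.code != "Accounting-Request":
            continue
        user = p.first("User-Name") or ""
        if not is_anonymous_identity(user):
            continue  # already attributable, nothing to report
        cui = p.first("Chargeable-User-Identity") or ""
        accept = accept_by_cui.get(cui)
        accept_user = (accept.first("User-Name") or "") if accept else ""
        verdict = ("unmatched" if accept is None
                   else "radius" if is_anonymous_identity(accept_user) else "nas")
        findings.append(Finding(p.pid, cui, user, accept_user, verdict))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

Run it against a saved radiusd -X capture that covers both the authentication and the accounting exchange. A "radius" verdict means the inner-tunnel post-auth is not replacing User-Name in the outer reply (the configuration change Alejandro describes); a "nas" verdict means the server did its part and the controller is discarding it, which is the case Martin resolved with a WLC firmware upgrade. Correlating on CUI rather than on User-Name is deliberate: CUI is the one attribute that stays stable across both packets even when User-Name is wrong.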