How to Reject Anonymous Identity


How to Reject Anonymous Identity

Selahattin Cilek

I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
stepped into the world of RADIUS, I have been dealing with the issue of
"anonymous" users. I have been abusing the *Class* attribute to work around
the problem, but after some deliberation, I've decided that it would be
best if I could reject anonymous users right away.

I already have a MySQL stored procedure named "is_login_allowed" that
checks if a user is in a locked state or not and I use it like this in
the *authorize* section of the *default*, *inner-tunnel-ttls*,
*inner-tunnel-peap* sites:

authorize {
     if ("%{sql: CALL is_login_allowed('%{User-Name}')}" == "0") {
         reject
     }
}

Currently, this stored procedure can check if a user with a given name
exists in the database, and if not, return *0* to make FreeRADIUS
reject access to that user.

What I'd like to know, though, is whether there is a better, more elegant
FreeRADIUSy way of achieving the same goal. For example, would something
like below work?

authorize {
     # there is no "inner" list in unlang; in the inner-tunnel sites the
     # outer request is reachable as outer.request, and the attribute being
     # compared is User-Name (not UserName)
     if ("%{outer.request:User-Name}" != "%{User-Name}") {
         reject
     }
}




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to Reject Anonymous Identity

Alan DeKok-2

On Nov 2, 2018, at 12:08 PM, Selahattin Cilek <[hidden email]> wrote:
>
> I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
> stepped into the world of RADIUS, I have been dealing with the issue of
> "anonymous" users.

  What do you mean by anonymous users?

  The normal operation is to only authenticate *known* users.  Everyone else is unknown, and un-authenticated.

> I have been abusing the *Class* attribute to work around
> the problem, but after some deliberation, I've decided that it would be
> best if I could reject anonymous users right away.

  Perhaps there's debug output you could share...

> Currently, this stored procedure can check if a user with a given name
> exists in the database, and if not, return *0* to make FreeRADIUS
> reject access to that user.

  The default *is* to reject unknown users.  So if your system is allowing unknown users, then it's because of local changes you made to allow that.

> What I'd like to know, though, is whether there is a better, more elegant
> FreeRADIUSy way of achieving the same goal. For example, would something
> like below work?

  If you could describe in more detail what you're doing, we could help.

  Alan DeKok.



Re: How to Reject Anonymous Identity

Dom Latter


On 02/11/2018 16:15, Alan DeKok wrote:
>
> On Nov 2, 2018, at 12:08 PM, Selahattin Cilek <[hidden email]> wrote:
>>
>> I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
>> stepped into the world of RADIUS, I have been dealing with the issue of
>> "anonymous" users.
>
>    What do you mean by anonymous users?

People who set up an anonymous username that is different to the "real"
username authenticated in the inner tunnel.

>> What I'd like to know, though, is whether there is a better, more elegant
>> FreeRADIUSy way of achieving the same goal. For example, would something
>> like below work?

AIUI you need to pass the inner request name back to the outer.  We
are using this snippet, but so that we can log using the real, not
anonymous, username.

In inner tunnel:
   post-auth {
     update outer.session-state {
        &User-Name = &User-Name
     }
   }

Then in the default site you could try this:
   post-auth {
     if (&session-state:User-Name != &request:User-Name) {
       reject
     }
   }

NB untested and there are people who understand the code far better
than I do.

Re: How to Reject Anonymous Identity

Selahattin Cilek


On 2.11.2018 19:15, Alan DeKok wrote:

> On Nov 2, 2018, at 12:08 PM, Selahattin Cilek <[hidden email]> wrote:
>> I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
>> stepped into the world of RADIUS, I have been dealing with the issue of
>> "anonymous" users.
>
>   What do you mean by anonymous users?

"Anonymous" users are those who use another user name in the outer EAP request. The option to use an anonymous (or "outer" or "secret" or "hidden") identity is enabled by default on SecureW2 and Windows 10's Microsoft EAP-TLS implementation, and almost all devices can be configured to use it. This is a measure designed to prevent an attacker from getting a user's true user name by sniffing the packets that go between the NAS and the RADIUS server. Of course, when the request enters the TLS tunnel, the server gets the user's true user name. I think these two lines from the log should make it clear:

Nov 2 19:44:32  radiusd         65078   Login OK: [anonymous] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF)
Nov 2 19:44:32  radiusd         65078   Login OK: [60643462528] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF via TLS tunnel)

This user is using anonymous identity.

>   The normal operation is to only authenticate *known* users.  Everyone else is unknown, and un-authenticated.

Yes, of course, obviously. But the problem is that the user can hide his true user name in the outer request.

>> I have been abusing the *Class* attribute to work around
>> the problem, but after some deliberation, I've decided that it would be
>> best if I could reject anonymous users right away.
>
>   Perhaps there's debug output you could share...

I did not want to deluge the message with debug output since this is not about an error I am getting. I just want to improve my configuration a little bit.

>> Currently, this stored procedure can check if a user with a given name
>> exists in the database, and if not, return *0* to make FreeRADIUS
>> reject access to that user.
>
>   The default *is* to reject unknown users.  So if your system is allowing unknown users, then it's because of local changes you made to allow that.

Yes, but a user can choose to supply another false user name in the outer request, can't he?

>> What I'd like to know, though, is whether there is a better, more elegant
>> FreeRADIUSy way of achieving the same goal. For example, would something
>> like below work?
>
>   If you could describe in more detail what you're doing, we could help.

I want to check if a user is using anonymous identity and reject access to him in the FreeRADIUS configuration, that is, without the help of MySQL. Something like: If he is using anonymous identity, do not let him in.

>   Alan DeKok.


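The two radius.log lines in this post carry everything needed to see, after the fact, which stations present an anonymous outer identity: the outer accept and the inner-tunnel accept share the NAS client name and the calling station (cli), and only the inner one carries "via TLS tunnel". The script below is an added illustration, not code from the thread or from FreeRADIUS. It pairs the two lines per station and reports every station whose outer identity is an anonymous placeholder or differs from the authenticated inner one. The first two log lines are the ones quoted in the post; the remaining lines, client names and MAC addresses are constructed.

```python
import re

# "Login OK" lines in the radius.log format shown in this thread.  The first
# two lines are the ones quoted in the post above; the remaining lines are
# constructed for this example, with made-up client names and MAC addresses.
SAMPLE_LOG = """\
Nov 2 19:44:32  radiusd         65078   Login OK: [anonymous] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF)
Nov 2 19:44:32  radiusd         65078   Login OK: [60643462528] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF via TLS tunnel)
Nov 2 19:45:10  radiusd         65078   Login OK: [alice] (from client AP_EXAMPLE_1 port 0 cli 00-11-22-33-44-55)
Nov 2 19:45:10  radiusd         65078   Login OK: [alice] (from client AP_EXAMPLE_1 port 0 cli 00-11-22-33-44-55 via TLS tunnel)
Nov 2 19:46:02  radiusd         65078   Login OK: [anonymous@example.org] (from client AP_EXAMPLE_2 port 0 cli 66-77-88-99-AA-BB)
Nov 2 19:46:02  radiusd         65078   Login OK: [bob] (from client AP_EXAMPLE_2 port 0 cli 66-77-88-99-AA-BB via TLS tunnel)
Nov 2 19:47:30  radiusd         65078   Login incorrect: [carol] (from client AP_EXAMPLE_1 port 0 cli CC-DD-EE-FF-00-11)
"""

# One accepted login per line.  The inner-tunnel accept is distinguished by
# the "via TLS tunnel" suffix; the outer accept has no suffix.
LOGIN_OK = re.compile(
    r"Login OK: \[(?P<name>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>\S+)"
    r"(?P<tunnel> via TLS tunnel)?\)"
)


def pair_identities(log_text):
    """Join each outer accept with the inner accept for the same NAS client and
    calling station.  Returns a list of (client, cli, outer_name, inner_name);
    inner_name is None when no tunnelled accept was seen for that station."""
    outer, inner = {}, {}
    for line in log_text.splitlines():
        m = LOGIN_OK.search(line)
        if m is None:
            continue  # rejects and other log lines are not accepts
        key = (m["client"], m["cli"])
        if m["tunnel"]:
            inner[key] = m["name"]
        else:
            outer[key] = m["name"]
    return [(client, cli, name, inner.get((client, cli)))
            for (client, cli), name in outer.items()]


def anonymous_outer_sessions(log_text, anon_prefixes=("anonymous", "anon")):
    """Report stations whose outer identity is a placeholder (local part starts
    with one of anon_prefixes) or simply differs from the authenticated inner
    identity.  Only stations with a completed inner authentication count."""
    findings = []
    for client, cli, outer_name, inner_name in pair_identities(log_text):
        if inner_name is None:
            continue  # no tunnelled accept seen: nothing to compare against
        local_part = outer_name.split("@", 1)[0].lower()
        if local_part.startswith(anon_prefixes) or outer_name != inner_name:
            findings.append({"client": client, "cli": cli,
                             "outer": outer_name, "inner": inner_name})
    return findings


if __name__ == "__main__":
    for f in anonymous_outer_sessions(SAMPLE_LOG):
        print(f"{f['client']} {f['cli']}: outer={f['outer']!r} inner={f['inner']!r}")
```

Run against a real log, this gives the same information Alan later recommends reading out of the debug output, per station rather than per packet: the DAIRE_703 station and the constructed AP_EXAMPLE_2 station are reported, the station whose outer and inner names agree is not.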

Re: How to Reject Anonymous Identity

Scott Armitage


> On 2 Nov 2018, at 16:49, Selahattin Cilek <[hidden email]> wrote:
>
> On 2.11.2018 19:15, Alan DeKok wrote:
>
>> On Nov 2, 2018, at 12:08 PM, Selahattin Cilek <[hidden email]> wrote:
>>> I use FreeRADIUS 3.0.17 to provide services on a site. Ever since I
>>> stepped into the world of RADIUS, I have been dealing with the issue of
>>> "anonymous" users.
>>
>>  What do you mean by anonymous users?
>
> "Anonymous" users are those who use another user name in the outer EAP request. The option to use an anonymous (or "outer" or "secret" or "hidden") identity is enabled by default on SecureW2 and Windows 10's Microsoft EAP-TLS implementation, and almost all devices can be configured to use it. This is a measure designed to prevent an attacker from getting a user's true user name by sniffing the packets that go between the NAS and the RADIUS server. Of course, when the request enters the TLS tunnel, the server gets the user's true user name. I think these two lines from the log should make it clear:
>
> Nov 2 19:44:32  radiusd         65078   Login OK: [anonymous] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF)
> Nov 2 19:44:32  radiusd         65078   Login OK: [60643462528] (from client DAIRE_703 port 0 cli 34-23-87-7B-28-FF via TLS tunnel)
>
> This user is using anonymous identity.
>
>>  The normal operation is to only authenticate *known* users.  Everyone else is unknown, and un-authenticated.
>
> Yes, of course, obviously. But the problem is that the user can hide his true user name in the outer request.
>

That's kind of the point of the outer identity. Changing this will prevent clients from authenticating.

>>> Currently, this stored procedure can check if a user with a given name
>>> exists in the database, and if not, return *0* to make FreeRADIUS
>>> reject access to that user.
>>
>>  The default *is* to reject unknown users.  So if your system is allowing unknown users, then it's because of local changes you made to allow that.
>
> Yes, but a user can choose to supply another false user name in the outer request, can't he?

The outer identity isn't used to authenticate the user.  The inner identity is.


Regards

Scott Armitage


Re: How to Reject Anonymous Identity

Alan DeKok-2
On Nov 2, 2018, at 12:49 PM, Selahattin Cilek <[hidden email]> wrote:
> "Anonymous" users are those who use another user name in the outer EAP request. The option to use an anonymous (or "outer" or "secret" or "hidden") identity is enabled by default on SecureW2 and Windows 10's Microsoft EAP-TLS implementation, and almost all devices can be configured to use it. This is a measure designed to prevent an attacker from getting a user's true user name by sniffing the packets that go between the NAS and the RADIUS server. Of course, when the request enters the TLS tunnel, the server gets the user's true user name. I think these two lines from the log should make it clear:

  OK.  I understand all that.  Given the vagueness of the message, I wasn't sure what *you* meant by it.

> ... But the problem is that the user can hide his true user name in the outer request.

  That's sort of the point of the anonymous outer identity.

> Yes, but a user can choose to supply another false user name in the outer request, can't he?

  Which is why you only authenticate the user via the *inner* identity.

> I want to check if a user is using anonymous identity and reject access to him in the FreeRADIUS configuration, that is, without the help of MySQL. Something like: If he is using anonymous identity, do not let him in.

  Just look for the anonymous identity in the outer session.  This is why we tell people to read the debug output.  It *tells you* what's going on.

  In sites-enabled/default, do:

authorize {
        ...
        if (User-Name =~ /^anom/) {
                reject
        }

        ...
}

  Though the user can just change the outer identity to anything else.

  The question here is why do you care what the outer identity is?  All of the default configuration uses the inner identity for authenticating users.

  Again, the default configuration *works*.  If you've done something to allow weird things, then it's due to your local changes.  Don't do that...

  Alan DeKok.



Re: How to Reject Anonymous Identity

Selahattin Cilek


On 2.11.2018 20:02, Alan DeKok wrote:

> On Nov 2, 2018, at 12:49 PM, Selahattin Cilek <[hidden email]> wrote:
>> "Anonymous" users are those who use another user name in the outer EAP request. The option to use an anonymous (or "outer" or "secret" or "hidden") identity is enabled by default on SecureW2 and Windows 10's Microsoft EAP-TLS implementation, and almost all devices can be configured to use it. This is a measure designed to prevent an attacker from getting a user's true user name by sniffing the packets that go between the NAS and the RADIUS server. Of course, when the request enters the TLS tunnel, the server gets the user's true user name. I think these two lines from the log should make it clear:
>    OK.  I understand all that.  Given the vagueness of the message, I wasn't sure what *you* meant by it.
>
>> ... But the problem is that the user can hide his true user name in the outer request.
>    That's sort of the point of the anonymous outer identity.
>
>> Yes, but a user can choose to supply another false user name in the outer request, can't he?
>    Which is why you only authenticate the user via the *inner* identity.
>
>> I want to check if a user is using anonymous identity and reject access to him in the FreeRADIUS configuration, that is, without the help of MySQL. Something like: If he is using anonymous identity, do not let him in.
>    Just look for the anonymous identity in the outer session.  This is why we tell people to read the debug output.  It *tells you* what's going on.
>
>    In sites-enabled/default, do:
>
> authorize {
>         ...
>         if (User-Name =~ /^anom/) {
>                 reject
>         }
>
>         ...
> }
>
>    Though the user can just change the outer identity to anything else.

So is the MySQL stored procedure approach my best option? Is there
not a way to check the inner identity against the outer identity?

>
>    The question here is why do you care what the outer identity is?  All of the default configuration uses the inner identity for authenticating users.
>
>    Again, the default configuration *works*.  If you've done something to allow weird things, then it's due to your local changes.  Don't do that...

I do care because:
1. The Unifi APs that are employed on the site sometimes allow multiple
access from laptops to the network despite the fact that
"Simultaneous-Use" is set to "1" for every user in the database, and I
suspect that is somehow connected with the cursed anonymous identity. To
illustrate, some users can first log in on their Android phones and then
leave the laptop open, which tries to log in again and again and some
time later, somehow, is connected to the network. As if that is not
enough, I receive no accounting packets for the laptop. There is one
particular user who confessed to once having downloaded 150GB in a night
from his laptop. He does that almost every night. My goal is to
distribute the connectivity as fairly as possible.
2. The Unifi APs do not know what is going on on the FreeRADIUS server and
send back accounting packets that contain lines like "User-Name:
anonymous" or "User-Name: some_garbage"; that is why I use the "Class"
attribute to circumvent this problem. I do not want to have to
circumvent anything. I want everything to be correct and in place.
3. This is a public and *FREE* network. The users do not have the luxury
of remaining anonymous. If they want to remain anonymous, they can buy
one of those LTE packages.

>
>    Alan DeKok.
>

Re: How to Reject Anonymous Identity

Alan DeKok-2
On Nov 2, 2018, at 1:32 PM, Selahattin Cilek <[hidden email]> wrote:
> So is the MySQL stored procedure approach my best option? Is there
> not a way to check the inner identity against the outer identity?

   Yes.  See raddb/policy.d/filter

   Or, run the server in debug mode as suggested everywhere... you will see it compare inner to outer identity.

> I do care because:
> 1. The Unifi APs that are employed on the site sometimes allow multiple
> access from laptops to the network despite the fact that
> "Simultaneous-Use" is set to "1" for every user in the database, and I
> suspect that is somehow connected with the cursed anonymous identity.

  Don't *suspect*.  Run the server in debug mode, and *learn*.

   Trying random things to "fix" a problem is just a waste of time.  You need to *understand* what it's doing, and how the configuration works.  That lets you come up with a solution.

> To
> illustrate, some users can first log in on their Android phones and then
> leave the laptop open, which tries to log in again and again and some
> time later, somehow, are connected to the network. As if that is not
> enough, I receive no accounting packets for the laptop.

  Simultaneous-Use needs accounting packets...

  If you go to the Wiki and search for "Simultaneous-Use", you'll see a FAQ entry which says this.

> There is one
> particular user who confessed to once having downloaded 150GB in a night
> from his laptop. He does that almost every night. My goal is to
> distribute the connectivity as fairly as possible.

  Then fix the NAS so that it sends accounting packets.

  No amount of poking FreeRADIUS will magically have it know what the users are doing.  Especially if the NAS isn't sending accounting packets.

> 2. The Unifi APs do not know what is going on the FreeRADIUS server and
> send back accounting packages that contain lines like "User-Name:
> anonymous" or "User-Name: some_garbage"; that is why I use the "Class"
> attribute to circumvent this problem.

  Which is why the default config sends the *inner* username in the Access-Accept.  The NAS is *supposed* to use this User-Name in all accounting packets.

  If you use Class, you can just set "Class" to the inner User-Name.

  Or even better, reject *all* users where the outer User-Name is not the same as the outer User-Name,

  Again, running the server in debug mode and *reading* the output will tell you exactly how to do this.

> I do not want to have to
> circumvent anything. I want everything to be correct and in place.
> 3. This is a public and *FREE* network. The users do not have the luxury
> of remaining anonymous. If they want to remain anonymous, they can buy
> one of those LTE packages.

  99% of what you want to do is documented either in the Wiki or is visible in the debug output.

  It just takes *reading* the debug output.  And not trying random things.  That's a waste of time.

  Alan DeKok.



Re: How to Reject Anonymous Identity

Alan Buxey
Umm

You are authenticating them, so you see their inner username and thus
whatever they have in their outerid is of no consequence.

Let them use whatever in their outerid as it's the innerid that matters and
what you use for policies.

For simultaneous use checks the server, by default, will be using
accounting info, thus you need to send info back to the NAS that can be
used in the accounting sessions and policy designed around that.

But you say this is a free network... What is wrong with a user having a
phone and a laptop? It's pretty common these days for a user to have 2 (or
more!) devices *and* user experience/expectations is to be able to use them
all (in fact, they may have to, doing eg something on their phone but then
having to get their laptop out to complete the task )

alan

On Fri, 2 Nov 2018, 17:50 Alan DeKok <[hidden email] wrote:

> On Nov 2, 2018, at 1:32 PM, Selahattin Cilek <[hidden email]>
> wrote:
> > So is the MySQL stored procedure approach my best option? Is there
> > not a way to check the inner identity against the outer identity?
>
>    Yes.  See raddb/policy.d/filter
>
>    Or, run the server in debug mode as suggested everywhere... you will
> see it compare inner to outer identity.
>
> > I do care because:
> > 1. The Unifi APs that are employed on the site sometimes allow multiple
> > access from laptops to the network despite the fact that
> > "Simultaneous-Use" is set to "1" for every user in the database, and I
> > suspect that is somehow connected with the cursed anonymous identity.
>
>   Don't *suspect*.  Run the server in debug mode, and *learn*.
>
>    Trying random things to "fix" a problem is just a waste of time.  You
> need to *understand* what it's doing, and how the configuration works.
> That lets you come up with a solution.
>
> > To
> > illustrate, some users can first log in on their Android phones and then
> > leave the laptop open, which tries to log in again and again and some
> > time later, somehow, are connected to the network. As if that is not
> > enough, I receive no accounting packets for the laptop.
>
>   Simultaneous-Use needs accounting packets...
>
>   If you go to the Wiki and search for "Simultaneous-Use", you'll see a
> FAQ entry which says this.
>
> > There is one
> > particular user who confessed to once having downloaded 150GB in a night
> > from his laptop. He does that almost every night. My goal is to
> > distribute the connectivity as fairly as possible.
>
>   Then fix the NAS so that it sends accounting packets.
>
>   No amount of poking FreeRADIUS will magically have it know what the
> users are doing.  Especially if the NAS isn't sending accounting packets.
>
> > 2. The Unifi APs do not know what is going on the FreeRADIUS server and
> > send back accounting packages that contain lines like "User-Name:
> > anonymous" or "User-Name: some_garbage"; that is why I use the "Class"
> > attribute to circumvent this problem.
>
>   Which is why the default config sends the *inner* username in the
> Access-Accept.  The NAS is *supposed* to use this User-Name in all
> accounting packets.
>
>   If you use Class, you can just set "Class" to the inner User-Name.
>
>   Or even better, reject *all* users where the outer User-Name is not the
> same as the outer User-Name,
>
>   Again, running the server in debug mode and *reading* the output will
> tell you exactly how to do this.
>
> > I do not want to have to
> > circumvent anything. I want everything to be correct and in place.
> > 3. This is a public and *FREE* network. The users do not have the luxury
> > of remaining anonymous. If they want to remain anonymous, they can buy
> > one of those LTE packages.
>
>   99% of what you want to do is documented either in the Wiki or is
> visible in the debug output.
>
>   It just takes *reading* the debug output.  And not trying random
> things.  That's a waste of time.
>
>   Alan DeKok.

Re: How to Reject Anonymous Identity

Hans-Christian Esperer
Hi,

On Fri, Nov 02, 2018 at 05:32:34PM +0000, Selahattin Cilek wrote:
> 1. The Unifi APs that are employed on the site sometimes allow multiple
> access from laptops to the network despite that fact that
> "Simultaneous-Use" is set to "1" for every user in the database and I
[...]

Unifi APs always use a NAS-Port of 0 (instead of using a unique value) in all
accounting packets. I've reported this to the vendor but haven't gotten any
response so far.

When using radutmp to keep all current sessions, newer sessions delete old ones
because the tuple(AP,NAS-Port) is the primary key... radutmp in turn is used
for the Simultaneous-Use thing. (unless you use sql)

Cheers
 HC

Re: How to Reject Anonymous Identity

Olivier
On Fri, 2 Nov 2018 at 20:07, Hans-Christian Esperer <[hidden email]> wrote:

>
> Unifi APs always use a NAS-Port of 0 (instead of using a unique value) in
> all
> accounting packets. I've reported this to the vendor but haven't gotten any
> response so far.


Hello Hans-Christian,

Do you have a public reference to this report?

Regards

Re: How to Reject Anonymous Identity

Hans-Christian Esperer
Hi Olivier,

On Thu, Jan 24, 2019 at 09:24:29AM +0100, Olivier wrote:
> On Fri, 2 Nov 2018 at 20:07, Hans-Christian Esperer <[hidden email]> wrote:
[...]
> > Unifi APs always use a NAS-Port of 0 (instead of using a unique value) in
> > all
> > accounting packets. I've reported this to the vendor but haven't gotten any
> > response so far.
[...]
> Do you have a public reference to this report ?

No, I don't. I've opened a support ticket with them, got several inquiries but
never the feeling that they really cared. So far, I haven't heard back from
them and the issue is still not fixed in their latest stable firmware 4.15.

Perhaps someone else cares to report this again in their public forums?

HC

Re: How to Reject Anonymous Identity

Olivier
On Thu, 24 Jan 2019 at 09:37, Hans-Christian Esperer <[hidden email]> wrote:

> Hi Olivier,
>
> On Thu, Jan 24, 2019 at 09:24:29AM +0100, Olivier wrote:
> > On Fri, 2 Nov 2018 at 20:07, Hans-Christian Esperer <[hidden email]> wrote:
> [...]
> > > Unifi APs always use a NAS-Port of 0 (instead of using a unique value)
> in
> > > all
> > > accounting packets. I've reported this to the vendor but haven't
> gotten any
> > > response so far.
> [...]
> > Do you have a public reference to this report ?
>
> No, I don't. I've opened a support ticket with them, got several inquiries
> but
> never the feeling that they really cared. So far, I haven't heard back from
> them and the issue is still not fixed in their latest stable firmware 4.15.
>
> Perhaps someone else cares to report this again in their public forums?
>
> HC


I volunteer to help but certainly need a better understanding of this
specific topic:
why is setting NAS-Port to 0 in accounting an issue, etc.

The strange thing is that some people wrote to me on the UBNT Unifi mailing
list that they had successfully implemented a FreeRADIUS-based
Simultaneous-Use control.
Either I misunderstood this assertion or their implementation still has
some rough edges or corner cases.

Re: How to Reject Anonymous Identity

Hans-Christian Esperer
On Thu, Jan 24, 2019 at 06:30:06PM +0100, Olivier wrote:
> The strange thing is that some people wrote to me on the UBNT Unifi mailing
> list that they had successfully implemented a FreeRADIUS-based Simultaneous-Use control.

The NAS-Port needs to be unique only for radutmp. The SQL module doesn't have
this limitation.

-HC

Re: How to Reject Anonymous Identity

Olivier
On Fri, 25 Jan 2019 at 08:23, Hans-Christian Esperer <[hidden email]> wrote:

> On Thu, Jan 24, 2019 at 06:30:06PM +0100, Olivier wrote:
> > The strange thing is that some people wrote to me on the UBNT Unifi mailing
> > list that they had successfully implemented a FreeRADIUS-based Simultaneous-Use control.
>
> The NAS-Port needs to be unique only for radutmp. The SQL module doesn't
> have
> this limitation.
>

OK.

1. Should we say then that, in a Unifi wireless setup powered by an
SQL-enabled FreeRADIUS accounting backend, simultaneous connection
control is working correctly or not (besides the issue this thread is about)?

2. By any chance do we know if Unifi switches or Ubnt EdgeSwitches
correctly set a unique NAS-Port value? A positive answer would help to
convince Ubnt to change the current behaviour.


>
> -HC

Re: How to Reject Anonymous Identity

Hans-Christian Esperer
On Fri, Jan 25, 2019 at 10:30:03AM +0100, Olivier wrote:
> 1. Should we say then that, in a Unifi wireless setup powered by an
> SQL-enabled FreeRADIUS accounting backend, simultaneous connection
> control is working correctly or not (besides the issue this thread is about)?

I'd say it will work correctly insofar as the SQL backend is able to properly
keep track of currently logged in users regardless of the NAS-Port parameter in
the accounting packages, but I haven't tried it personally. I'm using radutmp
with Alan DeKok's NAS-Port-username-hash-turned-into-an-integer hack.

For reference, this is how it's done:

        if (NAS-Port == 0) {
                # MD5 of the User-Name, kept as octets
                update request {
                        Tmp-Octets-0 := "%{md5:%{User-Name}}"
                }

                # four bytes of the digest, starting at offset 1, as an integer
                update request {
                        NAS-Port := "%{unpack:&Tmp-Octets-0 1 integer}"
                }
        }

In all relevant sections.

A thing to keep in mind: When used in outer connections, the username is
controlled by the authenticating user (i.e., the outer identity, anonymous etc)
and thus the NAS-Port value should not be trusted, as it is also controlled by
the user.  (I.e., a user could erase all entries in the radutmp by causing many
collisions)

Probably better to just use the sql module :-)

> 2. By any chance do we know if Unifi switches or Ubnt EdgeSwitches
> correctly set a unique NAS-Port value? A positive answer would help to
> convince Ubnt to change the current behaviour.

My "largest" setup consists of 3 Unifi AP AC Pro access points. I am not using
any other ubiquiti equipment so far, so I cannot say. Probably other people on
this list can answer this, though.

Cheers,
 HC
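Hans-Christian's two points above, that radutmp keys sessions on (AP, NAS-Port) while the SQL module does not, and that the MD5 hack only papers over a NAS that always sends NAS-Port 0, can be checked with a small model. The Python below is an added example, not code from the thread or from FreeRADIUS: it models a radutmp-style table keyed on (NAS-IP-Address, NAS-Port), a radacct-style table keyed on Acct-Session-Id, and the NAS-Port derivation shown in the post, then asks what a Simultaneous-Use = 1 check would conclude from each. The accounting packets are constructed (the NAS address is from the 192.0.2.0/24 documentation range), the session-table behaviour is a simplification of the real modules, and network byte order is assumed for the unpack.

```python
import hashlib
from collections import Counter

# Constructed accounting packets, not taken from the thread.  Every packet
# carries NAS-Port 0, which is what the thread reports for Unifi APs.
SAMPLE_ACCOUNTING = [
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Acct-Session-Id": "5BDC9A001",
     "NAS-IP-Address": "192.0.2.10", "NAS-Port": 0},   # alice's phone
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Acct-Session-Id": "5BDC9A002",
     "NAS-IP-Address": "192.0.2.10", "NAS-Port": 0},   # alice's laptop, same AP
    {"Acct-Status-Type": "Start", "User-Name": "bob", "Acct-Session-Id": "5BDC9A003",
     "NAS-IP-Address": "192.0.2.10", "NAS-Port": 0},
]


def active_sessions_radutmp(packets):
    """Simplified radutmp: one slot per (NAS-IP-Address, NAS-Port).  A Start for
    an occupied slot replaces the earlier session, as the thread describes.
    Returns {user: number of sessions the table still knows about}."""
    slots = {}
    for pkt in packets:
        key = (pkt["NAS-IP-Address"], pkt["NAS-Port"])
        if pkt["Acct-Status-Type"] == "Start":
            slots[key] = pkt["User-Name"]
        elif pkt["Acct-Status-Type"] == "Stop" and slots.get(key) == pkt["User-Name"]:
            del slots[key]
    return dict(Counter(slots.values()))


def active_sessions_sql(packets):
    """Simplified radacct table: one row per Acct-Session-Id, so a NAS that
    always sends NAS-Port 0 loses nothing."""
    rows = {}
    for pkt in packets:
        sid = pkt["Acct-Session-Id"]
        if pkt["Acct-Status-Type"] == "Start":
            rows[sid] = pkt["User-Name"]
        elif pkt["Acct-Status-Type"] == "Stop":
            rows.pop(sid, None)
    return dict(Counter(rows.values()))


def derive_nas_port(user_name):
    """The hack from the post: Tmp-Octets-0 := MD5(User-Name), then
    %{unpack:&Tmp-Octets-0 1 integer}, i.e. four bytes of the digest starting
    at offset 1 read as an integer.  Network byte order is assumed here."""
    digest = hashlib.md5(user_name.encode("utf-8")).digest()
    return int.from_bytes(digest[1:5], "big")


def apply_nas_port_hack(packets):
    """Rewrite NAS-Port 0 to the derived value, as the `if (NAS-Port == 0)`
    block in the post does before the packet reaches radutmp."""
    fixed = []
    for pkt in packets:
        pkt = dict(pkt)
        if pkt["NAS-Port"] == 0:
            pkt["NAS-Port"] = derive_nas_port(pkt["User-Name"])
        fixed.append(pkt)
    return fixed


def simultaneous_use_would_reject(packets, user_name, limit=1,
                                  backend=active_sessions_radutmp):
    """Would Simultaneous-Use = limit reject a new login for user_name, given
    what the chosen session backend currently believes is active?"""
    return backend(packets).get(user_name, 0) >= limit


if __name__ == "__main__":
    print("radutmp, NAS-Port 0:  ", active_sessions_radutmp(SAMPLE_ACCOUNTING))
    print("radutmp, hashed port: ", active_sessions_radutmp(apply_nas_port_hack(SAMPLE_ACCOUNTING)))
    print("sql:                  ", active_sessions_sql(SAMPLE_ACCOUNTING))
```

With NAS-Port fixed at 0 the radutmp model remembers only the last Start on the AP, so a second login by alice is never refused; the SQL model counts both of alice's sessions. The hack restores one slot per user per AP, which is enough to enforce a limit of 1 but can never count two sessions of the same user, and because the derived port comes from a username the client chooses, two different names can land on the same slot, the trust problem the post goes on to describe.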

Re: How to Reject Anonymous Identity

Olivier
On Nov 2, 2018, at 1:32 PM, Selahattin Cilek <[hidden email]> wrote:
> > some users can first log in on their Android phones and then
> > leave the laptop open, which tries to log in again and again and some
> > time later, somehow, are connected to the network. As if that is not
> > enough, I receive no accounting packets for the laptop.
>

Has UBNT been involved in this issue?
Which controller version was in use?