accounting 'detail' file and EAP

accounting 'detail' file and EAP

Kris Benson
Hi all,

So I have FreeRadius set up (and working) to authenticate off an LDAP
installation.  Everything is great.

I even have EAP-TTLS/PAP working, so I don't have to store the plaintext
passwords.

I just have one problem now: accounting data.  Since I'm using TTLS, the
User-Name field is not the authenticated one, and is simply whatever the
user chose to put in for the outside-the-tunnel username.

Has anyone come up with a way to either A) ensure the outside username
matches the inside one (guaranteeing the outside one isn't falsified) or
B) log the accounting details with the tunnel information?

Any help would be appreciated -- thanks in advance.




-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: accounting 'detail' file and EAP

Alan DeKok
"Kris Benson" <[hidden email]> wrote:
> Has anyone come up with a way to either A) ensure the outside username
> matches the inside one (guaranteeing the outside one isn't falsified) or
> B) log the accounting details with the tunnel information?

  Use the "class" attribute.  Set it to some value inside of the
tunnel, and set "use_tunneled_reply=yes".  You will then see it come
back in accounting packets outside of the tunnel.

  You will need to log the *inner* tunnel username & Class attribute,
to tie those two together, too.

  Alan DeKok.
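
The correlation suggested in the reply above, as an added example that is not part of the original thread or of FreeRADIUS: it joins accounting records to inner-tunnel log records on the Class value and reports whether the outer User-Name agrees with the authenticated inner one. It assumes the inner-tunnel User-Name and Class are logged in the same detail-style layout as the accounting file; the sample records and function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread). Layout assumed: a timestamp
# line, tab-indented "Attribute = value" lines, blank line between records.
INNER_LOG = '''Tue Mar  7 10:15:01 2006
\tUser-Name = "kbenson"
\tClass = 0x6b622d31

Tue Mar  7 10:16:40 2006
\tUser-Name = "jsmith"
\tClass = 0x6a732d32
'''
ACCT_DETAIL = '''Tue Mar  7 10:15:02 2006
\tUser-Name = "anonymous"
\tAcct-Session-Id = "0000A1"
\tClass = 0x6b622d31

Tue Mar  7 10:16:41 2006
\tUser-Name = "jsmith"
\tAcct-Session-Id = "0000A2"
\tClass = 0x6a732d32

Tue Mar  7 10:20:00 2006
\tUser-Name = "kbenson"
\tAcct-Session-Id = "0000A3"
'''
ATTR = re.compile(r'^\s+([\w-]+) = (.*)$')

def parse_records(text):
    """Split a detail-style log into one dict of attributes per record."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        rec = {}
        for line in block.splitlines()[1:]:      # skip the timestamp header
            m = ATTR.match(line)
            if m:
                rec[m.group(1)] = m.group(2).strip('"')
        records.append(rec)
    return records

def resolve(inner_text, acct_text):
    """Return (session id, outer name, inner name, status) per accounting record."""
    by_class = {r["Class"].lower(): r["User-Name"]
                for r in parse_records(inner_text) if "Class" in r and "User-Name" in r}
    out = []
    for r in parse_records(acct_text):
        outer = r.get("User-Name")
        inner = by_class.get(r.get("Class", "").lower())   # None if no Class binding
        status = "unverified" if inner is None else ("match" if inner == outer else "mismatch")
        out.append((r.get("Acct-Session-Id"), outer, inner, status))
    return out
```

A record with no known Class is reported as "unverified" rather than trusted, since its User-Name is only the value supplied outside the tunnel.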