On 02/23/2012 11:59 AM, Nuno Marques wrote:

Hello Nuno,

> While storing the accounting information of a TTLS authentication I noticed
> that the login name being stored is the outer one and the inner
> authentication (the real one) is missing in the accounting.
> Is there a way to get my accounting filled up with the inner login and not
> with the outer login?

Try adding 'AddToReply User-Name=%y' in PessoalAlunos AuthBy (the inner
AuthBy). The username should then be returned with Access-Accept to the NAS.
The NAS should then use it as User-Name for the accounting requests.

See this for more:
http://tools.ietf.org/html/rfc2865#section-5.1

Note that this exposes the real username which TTLS hides. If this is not
acceptable, see goodies/eap_anon_hook.pl for another alternative.

Heikki

> Best regards,
> Nuno Marques
>
> Here's some of the code that I'm using:
>
> <AuthBy LDAP2>
>     Identifier PessoalAlunos
>     Host ubi.pt
>     Port 3268
>     EAPType PEAP, TTLS, TLS
>     EAPTLS_CAFile /etc/radiator/certificate.pem
>     EAPTLS_CertificateFile /etc/radiator/certificate.pem
>     EAPTLS_CertificateType PEM
>     EAPTLS_PrivateKeyFile /etc/radiator/key.pem
>     EAPTLS_PrivateKeyPassword whatever
>     EAPTLS_MaxFragmentSize 1000
>     AutoMPPEKeys
>     SSLeayTrace 4
>     AuthDN cn=ldap,cn=Users,dc=ubi,dc=pt
>     AuthPassword rt78mn!"
>     BaseDN dc=ubi,dc=pt
>     Scope sub
>     UsernameAttr cn
>     ServerChecksPassword
> </AuthBy>
>
> <Handler Realm=/pessoal.ubi.pt/i, TunnelledByTTLS=1>
>     AuthByPolicy ContinueAlways
>     AuthBy SQLAccounting
>     RewriteUsername s/^([^@]+).*/$1/
>     AuthLog localusers
>     AcctLogFileName %L/%Y-%m-local-detail
>     AuthBy PessoalAlunos
> </Handler>
>
> <Handler Realm=/pessoal.ubi.pt/i>
>     AuthByPolicy ContinueAlways
>     AuthBy SQLAccounting
>     AuthLog localusers
>     AcctLogFileName %L/%Y-%m-local-detail
>     AuthBy PessoalAlunos
> </Handler>
>
> ________________________________
>
> UBI, friend of the environment: before printing this e-mail, think carefully
> about whether you really need to. Trees are an indispensable asset.
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.