[RADIATOR] Inner and outer authentication

2012-02-23 Thread Nuno Marques
Hello

While storing the accounting information of a TTLS authentication I noticed
that the login name being stored is the outer one and the inner
authentication (the real one) is missing in the accounting.
Is there a way to get my accounting filled up with the inner login and not
with the outer login?

Best regards,
Nuno Marques

Here's some of the code that I'm using:


Identifier  PessoalAlunos
Host ubi.pt
Port 3268
EAPType PEAP, TTLS, TLS
EAPTLS_CAFile /etc/radiator/certificate.pem
EAPTLS_CertificateFile /etc/radiator/certificate.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/key.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1000
AutoMPPEKeys
SSLeayTrace 4
AuthDN  cn=ldap,cn=Users,dc=ubi,dc=pt
AuthPassword rt78mn!"
BaseDN  dc=ubi,dc=pt
Scope   sub
UsernameAttr cn
ServerChecksPassword



AuthByPolicy ContinueAlways
AuthBy SQLAccounting
RewriteUsername s/^([^@]+).*/$1/
AuthLog localusers
AcctLogFileName %L/%Y-%m-local-detail
AuthBy PessoalAlunos



AuthByPolicy ContinueAlways
AuthBy SQLAccounting
AuthLog localusers
AcctLogFileName %L/%Y-%m-local-detail
AuthBy PessoalAlunos





UBI, friend of the environment: before printing this e-mail, think carefully about whether you really need to.
Trees are an indispensable resource.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] (Radiator) Filtering log Message

2012-02-23 Thread Heikki Vatiainen
Following up myself with one more option:

The patches for 4.9 now have support for defining Filename in AuthLog
FILE similarly to Filename in Log FILE. That is, the | (pipe) character can
be specified to support this:

 # Pipe to my-log-prog
 Filename |/usr/local/bin/my-log-prog

See e.g., section "5.13.1 Filename" for more about using pipes.

Heikki


On 02/23/2012 12:04 AM, Heikki Vatiainen wrote:

> On 02/22/2012 01:25 PM, G.N. wrote:
> 
>> I would like to know if it is possible to filter AuthLog entries, logging all 
>> except access from a certain username.
> 
> Unfortunately that is not possible.
> 
>> Here my AuthLog conf
>>
>> 
>> Identifier tL
>> Filename %L/Auth
>> LogSuccess 1
>> LogFailure 0
>> SuccessFormat %d-%m-%Y %H:%M:%S,%U,%{NAS-Identifier},%N
>> 
> 
> There are a couple of possibilities:
> 1. Use a script, based on grep or something similar, to filter out
> everything except the usernames you are interested in.
> 
> 2. You could experiment with a named pipe
> http://en.wikipedia.org/wiki/Named_pipe
> 
> Create a named pipe with mkfifo command and create a process that reads
> the named fifo. For example:
> 
> % while :; do cat Auth|grep -v hvn ; done
> 
> This will print out only LogSuccess lines that do not contain 'hvn'. The
> while loop is needed because radiusd closes the file after each write.
> 
> Note that possibility 1 is the best especially if you are not familiar
> with handling named pipes. For example, you should watch file
> permissions and keep the reader process running all the time or radiusd
> will block waiting for the reader.
> 
> Thanks!
> Heikki
> 
> 
>> Thanks.
>>
>> G.


-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
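An added example, not code from the thread or from Radiator, of a filter program that the pipe form of Filename could point at. It assumes the SuccessFormat quoted above (username in comma-separated field 2) and the program and log paths are placeholders; unlike `grep -v hvn`, it compares the whole username field, so users such as `hvn2` are not dropped by accident.

```shell
#!/bin/sh
# Added example; not code from the thread or from Radiator.
# Intended as the target of 'Filename |/usr/local/bin/my-log-prog' in an
# AuthLog FILE clause.  Lines arrive on stdin in the thread's SuccessFormat:
#   %d-%m-%Y %H:%M:%S,%U,%{NAS-Identifier},%N
# Field 2 (comma separated) is the username.  Lines whose username equals
# the excluded name are dropped; everything else is passed through.
# Comparing the whole field, rather than 'grep -v hvn', keeps lines for
# users such as 'hvn2' or 'johvn' that merely contain the excluded string.

# filter_authlog EXCLUDED_USER   (reads stdin, writes kept lines to stdout)
filter_authlog() {
    awk -F, -v skip="$1" '$2 != skip'
}

# Constructed sample log lines for a stand-alone run.
SAMPLE_LINES='23-02-2012 10:01:02,hvn,nas-1,10.0.0.1
23-02-2012 10:01:03,alice,nas-1,10.0.0.1
23-02-2012 10:01:04,hvn2,nas-2,10.0.0.2'

# count_kept EXCLUDED_USER -> number of sample lines that survive the filter
count_kept() {
    printf '%s\n' "$SAMPLE_LINES" | filter_authlog "$1" | wc -l | tr -d ' '
}

# usernames_kept EXCLUDED_USER -> space separated usernames that survive
usernames_kept() {
    printf '%s\n' "$SAMPLE_LINES" | filter_authlog "$1" \
        | awk -F, '{ printf "%s%s", (NR > 1 ? " " : ""), $2 }'
}

# Installed use (assumed example values): 'my-log-prog hvn /var/log/radius/Auth'
# filters the lines radiusd writes to stdin and appends the rest to the file.
if [ "$#" -eq 2 ]; then
    filter_authlog "$1" >> "$2"
fi
```

Keep the reader side simple: a pipe target that exits or blocks will stall radiusd's log writes just as an unattended named pipe does.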


Re: [RADIATOR] Inner and outer authentication

2012-02-23 Thread Heikki Vatiainen
On 02/23/2012 11:59 AM, Nuno Marques wrote:

Hello Nuno,

> While storing the accounting information of a TTLS authentication I noticed
> that the login name being stored is the outer one and the inner
> authentication (the real one) is missing in the accounting.
> Is there a way to get my accounting filled up with the inner login and not
> with the outer login?

Try adding 'AddToReply User-Name=%y' in PessoalAlunos AuthBy (the
inner AuthBy). The username should then be returned with Access-Accept
to the NAS. The NAS should then use it as User-Name for the accounting
requests. See this for more:

http://tools.ietf.org/html/rfc2865#section-5.1

Note that this exposes the real username which TTLS hides. If this is
not acceptable, see goodies/eap_anon_hook.pl for another alternative.

Heikki


-- 
Heikki Vatiainen 
