[RADIATOR] Inner and outer authentication
Hello

While storing the accounting information of a TTLS authentication I noticed that the login name being stored is the outer one and the inner authentication (the real one) is missing in the accounting.

Is there a way to get my accounting filled up with the inner login and not with the outer login?

Best regards,
Nuno Marques

Here's some of the code that I'm using:

    Identifier PessoalAlunos
    Host ubi.pt
    Port 3268
    EAPType PEAP, TTLS, TLS
    EAPTLS_CAFile /etc/radiator/certificate.pem
    EAPTLS_CertificateFile /etc/radiator/certificate.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /etc/radiator/key.pem
    EAPTLS_PrivateKeyPassword whatever
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
    SSLeayTrace 4
    AuthDN cn=ldap,cn=Users,dc=ubi,dc=pt
    AuthPassword rt78mn!"
    BaseDN dc=ubi,dc=pt
    Scope sub
    UsernameAttr cn
    ServerChecksPassword

    AuthByPolicy ContinueAlways
    AuthBy SQLAccounting
    RewriteUsername s/^([^@]+).*/$1/
    AuthLog localusers
    AcctLogFileName %L/%Y-%m-local-detail
    AuthBy PessoalAlunos

    AuthByPolicy ContinueAlways
    AuthBy SQLAccounting
    AuthLog localusers
    AcctLogFileName %L/%Y-%m-local-detail
    AuthBy PessoalAlunos

UBI, friend of the environment: before printing this e-mail, think carefully whether you really need to. Trees are an indispensable resource.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] (Radiator) Filtering log Message
Following up myself with one more option:

The patches for 4.9 now have support for defining Filename in AuthLog FILE similarly to Filename in Log FILE. That is, the | (pipe) character can be specified to support this:

    # Pipe to my-log-prog
    Filename |/usr/local/bin/my-log-prog

See e.g. section "5.13.1 Filename" for more about using pipes.

Heikki

On 02/23/2012 12:04 AM, Heikki Vatiainen wrote:
> On 02/22/2012 01:25 PM, G.N. wrote:
>
>> I would like to know if it is possible to filter AuthLog entries, logging all
>> except access from certain usernames.
>
> Unfortunately that is not possible.
>
>> Here is my AuthLog conf:
>>
>> Identifier tL
>> Filename %L/Auth
>> LogSuccess 1
>> LogFailure 0
>> SuccessFormat %d-%m-%Y %H:%M:%S,%U,%{NAS-Identifier},%N
>
> There are a couple of possibilities:
> 1. Use a script, based on grep or something similar, to filter out
> everything except the usernames you are interested in.
>
> 2. You could experiment with a named pipe
> http://en.wikipedia.org/wiki/Named_pipe
>
> Create a named pipe with the mkfifo command and create a process that reads
> the named fifo. For example:
>
> % while :; do cat Auth|grep -v hvn ; done
>
> This will print out only LogSuccess lines that do not contain 'hvn'. The
> while loop is needed because radiusd closes the file after each write.
>
> Note that possibility 1 is the best, especially if you are not familiar
> with handling named pipes. For example, you should watch file
> permissions and keep the reader process running all the time or radiusd
> will block waiting for the reader.
>
> Thanks!
> Heikki
>
>> Thanks.
>>
>> G.

--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
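As an added example (not part of the thread and not code shipped with Radiator), here is a program that could sit behind the pipe Filename Heikki describes: it reads AuthLog lines on stdin and drops the ones for excluded usernames. It assumes the SuccessFormat G.N. posted (comma-separated, username in the second field), a hypothetical exclusion list and output path, and constructed sample lines. It compares the whole username field rather than doing the substring match of "grep -v hvn", which would also drop lines for a user such as "hvnsmith" or for a NAS-Identifier that happens to contain "hvn".

```shell
#!/bin/sh
# Added example for the "Filename |/usr/local/bin/my-log-prog" option above.
# Not part of Radiator: a filter program that reads AuthLog lines on stdin
# and drops the ones for excluded usernames. It assumes the SuccessFormat
# from the thread,
#   %d-%m-%Y %H:%M:%S,%U,%{NAS-Identifier},%N
# i.e. comma-separated fields with the username (%U) in field 2.

# Usernames whose lines are dropped, space-separated (hypothetical list).
EXCLUDED_USERS='hvn monitor@ubi.pt'

# filter_authlog: stdin -> stdout. Unlike "grep -v hvn", it compares the
# whole username field, so "hvn" does not also drop user "hvnsmith" or a
# line whose NAS-Identifier contains "hvn".
filter_authlog() {
    awk -F, -v excl="$EXCLUDED_USERS" '
        BEGIN {
            n = split(excl, a, " ")
            for (i = 1; i <= n; i++) skip[a[i]] = 1
        }
        !($2 in skip)
    '
}

# Constructed sample lines in the SuccessFormat above (not real log data).
SAMPLE='23-02-2012 10:01:02,alice,ap-building-a,10.0.0.1
23-02-2012 10:01:05,hvn,ap-building-a,10.0.0.1
23-02-2012 10:01:09,hvnsmith,ap-hvn-2,10.0.0.2
23-02-2012 10:02:00,monitor@ubi.pt,ap-building-b,10.0.0.3'

# Demo run on the sample: only the alice and hvnsmith lines come out.
# As the real pipe target, replace this line with e.g.
#   filter_authlog >> /var/log/radiator/Auth
# (hypothetical path) so Radiator's output on stdin is filtered and appended.
printf '%s\n' "$SAMPLE" | filter_authlog
```

Keep the exclusion list and the output file readable only by the user radiusd runs as; the filtered file still contains the usernames and NAS identifiers of every other successful login.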
Re: [RADIATOR] Inner and outer authentication
On 02/23/2012 11:59 AM, Nuno Marques wrote:

Hello Nuno,

> While storing the accounting information of a TTLS authentication I noticed
> that the login name being stored is the outer one and the inner
> authentication (the real one) is missing in the accounting.
> Is there a way to get my accounting filled up with the inner login and not
> with the outer login?

Try adding 'AddToReply User-Name=%y' in the PessoalAlunos AuthBy (the inner AuthBy). The username should then be returned with the Access-Accept to the NAS. The NAS should then use it as User-Name for the accounting requests. See this for more:
http://tools.ietf.org/html/rfc2865#section-5.1

Note that this exposes the real username which TTLS hides. If this is not acceptable, see goodies/eap_anon_hook.pl for another alternative.

Heikki

> Best regards,
> Nuno Marques
>
> Here's some of the code that I'm using:
>
> Identifier PessoalAlunos
> Host ubi.pt
> Port 3268
> EAPType PEAP, TTLS, TLS
> EAPTLS_CAFile /etc/radiator/certificate.pem
> EAPTLS_CertificateFile /etc/radiator/certificate.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/radiator/key.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1000
> AutoMPPEKeys
> SSLeayTrace 4
> AuthDN cn=ldap,cn=Users,dc=ubi,dc=pt
> AuthPassword rt78mn!"
> BaseDN dc=ubi,dc=pt
> Scope sub
> UsernameAttr cn
> ServerChecksPassword
>
> AuthByPolicy ContinueAlways
> AuthBy SQLAccounting
> RewriteUsername s/^([^@]+).*/$1/
> AuthLog localusers
> AcctLogFileName %L/%Y-%m-local-detail
> AuthBy PessoalAlunos
>
> AuthByPolicy ContinueAlways
> AuthBy SQLAccounting
> AuthLog localusers
> AcctLogFileName %L/%Y-%m-local-detail
> AuthBy PessoalAlunos

--
Heikki Vatiainen
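As an added example (not part of Heikki's reply or of Nuno's posted config), this is how the inner AuthBy clause from the thread looks with the suggested AddToReply line in place. The enclosing AuthBy LDAP2 clause type is an assumption, since the clause tags were lost from the post; the parameter values are the ones Nuno posted, except that the LDAP bind password is replaced by a placeholder. RFC 2865 section 5.1 is what makes the trick work: a User-Name sent in the Access-Accept is the one the NAS should carry in every Accounting-Request for that session. The same attribute is sent in cleartext at the RADIUS layer (RADIUS only obfuscates User-Password), so the inner identity becomes visible on the NAS-to-server path, in the accounting records and on any proxy in between, which is the exposure Heikki warns about.

```text
# Added example: Nuno's inner AuthBy with Heikki's suggested line.
# The <AuthBy LDAP2> clause type is assumed; the bind password is a placeholder.
<AuthBy LDAP2>
    Identifier PessoalAlunos
    Host ubi.pt
    Port 3268
    EAPType PEAP, TTLS, TLS
    EAPTLS_CAFile /etc/radiator/certificate.pem
    EAPTLS_CertificateFile /etc/radiator/certificate.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /etc/radiator/key.pem
    EAPTLS_PrivateKeyPassword whatever
    EAPTLS_MaxFragmentSize 1000
    AutoMPPEKeys
    SSLeayTrace 4
    AuthDN cn=ldap,cn=Users,dc=ubi,dc=pt
    AuthPassword CHANGE-ME
    BaseDN dc=ubi,dc=pt
    Scope sub
    UsernameAttr cn
    ServerChecksPassword

    # Return the authenticated inner username in the Access-Accept so the
    # NAS uses it as User-Name in the Accounting-Requests for the session
    # (RFC 2865 section 5.1). This is the line Heikki suggests above.
    # Caveat: the inner identity then travels in cleartext RADIUS traffic
    # and lands in every accounting record and proxy on the path; leave it
    # out (see goodies/eap_anon_hook.pl) if the outer identity must stay
    # the only one visible.
    AddToReply User-Name=%y
</AuthBy>
```

The line belongs only in the AuthBy that handles the tunnelled inner request; adding it to a clause that also answers the outer TTLS request would do nothing useful there, since the outer identity is what the NAS already has.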