Discussion:
FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username
(too old to reply)
Thorsten Fritsch
2018-11-19 15:05:59 UTC
Permalink
Hi guys,

we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs
seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it
hard to identify our eduroam users (user tracking).

Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our
case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ?
We have set this setting to yes in our config:

ttls {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}

peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}

Thanks for your help.

Cheers,
Thorsten

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/us
Alex Perez-Mendez
2018-11-20 15:36:19 UTC
Permalink
Hi Thorsten,

We found a similar issues where User-Name was being duplicate, having
both, inner and outer values.
That made that some NAS were taking the outer one since it appeared first.

We pushed a fix upstream
https://github.com/FreeRADIUS/freeradius-server/pull/2297/commits/ad3791dc84200de9d2a37a9d31b87eaaca70a75e#diff-fabb0758705436cfa7405398e3f62e30

If your issue is the same, you just need to backport that change to your
"default" site and check whether it fixes it.

Best regards,
Alejandro
Post by Thorsten Fritsch
Hi guys,
we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs
seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it
hard to identify our eduroam users (user tracking).
Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our
case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ?
ttls {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
Thanks for your help.
Cheers,
Thorsten
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.

-
List info/subscribe/unsubscribe? See http://www.freeradius.or
Thorsten Fritsch
2018-11-22 15:02:38 UTC
Permalink
Hi Alejandro,

thanks very much. Unfortunately in our case only the Outer Identity is included in the Access Accept
from FR to the NAS and the NAS in turn requests accounting for the outer ID instead of the inner ID it’s supposed to:

Access Accept from FR to NAS:
(22) Tue Nov 20 16:51:07 2018: Debug: Sent Access-Accept Id 16 from 131.152.21.102:1812 to 10.33.6.2:47901 length 0
(22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Type = VLAN
(22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Medium-Type = IEEE-802
(22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Private-Group-Id = "822"
(22) Tue Nov 20 16:51:07 2018: Debug: User-Name := "***@unibas.ch<mailto:***@unibas.ch>"
(22) Tue Nov 20 16:51:07 2018: Debug: Chargeable-User-Identity := 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
(22) Tue Nov 20 16:51:07 2018: Debug: MS-MPPE-Recv-Key = 0x36785f7c835847b8f8b19bd771144a9b1484e34ad90f094484152b53ab88a5ee
(22) Tue Nov 20 16:51:07 2018: Debug: MS-MPPE-Send-Key = 0x04d8aef1be7ce80b6f7eb382d782d6227924a40379be4e9725254878108bd96d
(22) Tue Nov 20 16:51:07 2018: Debug: EAP-Message = 0x030b0004
(22) Tue Nov 20 16:51:07 2018: Debug: Message-Authenticator = 0x00000000000000000000000000

Accounting Request from NAS to FR Port 1813 (Accounting Server):
(11) Tue Nov 20 11:23:28 2018: Debug: Received Accounting-Request Id 247 from 10.33.6.2:47901 to 131.152.21.102:1813 length 551
(11) Tue Nov 20 11:23:28 2018: Debug: User-Name = "***@unibas.ch<mailto:***@unibas.ch>"
(11) Tue Nov 20 11:23:28 2018: Debug: Chargeable-User-Identity = 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
(11) Tue Nov 20 11:23:28 2018: Debug: NAS-Port = 8
(11) Tue Nov 20 11:23:28 2018: Debug: NAS-IP-Address = 10.33.6.2
(11) Tue Nov 20 11:23:28 2018: Debug: Framed-IP-Address = 10.172.40.114

It’s weird cause it used to work fine for a long time and we assume something has change in FR 3.x over 2.x regarding this behavior but don’t know for sure.

Thanks,
Thorsten


From: Alejandro Perez-Mendez [via FreeRADIUS] <ml+***@n5.nabble.com>
Sent: Tuesday, 20 November 2018 16:38
To: Thorsten Fritsch <***@unibas.ch>
Subject: Re: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username

Hi Thorsten,

We found a similar issues where User-Name was being duplicate, having
both, inner and outer values.
That made that some NAS were taking the outer one since it appeared first.

We pushed a fix upstream
https://github.com/FreeRADIUS/freeradius-server/pull/2297/commits/ad3791dc84200de9d2a37a9d31b87eaaca70a75e#diff-fabb0758705436cfa7405398e3f62e30

If your issue is the same, you just need to backport that change to your
"default" site and check whether it fixes it.

Best regards,
Alejandro
Post by Thorsten Fritsch
Hi guys,
we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs
seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it
hard to identify our eduroam users (user tracking).
Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our
case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ?
ttls {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
Thanks for your help.
Cheers,
Thorsten
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
________________________________
If you reply to this email, your message will be added to the discussion below:
http://freeradius.1045715.n5.nabble.com/FreeRadius-3-0-17-outer-tunnel-username-in-accounting-logs-instead-of-inner-tunnel-username-tp5752645p5752719.html
To unsubscribe from Users, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2740693&code=dGhvcnN0ZW4uZnJpdHNjaEB1bmliYXMuY2h8Mjc0MDY5M3w1ODEyOTcyNzM=>.
NAML<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
-
List info/subscribe/unsubscribe
Alex Perez-Mendez
2018-11-22 17:19:03 UTC
Permalink
Hi Thorsten,

I did not know you migrated from 2.x to 3.x. Sure there will plenty of
changes, not only related to these ones. In any case, have you noticed
this excerpt in the inner_tunnel file?

    #
    #  Instead of "use_tunneled_reply", change this "if (0)" to an
    #  "if (1)".
    #
    if (0) {
        #
        #  These attributes are for the inner-tunnel only,
        #  and MUST NOT be copied to the outer reply.
        #
        update reply {
            User-Name !* ANY
            Message-Authenticator !* ANY
            EAP-Message !* ANY
            Proxy-State !* ANY
            MS-MPPE-Encryption-Types !* ANY
            MS-MPPE-Encryption-Policy !* ANY
            MS-MPPE-Send-Key !* ANY
            MS-MPPE-Recv-Key !* ANY
        }

        #
        #  Copy the inner reply attributes to the outer
        #  session-state list.  The post-auth policy will take
        #  care of copying the outer session-state list to the
        #  outer reply.
        #
        update {
            &outer.session-state: += &reply:
        }
    }

Just switch that (0) to (1) and comment the line regarding User-Name.
Also, add

        update reply {
             User-Name := &request:User-Name
        }

to the beginning of the post-auth section in that file.

Regards,
Alejandro
Post by Thorsten Fritsch
Hi Alejandro,
thanks very much. Unfortunately in our case only the Outer Identity is included in the Access Accept
(22) Tue Nov 20 16:51:07 2018: Debug: Sent Access-Accept Id 16 from 131.152.21.102:1812 to 10.33.6.2:47901 length 0
(22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Type = VLAN
(22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Medium-Type = IEEE-802
(22) Tue Nov 20 16:51:07 2018: Debug: Tunnel-Private-Group-Id = "822"
(22) Tue Nov 20 16:51:07 2018: Debug: Chargeable-User-Identity := 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
(22) Tue Nov 20 16:51:07 2018: Debug: MS-MPPE-Recv-Key = 0x36785f7c835847b8f8b19bd771144a9b1484e34ad90f094484152b53ab88a5ee
(22) Tue Nov 20 16:51:07 2018: Debug: MS-MPPE-Send-Key = 0x04d8aef1be7ce80b6f7eb382d782d6227924a40379be4e9725254878108bd96d
(22) Tue Nov 20 16:51:07 2018: Debug: EAP-Message = 0x030b0004
(22) Tue Nov 20 16:51:07 2018: Debug: Message-Authenticator = 0x00000000000000000000000000
(11) Tue Nov 20 11:23:28 2018: Debug: Received Accounting-Request Id 247 from 10.33.6.2:47901 to 131.152.21.102:1813 length 551
(11) Tue Nov 20 11:23:28 2018: Debug: Chargeable-User-Identity = 0x64323132363438353066316665356233653031353835333765373737343136613730366530343436
(11) Tue Nov 20 11:23:28 2018: Debug: NAS-Port = 8
(11) Tue Nov 20 11:23:28 2018: Debug: NAS-IP-Address = 10.33.6.2
(11) Tue Nov 20 11:23:28 2018: Debug: Framed-IP-Address = 10.172.40.114
It’s weird cause it used to work fine for a long time and we assume something has change in FR 3.x over 2.x regarding this behavior but don’t know for sure.
Thanks,
Thorsten
Sent: Tuesday, 20 November 2018 16:38
Subject: Re: FreeRadius 3.0.17 - outer tunnel username in accounting logs instead of inner tunnel username
Hi Thorsten,
We found a similar issues where User-Name was being duplicate, having
both, inner and outer values.
That made that some NAS were taking the outer one since it appeared first.
We pushed a fix upstream
https://github.com/FreeRADIUS/freeradius-server/pull/2297/commits/ad3791dc84200de9d2a37a9d31b87eaaca70a75e#diff-fabb0758705436cfa7405398e3f62e30
If your issue is the same, you just need to backport that change to your
"default" site and check whether it fixes it.
Best regards,
Alejandro
Post by Thorsten Fritsch
Hi guys,
we have recently upgraded our FreeRadius to release 3.0.17 and are now facing the issue that the accounting logs
seem to contain the username provided in the anonymous (outer) identity field instead of the username used for the inner tunnel. This makes it
hard to identify our eduroam users (user tracking).
Has something changed in FreeRadius 3.x regarding thise behavior ? In my understanding the Radius server should provide the inner tunnel username to the NAS (in our
case Cisco WLAN Controller) by parameter use_tunneled_reply = yes in the eap file under /mods-enabled which the NAS can then in turn provide to the Accounting server is that correct ?
ttls {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
peap {
tls = tls-common
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
Thanks for your help.
Cheers,
Thorsten
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
________________________________
http://freeradius.1045715.n5.nabble.com/FreeRadius-3-0-17-outer-tunnel-username-in-accounting-logs-instead-of-inner-tunnel-username-tp5752645p5752719.html
To unsubscribe from Users, click here<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=2740693&code=dGhvcnN0ZW4uZnJpdHNjaEB1bmliYXMuY2h8Mjc0MDY5M3w1ODEyOTcyNzM=>.
NAML<http://freeradius.1045715.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Alejandro Perez-Mendez
Technical Specialist (AAA), Trust & Identity
M (+34) 619 333 219
Skype alejandro_perez_mendez
jisc.ac.uk


-
List info/subscribe/unsubscribe? See htt
Martin Pauly
2018-11-23 12:19:32 UTC
Permalink
Hi Thorsten,
Post by Alex Perez-Mendez
update {
update reply {
User-Name := &request:User-Name
we've had these settings since we started FR 3.0, but the problem persisted nevertheless
(not all records were affected, though).

A software upgrade on the Cisco Wireless controllers (e.g AIR-CT5520-K9)
to Version 8.3.143.0 finally did the trick. The NAS has to comply, too, of course.
But I suppose in your case it was OK before the RADIUS switch,
so the Wireless controller is not the first component to look at.

Cheers, Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: ***@HRZ.Uni-Marburg.DE
D-35032 Marburg
Loading...