Inner-tunnel user name in interim-update

Jouni Malinen j at w1.fi
Mon Feb 21 10:50:09 EST 2011


On Sat, Feb 19, 2011 at 01:16:42PM +0100, 1839 at uniurb.it wrote:
> I asked about the below on Freeradius list. Looks like it's a NAS problem.

Well, depends on who you ask... ;-)  If you ask people working with the
RADIUS server, they will likely point at the NAS and if you ask people
who work with the NAS, they will likely point at the RADIUS server..

RFC 2865 does not require RADIUS client to copy the User-Name from
Access-Accept to accounting messages (it is only a SHOULD, not MUST). As
such, it may be safer to implement this type of accounting using other
options available to the RADIUS server.

I would recommend using Class attribute (it is not really required to be
included in accounting messages either, but it may be more likely to get
there). One benefit of this attribute is in possibility to provide
better privacy protection since the used value can be used as a
temporary identifier for the real user identity without exposing it to
the NAS (or in a plaintext IP packet going through the network for that
matter).

> Would I have better luck with hostap ?

Yes, hostapd will update the User-Name based on Access-Accept message
and then use the new value for accounting messages. Similarly, Class
attribute(s) are copied to accounting messages.

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list