Page tree
Skip to end of metadata
Go to start of metadata

1. FreeRADIUS CUI

To use the Chargeable-User-Identity (CUI) you must already use the Operator-Name attribute.

This documentation is only for FreeRADIUS 3.0.X release.

1.1. Freeradius CUI for eduroam SP

1.1.1. Create a log module

By default the CUI is not logged, you have to use the FreeRADIUS linelog module to get a log. In the mods-available/ subdirectory, create a new file "eduroam_cui_log" :

linelog cui_log {
#    filename = syslog
    filename = ${logdir}/radius.log
    format = ""
    reference = "auth_log.%{%{reply:Packet-Type}:-format}"
    auth_log {
        Access-Accept = "%t : eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{EAP-Message}:-No EAP Message}#RESULT=OK#"
        Access-Reject = "%t : eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{reply:Reply-Message}:-No Failure Reason}#RESULT=FAIL#"
    }
}

1.1.2. Enable modules

cd mods-enabled; ln -s ../mods-available/eduroam_cui_log; ln -s ../mods-available/cui

1.1.3. Client definition

Force parameter 'add_cui' to 'yes' to all your connected clients :

client antarctica-access-point-1 {
...
    add_cui = yes
 }

1.1.4. Policy

Edit the default policy.d/cui file :

...
cui_hash_key = "changeme" 	# --> replace with a random string
							# if you use a secondary or backup FreeRADIUS server, use the same cui_hash_key
							# this allows you to keep the same CUI log even if the FreeRADIUS server change
cui_require_operator_name = "yes"
...

Others values doesn't need to be changed

1.1.5. Attributes

Edit mods-config/attr_filter/pre-proxy file, check that attributes Calling-Station-Id, Operator-Name and Chargeable-User-Identity are defined :

DEFAULT
...
        Calling-Station-Id =* ANY,
        Operator-Name =* ANY,
        Chargeable-User-Identity =* ANY,
...

Edit mods-config/attr_filter/post-proxy file, check that attributes User-Name and Chargeable-User-Identity are defined :

DEFAULT
...
        User-Name =* ANY,
        Chargeable-User-Identity =* ANY,
...

1.1.6. CUI filtering

Edit policy.d/filter, add a filter function 'cui_filter'. Simple example :

# Filter the Chargeable-User-Identity attribute
cui_filter {
  if (&reply:Chargeable-User-Identity =~ /REPLACE-WITH-CUI-TO-MATCH/) {
                        update request {
                                &Module-Failure-Message += "Rejected: CUI matching '%{reply:Chargeable-User-Identity}'"
                        }
                        reject
       }
}


1.1.7. Using policies and modules in your eduroam virtual server

Add 'cui' in authorize, post-auth and pre-proxy sections. Add 'cui_log' and 'cui_filter' in post-auth section :

server eduroam {
...
        authorize {
                # only use filter_username from version > 3.0.7 on
                filter_username
                update request {
                        Operator-Name := "1yourdomain.tld"
                        # the literal number "1" above is an important prefix! Do not change it!
                }
                cui
				# if you want detailed logging
                auth_log
                suffix
        }
...
        post-auth {
                # if you want detailed logging
                reply_log
				cui
				cui_filter
				cui_log
                Post-Auth-Type REJECT {
                        reply_log
						eduroam_log
                }
        }
...
        pre-proxy {
                pre_proxy_log
                cui
                if("%{Packet-Type}" != "Accounting-Request") {
                        attr_filter.pre-proxy
                }
        }
...
}




1.2. FreeRADIUS CUI for eduroam IdP


1.2.1. Modify the log module

Edit "eduroam_cui_log" file in the mods-available/ subdirectory and add those lines for your inner virtual server :

...
linelog cui_inner_log {
#    filename = syslog
    filename = ${logdir}/radius.log
    format = ""
    reference = "inner_auth_log.%{%{reply:Packet-Type}:-format}"
    inner_auth_log {
        Access-Accept = "%t : eduroam-inner-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=OK#"
        Access-Reject = "%t : eduroam-inner-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=FAIL#"
    }
}


1.2.2. Using policy and module in your eduroam-inner-tunnel virtual server

Add 'cui-inner' (policy already defined, you don't have to change it) and 'cui_inner_log' in post-auth section :

server eduroam-inner-tunnel {
...
		post-auth {
				reply_log
				cui_inner_log
				cui-inner
				Post-Auth-Type REJECT {
					reply_log
					cui_inner_log
				}
		}
...
}



  • No labels