Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

FreeRADIUS CUI

To use the Chargeable-User-Identity (CUI) you must already use the Operator-Name attribute.

This documentation is only for FreeRADIUS 3.0.X release.

Freeradius CUI for eduroam SP

Create a log module

By default the CUI is not logged, you have to use the FreeRADIUS linelog module to get a log. In the mods-available/ subdirectory, create a new file "eduroam_cui_log" :

Code Block
linelog cui_log {
#    filename = syslog
    filename = ${logdir}/radius.log
    format = ""
    reference = "auth_log.%{%{reply:Packet-Type}:-format}"
    auth_log {
        Access-Accept = "%t : eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{EAP-Message}:-No EAP Message}#RESULT=OK#"
        Access-Reject = "%t : eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{reply:Reply-Message}:-No Failure Reason}#RESULT=FAIL#"
    }
}


Enable modules

Code Block
cd mods-enabled; ln -s ../mods-available/eduroam_cui_log; ln -s ../mods-available/cui

Client definition

Force parameter 'add_cui' to 'yes' to all your connected clients :

Code Block
client antarctica-access-point-1 {
...
    add_cui = yes
 }


Policy

Edit the default policy.d/cui file :

Code Block
...
cui_hash_key = "changeme" 	# --> replace with a random string
							# if you use a secondary or backup FreeRADIUS server, use the same cui_hash_key
							# this allows you to keep the same CUI log even if the FreeRADIUS server change
cui_require_operator_name = "yes"
...

Others values doesn't need to be changed


Attributes

Edit mods-config/attr_filter/pre-proxy file, check that attributes Calling-Station-Id, Operator-Name and Chargeable-User-Identity are defined :

Code Block
DEFAULT
...
        Calling-Station-Id =* ANY,
        Operator-Name =* ANY,
        Chargeable-User-Identity =* ANY,
...


Edit mods-config/attr_filter/post-proxy file, check that attributes User-Name and Chargeable-User-Identity are defined :

Code Block
DEFAULT
...
        User-Name =* ANY,
        Chargeable-User-Identity =* ANY,
...


CUI filtering

Edit policy.d/filter, add a filter function 'cui_filter'. Simple example :

Code Block
# Filter the Chargeable-User-Identity attribute
cui_filter {
  if (&reply:Chargeable-User-Identity =~ /REPLACE-WITH-CUI-TO-MATCH/) {
                        update request {
                                &Module-Failure-Message += "Rejected: CUI matching '%{reply:Chargeable-User-Identity}'"
                        }
                        reject
       }
}


Using policies and modules in your eduroam virtual server

Add 'cui' in authorize, post-auth and pre-proxy sections. Add 'cui_log' and 'cui_filter' in post-auth section :

Code Block
server eduroam {
...
        authorize {
                # only use filter_username from version > 3.0.7 on
                filter_username
                update request {
                        Operator-Name := "1yourdomain.tld"
                        # the literal number "1" above is an important prefix! Do not change it!
                }
                cui
				# if you want detailed logging
                auth_log
                suffix
        }
...
        post-auth {
                # if you want detailed logging
                reply_log
				cui
				cui_filter
				cui_log
                Post-Auth-Type REJECT {
                        reply_log
						eduroam_log
                }
        }
...
        pre-proxy {
                pre_proxy_log
                cui
                if("%{Packet-Type}" != "Accounting-Request") {
                        attr_filter.pre-proxy
                }
        }
...
}




FreeRADIUS CUI for eduroam IdP


Modify the log module

Edit "eduroam_cui_log" file in the mods-available/ subdirectory and add those lines for your inner virtual server :

Code Block
...
linelog cui_inner_log {
#    filename = syslog
    filename = ${logdir}/radius.log
    format = ""
    reference = "inner_auth_log.%{%{reply:Packet-Type}:-format}"
    inner_auth_log {
        Access-Accept = "%t : eduroam-inner-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=OK#"
        Access-Reject = "%t : eduroam-inner-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=FAIL#"
    }
}


Using policy and module in your eduroam-inner-tunnel virtual server

Add 'cui-inner' (policy already defined, you don't have to change it) and 'cui_inner_log' in post-auth section :

Code Block
server eduroam-inner-tunnel {
...
		post-auth {
				reply_log
				cui_inner_log
				cui-inner
				Post-Auth-Type REJECT {
					reply_log
					cui_inner_log
				}
		}
...
}