To use the Chargeable-User-Identity (CUI) you must already send the Operator-Name attribute: the CUI policy is configured below (cui_require_operator_name) to refuse to generate a CUI without it.
This documentation applies only to the FreeRADIUS 3.0.x release.
By default the CUI is not logged; you have to use the FreeRADIUS linelog module to get a log. In the mods-available/ subdirectory, create a new file "eduroam_cui_log":

    linelog cui_log {
        # filename = syslog
        filename = ${logdir}/radius.log
        format = ""
        reference = "auth_log.%{%{reply:Packet-Type}:-format}"

        auth_log {
            Access-Accept = "%t : eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{EAP-Message}:-No EAP Message}#RESULT=OK#"
            Access-Reject = "%t : eduroam-auth#ORG=%{request:Realm}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{reply:Chargeable-User-Identity}:-Unknown}#MSG=%{%{reply:Reply-Message}:-No Failure Reason}#RESULT=FAIL#"
        }
    }
From the FreeRADIUS configuration directory (raddb), enable the new module and the cui module:

    cd mods-enabled
    ln -s ../mods-available/eduroam_cui_log
    ln -s ../mods-available/cui
Set the parameter add_cui to yes in the definition of every client (NAS) that should receive a CUI; the cui policy only adds the attribute for clients that carry it:

    client antarctica-access-point-1 {
        ...
        add_cui = yes
    }
Edit the default policy.d/cui file:

    ...
    cui_hash_key = "changeme"   # --> replace with a long random string and keep it secret:
                                # it is the key of the hash that turns the user name into the CUI
    # if you use a secondary or backup FreeRADIUS server, use the same cui_hash_key on it:
    # this keeps the CUI of a given user identical even when the FreeRADIUS server changes
    cui_require_operator_name = "yes"
    ...

The other values in this file do not need to be changed.
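Why cui_hash_key must be secret, long and identical on every server is easier to see in code. The following Python is an added example, not part of this page or of FreeRADIUS; it assumes that the stock 3.0 policy.d/cui derives the CUI as lower-case hex of SHA-1(cui_hash_key || tolower(User-Name || Operator-Name)), which is this editor's reading of that policy file and should be checked against the copy installed on your server. The user names, operator names and keys below are made up.

```python
import hashlib
import secrets

# Added example, not part of this page or of FreeRADIUS.  It assumes the stock
# FreeRADIUS 3.0 policy.d/cui builds the CUI as
#     %{sha1:%{config:cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}
# i.e. lower-case hex of SHA-1(cui_hash_key || tolower(User-Name || Operator-Name)).
# Check that against the policy.d/cui shipped with your own server.


def compute_cui(cui_hash_key, user_name, operator_name=""):
    """Reproduce the value the policy puts in reply:Chargeable-User-Identity."""
    material = cui_hash_key + (user_name + operator_name).lower()
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def guess_user_behind_cui(cui, cui_hash_key, candidate_users, operator_name):
    """Offline guessing attack: try each candidate user name and return the one
    whose CUI matches, or None.  It only works for someone who knows
    cui_hash_key, which is why the default "changeme" must not reach production."""
    for user in candidate_users:
        if compute_cui(cui_hash_key, user, operator_name) == cui:
            return user
    return None


def new_cui_hash_key(nbytes=32):
    """A fresh random key; install the same value on every server of the site."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    user, visited = "alice@home.example", "1visited.example"   # made-up identity and operator
    weak, strong = "changeme", new_cui_hash_key()

    # A backup server with a different key yields a different CUI, so the logs of
    # the two servers can no longer be correlated (the reason for sharing the key).
    print("backup with other key matches:",
          compute_cui(strong, user, visited) == compute_cui(new_cui_hash_key(), user, visited))
    # A different Operator-Name yields a different CUI, so two visited institutions
    # cannot pool their logs to track one user.
    print("same user at two operators matches:",
          compute_cui(strong, user, visited) == compute_cui(strong, user, "1other.example"))

    directory = ["bob@home.example", "carol@home.example", "alice@home.example"]
    print("weak key, user recovered :",
          guess_user_behind_cui(compute_cui(weak, user, visited), weak, directory, visited))
    print("strong key, user recovered:",
          guess_user_behind_cui(compute_cui(strong, user, visited), weak, directory, visited))
```

With the default key, anyone holding a CUI log and a list of plausible user names (a phone directory is enough) recovers the identities the CUI was meant to hide; with a random key that only the site's servers know, the CUI is opaque to everyone else while still being stable across those servers.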
Edit the mods-config/attr_filter/pre-proxy file and check that the attributes Calling-Station-Id, Operator-Name and Chargeable-User-Identity are listed, so they are passed on to the proxied request:

    DEFAULT
        ...
        Calling-Station-Id =* ANY,
        Operator-Name =* ANY,
        Chargeable-User-Identity =* ANY,
        ...
Edit the mods-config/attr_filter/post-proxy file and check that the attributes User-Name and Chargeable-User-Identity are listed, so the CUI returned by the home server survives the reply filter:

    DEFAULT
        ...
        User-Name =* ANY,
        Chargeable-User-Identity =* ANY,
        ...
Edit policy.d/filter and add a filter policy named cui_filter. A simple example, which rejects one known CUI (for instance one reported to you for abuse); replace the placeholder with the value to block:

    # Filter the Chargeable-User-Identity attribute
    cui_filter {
        # anchor the expression so it matches the whole CUI, not a substring of another one
        if (&reply:Chargeable-User-Identity =~ /^REPLACE-WITH-CUI-TO-MATCH$/) {
            update request {
                &Module-Failure-Message += "Rejected: CUI matching '%{reply:Chargeable-User-Identity}'"
            }
            reject
        }
    }
In the eduroam virtual server, call cui in the authorize, post-auth and pre-proxy sections. In post-auth, call cui_filter and cui_log after cui, because cui.post-auth is what adds the Chargeable-User-Identity to the reply that both of them read. If you also want the Access-Reject line of cui_log to be written, call cui_log in the Post-Auth-Type REJECT sub-section as well (eduroam_log is not defined on this page):

    server eduroam {
        ...
        authorize {
            # only use filter_username from version > 3.0.7 on
            filter_username
            update request {
                Operator-Name := "1yourdomain.tld"
                # the literal number "1" above is an important prefix (the RFC 5580
                # namespace identifier for a realm-based operator name)! Do not change it!
            }
            cui
            # if you want detailed logging
            auth_log
            suffix
        }
        ...
        post-auth {
            # if you want detailed logging
            reply_log
            cui
            cui_filter
            cui_log
            Post-Auth-Type REJECT {
                reply_log
                cui_log
                eduroam_log
            }
        }
        ...
        pre-proxy {
            pre_proxy_log
            cui
            if ("%{Packet-Type}" != "Accounting-Request") {
                attr_filter.pre-proxy
            }
        }
        ...
    }
Edit the "eduroam_cui_log" file in the mods-available/ subdirectory and add these lines for your inner virtual server. The CUI field is taken from the inner reply, then from the outer reply, and falls back to "Local User" when neither carries one:

    ...
    linelog cui_inner_log {
        # filename = syslog
        filename = ${logdir}/radius.log
        format = ""
        reference = "inner_auth_log.%{%{reply:Packet-Type}:-format}"

        inner_auth_log {
            Access-Accept = "%t : eduroam-inner-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=OK#"
            Access-Reject = "%t : eduroam-inner-auth#VISINST=%{request:Operator-Name}#USER=%{User-Name}#CSI=%{%{Calling-Station-Id}:-Unknown Caller Id}#NAS=%{%{Called-Station-Id}:-Unknown Access Point}#CUI=%{%{%{reply:Chargeable-User-Identity}:-%{outer.reply:Chargeable-User-Identity}}:-Local User}#RESULT=FAIL#"
        }
    }
In the inner virtual server, add cui-inner (a policy that is already defined in policy.d/cui; you do not have to change it) and cui_inner_log to the post-auth section. Call cui-inner before cui_inner_log: cui-inner is what adds the Chargeable-User-Identity to the inner reply, and the log line reads it from there:

    server eduroam-inner-tunnel {
        ...
        post-auth {
            reply_log
            cui-inner
            cui_inner_log
            Post-Auth-Type REJECT {
                reply_log
                cui_inner_log
            }
        }
        ...
    }
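As an added example (not from this page or from FreeRADIUS), the following Python reads lines in the two formats configured above, cui_log ("eduroam-auth") and cui_inner_log ("eduroam-inner-auth"), and performs the two lookups the CUI exists for: on the home server, mapping a CUI quoted in a visited institution's report back to the inner User-Name; on the visited server, listing CUIs that were accepted from several different Calling-Station-Ids. All sample log lines, realms, MAC addresses and CUI values are constructed for the example.

```python
from collections import defaultdict

# Constructed sample lines in the cui_log (outer, "eduroam-auth") and cui_inner_log
# (inner, "eduroam-inner-auth") formats configured above.  Timestamps, realms, MAC
# addresses and CUI values are made up for this example.
SAMPLE_LOG = """\
Tue Mar  5 09:12:01 2019 : eduroam-auth#ORG=home.example#USER=anonymous@home.example#CSI=02-00-5E-10-00-01#NAS=02-00-5E-00-00-AA:eduroam#CUI=6d0c3ac1ef93bb64b27a8b7a2d7b3f0f1c8e4a90#MSG=No EAP Message#RESULT=OK#
Tue Mar  5 09:15:44 2019 : eduroam-auth#ORG=home.example#USER=anonymous@home.example#CSI=02-00-5E-10-00-02#NAS=02-00-5E-00-00-AA:eduroam#CUI=6d0c3ac1ef93bb64b27a8b7a2d7b3f0f1c8e4a90#MSG=No EAP Message#RESULT=OK#
Tue Mar  5 09:20:13 2019 : eduroam-auth#ORG=home.example#USER=anonymous@home.example#CSI=02-00-5E-10-00-03#NAS=02-00-5E-00-00-AB:eduroam#CUI=6d0c3ac1ef93bb64b27a8b7a2d7b3f0f1c8e4a90#MSG=No EAP Message#RESULT=OK#
Tue Mar  5 09:21:30 2019 : eduroam-auth#ORG=other.example#USER=anonymous@other.example#CSI=02-00-5E-10-00-09#NAS=02-00-5E-00-00-AB:eduroam#CUI=Unknown#MSG=No Failure Reason#RESULT=FAIL#
Tue Mar  5 09:12:01 2019 : eduroam-inner-auth#VISINST=1visited.example#USER=alice@home.example#CSI=02-00-5E-10-00-01#NAS=02-00-5E-00-00-AA:eduroam#CUI=6d0c3ac1ef93bb64b27a8b7a2d7b3f0f1c8e4a90#RESULT=OK#
Tue Mar  5 10:02:55 2019 : eduroam-inner-auth#VISINST=1other.example#USER=bob@home.example#CSI=02-00-5E-10-00-77#NAS=02-00-5E-00-00-CC:eduroam#CUI=0b7e2d6f1a934c58e0d2f6a1b3c4d5e6f7a8b9c0#RESULT=OK#
"""

RECORD_TYPES = ("eduroam-auth", "eduroam-inner-auth")


def parse_line(line):
    """Parse one linelog line into a dict, or return None if it is not a CUI log line."""
    timestamp, sep, rest = line.rstrip("\n").partition(" : ")   # "%t : eduroam-auth#..."
    if not sep:
        return None
    tokens = rest.split("#")
    if tokens[0] not in RECORD_TYPES:
        return None
    record = {"time": timestamp, "type": tokens[0]}
    last_key = None
    for tok in tokens[1:]:
        if not tok:                      # the trailing '#' leaves an empty token
            continue
        key, eq, value = tok.partition("=")
        if eq and key.isupper():         # field names in the format are all upper case
            record[key] = value
            last_key = key
        elif last_key is not None:       # a '#' inside a value (e.g. a Reply-Message): glue it back
            record[last_key] += "#" + tok
    return record


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def home_users_for_cui(records, cui):
    """Home institution side: which inner identities were issued this CUI?"""
    return sorted({r["USER"] for r in records
                   if r["type"] == "eduroam-inner-auth" and r.get("CUI") == cui})


def cuis_with_many_devices(records, threshold=3):
    """Visited side: CUIs accepted from at least `threshold` distinct Calling-Station-Ids."""
    devices = defaultdict(set)
    for r in records:
        if (r["type"] == "eduroam-auth" and r.get("RESULT") == "OK"
                and r.get("CUI") not in (None, "Unknown")):
            devices[r["CUI"]].add(r.get("CSI", "?"))
    return {cui: sorted(csis) for cui, csis in devices.items() if len(csis) >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    reported = "6d0c3ac1ef93bb64b27a8b7a2d7b3f0f1c8e4a90"   # CUI quoted in a (made-up) abuse report
    print("home identity behind the reported CUI:", home_users_for_cui(recs, reported))
    print("CUIs seen from 3 or more devices:", cuis_with_many_devices(recs))
```

The visited institution only ever sees the outer identity and the CUI; the mapping to a real user exists solely in the home institution's inner log, which is why the inner line carries USER while the outer line carries the anonymous identity. Values of a field can themselves contain '#' (a Reply-Message, for instance), so the parser glues tokens that do not start with an upper-case KEY= back onto the previous field instead of splitting blindly.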