1 diff -Naur freeradius-server-2.2.0-orig/doc/cui_howto.txt freeradius-server-2.2.0/doc/cui_howto.txt
2 --- freeradius-server-2.2.0-orig/doc/cui_howto.txt 1970-01-01 01:00:00.000000000 +0100
3 +++ freeradius-server-2.2.0/doc/cui_howto.txt 2012-09-13 10:57:56.645722777 +0200
5 +Chargeable-User-Identity (CUI) support.
9 +This extension introduces support for Chargeable-User-Identity (CUI) attribute
10 +as defined in RFC 4372.
12 +The CUI attribute is meant to support roaming scenarios where
13 +the user is accessing the network at one location (Service Provider - SP)
14 +while authenticated by a RADIUS server at another institution (Identity
15 +Provider - IdP). CUI provides means for the SP to request the IdP
16 +to return a unique, persistent, opaque user identifier.
18 +As defined in RFC 4372, CUI request is sent as a NULL value (single
19 +zero byte) of CUI attribute inside the Access-Request packet.
20 +CUI response should be sent as the CUI value inside the Access-Accept.
22 +This extension has the following functionality:
24 +The SP side (*requesting* CUI):
25 + - add the CUI NULL attribute to Access-Request proxied from
26 + the local NAS to the IdP
27 + - receive the CUI value from the IdP and store it in the local
29 + - update Accounting-Request packets sent by NAS by adding
30 + the appropriate CUI attribute (unless the attibute is
33 +The IdP side (*returning* CUI):
34 + - respond to the CUI request by generating the CUI value.
35 + The value is created as the md5 hash if a configurable local
36 + salt and the User-Name attribute value.
38 +While CUI support has been added for roaming it is also useful for local
43 +The CUI *requesting* and CUI *returning* sides are implemented and
44 +described separately. Most likely you want to run both, so just follow
45 +the instructions of both sections.
49 + - Setup a MySQL database by creating (or using) a database of your
50 + choice and create an additional table cui. The schema is located
51 + in ${raddbdir}/sql/mysql/cui.sql.
53 + - Enter the necessary details into ${raddbdir}/modules/cui.
54 + Things you need to modify are:
55 + server - typically this will be localhost;
56 + login - mysql user allowed to modify the tables
57 + password - password for this user
58 + radius_db - database name you wish to use
60 + - Modify the the main configuration file
61 + "${raddbdir}/sites-availabe/default".
62 + Search for CUI. There are four sections where CUI is mentioned.
63 + Follow the instructions for *requesting* the CUI.
67 + - Modify the the main configuration file
68 + "${raddbdir}/sites-available/default".
69 + Search for CUI. There are four sections where CUI is mentioned.
70 + Follow the instructions for *returning* the CUI.
71 + The cui_hash_key is used to safeguard the CUI from dictionary
72 + attacks and should be set to some "random" string.
74 + - Modify "${raddbdir}/sites-availabe/inner-tunnel"
75 + Search for CUI. There is one section where CUI is mentioned.
76 + Follow the instructions for *returning* the CUI.
80 +Authors: Maja Gorecka-Wolniewicz <mgw@umk.pl>, Alan DeKok
82 +Contributors: Stefan Winter, Tomasz Wolniewicz
83 diff -Naur freeradius-server-2.2.0-orig/raddb/modules/cui freeradius-server-2.2.0/raddb/modules/cui
84 --- freeradius-server-2.2.0-orig/raddb/modules/cui 2012-09-10 13:51:34.000000000 +0200
85 +++ freeradius-server-2.2.0/raddb/modules/cui 2012-09-13 10:58:19.975050772 +0200
87 connect_failure_retry_delay = 60
89 sql_user_name = "%{User-Name}"
90 -#$INCLUDE sql/${database}/cui.conf
91 + $INCLUDE sql/${database}/cui.conf
93 diff -Naur freeradius-server-2.2.0-orig/raddb/policy.conf freeradius-server-2.2.0/raddb/policy.conf
94 --- freeradius-server-2.2.0-orig/raddb/policy.conf 2012-09-10 13:51:34.000000000 +0200
95 +++ freeradius-server-2.2.0/raddb/policy.conf 2012-09-13 11:00:40.929563217 +0200
101 - # The following policies are for the Chargeable-User-Identity
102 - # (CUI) configuration.
104 + # The following policies are for the Operator-Name handling
108 + if (Packet-Type == Access-Request) {
110 + Operator-Name := "%{config:sp_operator_name}"
111 + Chargeable-User-Identity = '\\000'
117 + # The following policies are for the Chargeable-User-Identity
118 + # (CUI) configuration. See doc/cui_howto.txt for more information.
122 - # The client indicates it can do CUI by sending a CUI attribute
123 - # containing one zero byte
124 + # The client requests the CUI by sending a CUI attribute
125 + # containing one zero byte.
129 - Chargeable-User-Identity:='\\000'
131 + if (Packet-Type == Access-Request) {
132 + update proxy-request {
133 + Chargeable-User-Identity = '\\000'
139 - # Add a CUI attribute based on the User-Name, and a secret key
140 - # known only to this server.
141 + # Add a CUI attribute based on the User-Name, and a secret key
142 + # known only to this server.
145 - if (FreeRadius-Proxied-To == 127.0.0.1) {
146 - if (outer.request:Chargeable-User-Identity) {
147 - update outer.reply {
148 - Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
149 + if (FreeRadius-Proxied-To == "127.0.0.1") {
151 + # Add the CUI to Access-Accept, but only if the CUI
152 + # was set in the request.
154 + if (outer.request:Chargeable-User-Identity && (outer.request:Operator-Name) || !("%{config:cui_require_operator_name}") ) {
156 + Chargeable-User-Identity := "%{md5:%{config:cui_hash_key}%{request:User-Name}%{%{outer.request:Operator-Name}:-}}"
161 - if (Chargeable-User-Identity) {
163 + # If the CUI was set in the request and the CUI reply
164 + # is not already set by inner auth, add it to
167 + if (!("%{control:Proxy-To-Realm}") && \
168 + (Chargeable-User-Identity) && \
169 + !(reply:Chargeable-User-Identity) && \
170 + ( (Operator-Name) || ! ("%{config:cui_require_operator_name}") ) ) {
172 - Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
173 + Chargeable-User-Identity = "%{md5:%{config:cui_hash_key}%{request:User-Name}%{%{Operator-Name}:-}}"
180 - # If there is a CUI attribute in the reply, add it to the DB.
181 + # If there is a CUI attribute in the reply, add it to the DB.
184 - if (reply:Chargeable-User-Identity) {
185 + if ("%{reply:Chargeable-User-Identity}") {
191 - # If we had stored a CUI for the User, add it to the request.
192 + # If we had stored a CUI for the User, add it to the request.
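Review bot: The proxied-inner condition `if (outer.request:Chargeable-User-Identity && (outer.request:Operator-Name) || !("%{config:cui_require_operator_name}") )` is missing the grouping that the non-proxied branch further down spells out as `( (Operator-Name) || ! ("%{config:cui_require_operator_name}") )`. Whether unlang applies C-like `&&`-over-`||` precedence or evaluates strictly left to right, the line as written reads as `(CUI-requested && Operator-Name) || !require`, so whenever cui_require_operator_name is left unset a CUI is returned even when the outer request never asked for one, contradicting the comment directly above it ("but only if the CUI was set in the request"). Rewriting it as `if (outer.request:Chargeable-User-Identity && ((outer.request:Operator-Name) || !("%{config:cui_require_operator_name}"))) {` restores the intended semantics and makes both branches agree. The enclosing policy block starts and ends outside the visible hunk lines.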
196 @@ -199,20 +226,22 @@
199 if (!Chargeable-User-Identity) {
201 - Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
203 + Chargeable-User-Identity = "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
208 - # If it exists now, then write out when we last saw
210 + # If it exists now, then update request and write out
211 + # when we last saw this CUI.
213 - if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
214 + if (control:Chargeable-User-Identity && \
215 + (control:Chargeable-User-Identity != "")) {
217 + Chargeable-User-Identity := "%{control:Chargeable-User-Identity}"
224 # Normalize the MAC Addresses in the Calling/Called-Station-Id
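Review bot: The `%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}` expansion splices NAS- and supplicant-supplied attribute values straight into SQL text, and every query in raddb/sql/mysql/cui.conf in this patch follows the same pattern. That is only sound because rlm_sql runs the expanded values through its escape function (driven by the module's `safe-characters` setting), and nothing in the policy or the query file says so. A one-line comment above the lookup, `# Attribute values are expanded into SQL here; rlm_sql escapes them via safe-characters, so do not widen that list.`, would record the assumption where the next maintainer will see it. The `update` block that receives the `Chargeable-User-Identity = ...` assignment starts outside the hunk, so the relationship to the `control:Chargeable-User-Identity` test that follows cannot be confirmed from the visible lines.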
226 diff -Naur freeradius-server-2.2.0-orig/raddb/sites-available/default freeradius-server-2.2.0/raddb/sites-available/default
227 --- freeradius-server-2.2.0-orig/raddb/sites-available/default 2012-09-10 13:51:34.000000000 +0200
228 +++ freeradius-server-2.2.0/raddb/sites-available/default 2012-09-13 11:04:54.939298452 +0200
230 +# If *returning* the CUI, set cui_hash_key to some random string
231 +# and uncomment the line below
232 +# cui_hash_key = "some secret value"
233 +# If *returning* the CUI and the Operator-Name attribute in request is
234 +# required, uncomment the line below
235 +# cui_require_operator_name = yes
236 +# If Operator-Name attribute is used, uncomment the line below and
237 +# fill out with one of your registered DNS domain names, which
238 +# will be used as the Operator-Name attribute value
239 +# sp_operator_name = "1your.registered.domain.name"
240 ######################################################################
242 # As of 2.0.0, FreeRADIUS supports virtual hosts using the
244 # Accounting. Log the accounting data.
247 + # cui_accounting reads the record form the temporary database,
248 + # selects the corresponding CUI value, as set cui_updatedb
249 + # and adds the CUI attribute to the accounting request
250 + # uncomment the line below if *requesting* the CUI
253 # Create a 'detail'ed log of the packets.
254 # Note that accounting requests which are proxied
256 # Once we KNOW that the user has been authenticated, there are
257 # additional steps we can take.
259 + # cui_postauth reacts to the Chargeable-User-Identity request
260 + # by adding the md5 hash created from a configurable local
261 + # salt (cui_hash_key) and the (inner) User-Name value
262 + # uncomment the line below if *returning* the CUI
265 + # cui_updatedb updates the temporary database adding
266 + # the record containing the received CUI value to be later
267 + # used in accounting
268 + # uncomment the line below if *requesting* the CUI
270 # Get an address from the IP Pool.
274 # Uncomment the following line if you want to change attributes
275 # as defined in the preproxy_users file.
278 + # operator_name adds Operator-Name value to Access-Request
281 + # cui_pre-proxy adds the NULL CUI value to Access-Request
282 + # thus making it a Chargeable-User-Identity request
283 + # uncomment the line below if *requesting* the CUI
286 # Uncomment the following line if you want to filter requests
287 # sent to remote servers based on the rules defined in the
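Review bot: The sample `# sp_operator_name = "1your.registered.domain.name"` gives no hint that the leading `1` is meaningful, so an administrator copying the line is likely to delete it as a typo and emit an Operator-Name without its namespace prefix. A comment on the preceding line, `# keep the leading "1": it is the REALM namespace identifier (RFC 5580)`, would prevent that; the patch never cites RFC 5580 even though the attribute format comes from it. In the same block, `# cui_hash_key = "some secret value"` could state that the returned CUI for any user is entirely determined by this key, so it must be a long, randomly generated value handled with the same care as a RADIUS shared secret rather than the short "random" string the howto suggests.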
288 diff -Naur freeradius-server-2.2.0-orig/raddb/sites-available/inner-tunnel freeradius-server-2.2.0/raddb/sites-available/inner-tunnel
289 --- freeradius-server-2.2.0-orig/raddb/sites-available/inner-tunnel 2012-09-10 13:51:34.000000000 +0200
290 +++ freeradius-server-2.2.0/raddb/sites-available/inner-tunnel 2012-09-13 11:05:56.237168046 +0200
292 # Once we KNOW that the user has been authenticated, there are
293 # additional steps we can take.
295 + # cui_postauth reacts to the Chargeable-User-Identity request
296 + # by adding the md5 hash created from a configurable local
297 + # salt (cui_hash_key) and the (inner) User-Name value
298 + # uncomment the line below if *returning* the CUI
301 # Note that we do NOT assign IP addresses here.
302 # If you try to assign IP addresses for EAP authentication types,
303 # it WILL NOT WORK. You MUST use DHCP.
304 diff -Naur freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.conf freeradius-server-2.2.0/raddb/sql/mysql/cui.conf
305 --- freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.conf 2012-09-10 13:51:34.000000000 +0200
306 +++ freeradius-server-2.2.0/raddb/sql/mysql/cui.conf 2012-09-13 10:59:05.245170029 +0200
311 -## Queries to update the CUI table.
312 +## cui.conf -- SQL - CUI queries
314 -postauth_query = "INSERT IGNORE INTO ${cui_table} \
315 - (clientipaddress, callingstationid, username, cui, lastaccounting) \
317 - ('%{Client-IP-Address}', '%{Calling-Station-Id}', '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) ON DUPLICATE KEY UPDATE lastaccounting='0000-00-00 00:00:00', cui='%{reply:Chargeable-User-Identity}'";
320 +# This is a part of the Chargeable-User-Identity module
321 +# See doc/cui_howto.txt for more information
324 +# postauth_query creates a temporary record remembering
325 +# Client-IP-Address, Calling-Station-Id, User-Name,
326 +# Chargeable-User-Identity.
327 +# This information is used later to correlate accounting requests
328 +# with the information received in Access-Accept
330 + postauth_query = "INSERT IGNORE INTO ${cui_table} \
331 + (clientipaddress, callingstationid, username, \
332 + cui, lastaccounting) \
334 + ('%{Client-IP-Address}', '%{Calling-Station-Id}', \
335 + '%{User-Name}', '%{reply:Chargeable-User-Identity}', NULL) \
336 + ON DUPLICATE KEY UPDATE \
337 + lastaccounting='0000-00-00 00:00:00', \
338 + cui='%{reply:Chargeable-User-Identity}'";
340 +# accounting_start_query and accounting_update_query are called
341 +# by Accounting-Request Start or Interim Update.
342 +# The appropriate temporary record is updates by entering
343 +# the current time as the lastaccounting field.
344 +# The value of lastaccounting can be used to clean up the database
345 +# from stale temporary records.
347 + accounting_start_query = "UPDATE ${cui_table} \
348 + SET lastaccounting = CURRENT_TIMESTAMP \
349 + WHERE clientipaddress = '%{Client-IP-Address}' \
350 + AND callingstationid = '%{Calling-Station-Id}' \
351 + AND username = '%{User-Name}' \
352 + AND cui = '%{Chargeable-User-Identity}'";
354 -accounting_start_query = "UPDATE ${cui_table} \
356 - lastaccounting = CURRENT_TIMESTAMP \
357 - WHERE clientipaddress = '%{Client-IP-Address}' \
358 - AND callingstationid = '%{Calling-Station-Id}' \
359 - AND username = '%{User-Name}' \
360 - AND cui = '%{Chargeable-User-Identity}'";
362 -accounting_update_query = "UPDATE ${cui_table} \
364 - lastaccounting = CURRENT_TIMESTAMP \
365 - WHERE clientipaddress = '%{Client-IP-Address}' \
366 - AND callingstationid = '%{Calling-Station-Id}' \
367 - AND username = '%{User-Name}' \
368 - AND cui = '%{Chargeable-User-Identity}'";
369 + accounting_update_query = "UPDATE ${cui_table} \
370 + SET lastaccounting = CURRENT_TIMESTAMP \
371 + WHERE clientipaddress = '%{Client-IP-Address}' \
372 + AND callingstationid = '%{Calling-Station-Id}' \
373 + AND username = '%{User-Name}' \
374 + AND cui = '%{Chargeable-User-Identity}'";
376 -accounting_stop_query = "DELETE FROM ${cui_table} WHERE \
377 - clientipaddress = '%{Client-IP-Address}' \
378 - AND callingstationid = '%{Calling-Station-Id}' \
379 - AND username = '%{User-Name}' \
380 - AND cui = '%{Chargeable-User-Identity}'";
381 +# accounting_stop_query is called by Accounting-Request Stop.
382 +# It deletes the temporary record form the database.
384 + accounting_stop_query = "DELETE FROM ${cui_table} WHERE \
385 + clientipaddress = '%{Client-IP-Address}' \
386 + AND callingstationid = '%{Calling-Station-Id}' \
387 + AND username = '%{User-Name}' \
388 + AND cui = '%{Chargeable-User-Identity}'";
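Review bot: postauth_query stores two different "no accounting yet" markers in lastaccounting: the INSERT branch writes `NULL` while the ON DUPLICATE KEY UPDATE branch writes `'0000-00-00 00:00:00'`, so any cleanup of stale records keyed on lastaccounting (which the comment above accounting_start_query explicitly anticipates) must test for both, and if the column is a DATETIME/TIMESTAMP the zero date is rejected outright under MySQL strict modes with NO_ZERO_DATE. Using `lastaccounting=NULL, \` in the UPDATE branch keeps a single representation. `INSERT IGNORE` is also redundant beside ON DUPLICATE KEY UPDATE, which already absorbs the duplicate-key case; what IGNORE additionally does is downgrade data errors such as a Calling-Station-Id longer than the `varchar(50)` column into silent truncation, after which the `callingstationid = '%{Calling-Station-Id}'` predicate in the accounting queries no longer matches the stored row and the CUI is quietly dropped from accounting. Dropping IGNORE would surface that as a logged SQL error instead.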
389 diff -Naur freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.sql freeradius-server-2.2.0/raddb/sql/mysql/cui.sql
390 --- freeradius-server-2.2.0-orig/raddb/sql/mysql/cui.sql 2012-09-10 13:51:34.000000000 +0200
391 +++ freeradius-server-2.2.0/raddb/sql/mysql/cui.sql 2012-09-13 10:59:05.245170029 +0200
394 +# Table structure for table 'cui'
398 `clientipaddress` varchar(15) NOT NULL default '',
399 `callingstationid` varchar(50) NOT NULL default '',