Feature #624

Radius Accounting Restricts DN field Length

Added by Jason Kershaw over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: libcharon
Target version:
Start date: 25.06.2014
Due date:
Estimated time:
Resolution: Fixed

Description

Hi,

We are attempting to use Radius accounting to identify mobile device activity, related to #605.

However it seems the username field used to identify the unique devices is restricted to 128 characters, which can truncate the necessary field.

The AVP received at radius is detailed below:

    User-Name: C=GB, L=UDP Systems, O=Trial_Another_HTTPPreProd_UDP, OU=Trial_Another_HTTPPreProd_UDP_SG, CN=78fbee1dbc3b567a14c5c4eba1c3465cb

Unfortunately the full DN for this entry:

    User-Name: C=GB, L=UDP Systems, O=Trial_Another_HTTPPreProd_UDP, OU=Trial_Another_HTTPPreProd_UDP_SG, CN=78fbee1dbc3b567a14c5c4eba1c3465cbdca6192, E=

As the CN field is the unique identifier we are unable to correctly identify the mobile device at the radius server.

Is there a configuration entry to increase the field limit for the User-Name sent to radius?
Or potentially a way to configure which fields within the DN are sent in the User-Name AVP rather than the full DN?

Many Thanks
Jason

Associated revisions

Revision fc8ca5f2 (diff)
Added by Martin Willi over 6 years ago

eap-radius: Increase buffer for accounting attributes to maximum attribute size

Fixes #624.

History

#1 Updated by Matthew Prowse over 6 years ago

Perhaps down to:

    char buf[128];

later used by:

    snprintf(buf, sizeof(buf), "%Y", ike_sa->get_other_eap_id(ike_sa));
    message->add(message, RAT_USER_NAME, chunk_from_str(buf));

in function add_ike_sa_parameters() of eap_radius_accounting.c?

Note - attribute values appear limited by:

    #define MAX_RADIUS_ATTRIBUTE_SIZE       253

in radius_message.h

#2 Updated by Martin Willi over 6 years ago

  • Category set to libcharon
  • Status changed from New to Closed
  • Assignee set to Martin Willi
  • Resolution set to Fixed

Hi Jason,

As Matthew correctly noted, this is due to the limited buffer size. I've addressed this issue by increasing the buffer to the maximum allowed in RADIUS of 253 bytes (see referenced commit). This probably should fix the issue for you, but still truncates longer identities.

> Or potentially a way to configure which fields within the DN are sent in the User-Name AVP rather than the full DN ?

No, this is currently not possible, the full DN is always transmitted, as this is what the client sends as ID payload. You may, however, configure your client to use shorter identities, for example a subjectAltName from its certificate.

Regards
Martin
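
The truncation discussed in comments #1 and #2, as an added example that is not part of the ticket or of strongSwan's code: it formats the ticket's DN into a 128-byte buffer and into one sized for the 253-byte RADIUS limit, and uses snprintf()'s return value to report how many bytes were dropped. The helper `format_user_name()`, the plain `%s` standing in for strongSwan's `%Y`, and the 253 + 1 buffer sizing are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define OLD_BUF_SIZE              128  /* char buf[128] quoted in comment #1 */
#define MAX_RADIUS_ATTRIBUTE_SIZE 253  /* quoted from radius_message.h */

/* DN from the ticket up to the CN. The E= component is elided on the page,
 * so it is left out here. */
static const char *ticket_dn =
    "C=GB, L=UDP Systems, O=Trial_Another_HTTPPreProd_UDP, "
    "OU=Trial_Another_HTTPPreProd_UDP_SG, "
    "CN=78fbee1dbc3b567a14c5c4eba1c3465cbdca6192";

/* Hypothetical helper (not a strongSwan function): format an identity into
 * out[out_size] like the quoted snprintf() call, with plain %s standing in
 * for strongSwan's %Y printf hook. Returns the number of bytes lost to
 * truncation, 0 if the value fit, or -1 on error. */
static int format_user_name(char *out, size_t out_size, const char *id)
{
    int needed;

    if (out == NULL || out_size == 0)
        return -1;
    needed = snprintf(out, out_size, "%s", id);
    if (needed < 0)
        return -1;
    /* snprintf() reports the length it wanted to write, so a result that
     * does not fit in out_size - 1 bytes means the value was cut short. */
    if ((size_t)needed >= out_size)
        return needed - (int)(out_size - 1);
    return 0;
}

int main(void)
{
    char old_buf[OLD_BUF_SIZE];
    char new_buf[MAX_RADIUS_ATTRIBUTE_SIZE + 1];  /* assumed: max value + NUL */
    int lost;

    lost = format_user_name(old_buf, sizeof(old_buf), ticket_dn);
    printf("%zu-byte buffer: %d bytes lost\n  %s\n", sizeof(old_buf), lost, old_buf);
    lost = format_user_name(new_buf, sizeof(new_buf), ticket_dn);
    printf("%zu-byte buffer: %d bytes lost\n  %s\n", sizeof(new_buf), lost, new_buf);
    return 0;
}
```

A non-zero return is the point at which an accounting sender could log that the User-Name no longer identifies the peer uniquely, which still applies to identities longer than 253 bytes.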

#3 Updated by Jason Kershaw over 6 years ago

Hi Martin,

Apologies, I don't like adding to a closed ticket, but am not sure of another process to ask this:

Will this fix be included in 5.2.0?
It's listed as committed, but the bug ID doesn't appear on the roadmap.

Many Thanks
Jason

#4 Updated by Tobias Brunner over 6 years ago

  • Tracker changed from Issue to Feature
  • Target version set to 5.2.0

#5 Updated by Martin Willi over 6 years ago

Sorry, I didn't tag the ticket appropriately. Tobias fixed that.

Yes, the fix will be part of 5.2.0, and is in 5.2.0rc1.

Regards
Martin
