Hello all,
Apologies for the length of this mail, but I think I have all the relevant
information here.
I'm having a little trouble with FreeRadius 0.9.2 and realms and I'm looking
for a little help from the list.
I'm testing a new service that we have to provide, which involves proxying all
requests for a wildcard suffix to another service provider. To achieve this I
have the following users file: these are lines 90 - 96. The rest of the file
is comments.
<<
test Auth-Type := Local, User-Password == "testac"
Service-Type = Framed-User,
Framed-Protocol = "PPP"
DEFAULT User-Name =~ "@*.olie1", Proxy-To-Realm := "bt-radius"
DEFAULT User-Name =~ "@*.olie2", Proxy-To-Realm := "bt-radius"
>>
My proxy.conf looks like:
<<
proxy server {
synchronous = no
retry_delay = 1
retry_count = 1
dead_time = 360
default_fallback = yes
post_proxy_authorize = no
}
realm bt-radius {
type = radius
authhost = 208.159.238.241:1645
accthost = 208.159.238.243:1646
secret = **********
nostrip
}
realm bt-radius {
type = radius
authhost = 208.159.238.242:1645
accthost = 208.159.238.243:1646
secret = **********
nostrip
}
>>
The problem is that the user is authenticated correctly but the accounting
information is not forwarded onto the accthost for that realm, by which I mean
I cannot see any traffic to the accthost at all with ethereal. I have included
the radiusd.conf and the output from radiusd -X at the end of this mail.
When I dial up I get the following:
<<
rad_recv: Access-Request packet from host 193.95.136.204:1645, id=115,
length=110
NAS-IP-Address = 193.95.136.204
NAS-Port = 139
NAS-Port-Type = Async
User-Name = "[EMAIL PROTECTED]"
Called-Station-Id = "015009992"
Calling-Station-Id = "014326957"
User-Password = "**********"
Service-Type = Framed-User
Framed-Protocol = PPP
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: Looking up realm "ireland.olie1" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: No such realm "ireland.olie1"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched DEFAULT at 94
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
Sending Access-Request of id 1 to 208.159.238.241:1645
NAS-IP-Address = 193.95.136.204
NAS-Port = 139
NAS-Port-Type = Async
User-Name = "[EMAIL PROTECTED]"
Called-Station-Id = "015009992"
Calling-Station-Id = "014326957"
User-Password = "*********"
Service-Type = Framed-User
Framed-Protocol = PPP
Proxy-State = 0x313135
--- Walking the entire request list ---
Waking up in 2 seconds...
rad_recv: Access-Accept packet from host 208.159.238.241:1645, id=1, length=135
NAS-IP-Address = 193.95.136.204
NAS-Port = 139
NAS-Port-Type = Async
User-Name = "[EMAIL PROTECTED]"
Called-Station-Id = "015009992"
Calling-Station-Id = "014326957"
User-Password = "**********"
Proxy-State = 0x313135
Class = 0x060a4d313132303735310903d90a082e2e2e2e55530c0302
Service-Type = Framed-User
Framed-Protocol = PPP
authorize: Skipping authorize in post-proxy stage
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED] (from client ts-test.cwt port 139 cli 014326957)
>>
So an Access-Accept is returned to the NAS and the user is connected.
Next, the accounting Start record is received from the NAS:
<<
rad_recv: Accounting-Request packet from host 193.95.136.204:1646, id=116,
length=152
NAS-IP-Address = 193.95.136.204
NAS-Port = 139
NAS-Port-Type = Async
User-Name = "[EMAIL PROTECTED]"
Called-Station-Id = "015009992"
Calling-Station-Id = "014326957"
Acct-Status-Type = Start
Class = 0x060a4d313132303735310903d90a082e2e2e2e55530c0302
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "00000020"
Framed-Protocol = PPP
Framed-IP-Address = 193.120.53.65
Acct-Delay-Time = 0
>>
On processing the accounting packet the realm is not matched in proxy.conf,
so freeradius never sends the accounting packet to the correct server for the
realm, as matched in the users file for authentication:
<<
modcall: entering group preacct for request 2
modcall[preacct]: module "preprocess" returns noop for request 2
rlm_realm: Looking up realm "ireland.olie1" for User-Name =
"[EMAIL PROTECTED]"
rlm_realm: No such realm "ireland.olie1"
modcall[preacct]: module "suffix" returns noop for request 2
modcall[preacct]: module "files" returns noop for request 2
modcall: group preacct returns noop for request 2
modcall: entering group accounting for request 2
>>
So the accounting is stored locally:
<<
rlm_acct_unique: Acct-Unique-Session-ID = "582928d0fd82763a".
modcall[accounting]: module "acct_unique" returns ok for request 2
radius_xlat: '/usr/local/var/log/radius/radacct/detail-20031031'
rlm_detail: /usr/local/var/log/radius/radacct/detail-%Y%m%d expands to
/usr/local/var/log/radius/radacct/detail-20031031
modcall[accounting]: module "detail" returns ok for request 2
modcall[accounting]: module "unix" returns ok for request 2
radius_xlat: '/usr/local/var/log/radius/radutmp'
radius_xlat: '[EMAIL PROTECTED]'
modcall[accounting]: module "radutmp" returns ok for request 2
modcall: group accounting returns ok for request 2
Sending Accounting-Response of id 116 to 193.95.136.204:1646
Finished request 2
>>
So my question is: is there any way to get freeradius to send the accounting
information to the other service provider for users that have been
authenticated by that service provider, i.e. matched by the DEFAULT User-Name =~
"@*.olie1", Proxy-To-Realm := "bt-radius" entry in the users file?
Unfortunately I do not, and will not, have a definitive list of all realms that
will be accepted by the other provider, so I am unable to put all possible
realms in proxy.conf.
Thanks in advance for your replies,
Dave.
My radiusd.conf looks like this:
<<
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = yes
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
mschap {
authtype = MS-CHAP
}
realm realmslash {
format = prefix
delimiter = "/"
}
realm suffix {
format = suffix
delimiter = "@"
}
realm realmpercent {
format = suffix
delimiter = "%"
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile = ${radacctdir}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port-Id"
}
$INCLUDE ${confdir}/sql.conf
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = "yes"
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
expr {
}
digest {
}
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
ippool main_pool {
range-start = 192.168.1.1
range-stop = 192.168.3.254
netmask = 255.255.255.0
cache-size = 800
session-db = ${raddbdir}/db.ippool
ip-index = ${raddbdir}/db.ipindex
override = no
}
}
instantiate {
expr
}
authorize {
preprocess
chap
suffix
files
mschap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
}
preacct {
preprocess
suffix
files
}
accounting {
acct_unique
detail
radutmp
}
session {
radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
>>
radiusd startup:
<<
/usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "yes"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 1
proxy: retry_count = 1
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 360
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
>>
--
Dave Hickey [EMAIL PROTECTED]
Esat BT IP NOC www.esatbt.com
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
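Added example (not part of the original mail or of FreeRADIUS itself): a small Python model of how the two DEFAULT entries in the users file above select a Proxy-To-Realm. It applies the regexes exactly as written in the mail (`@*.olie1`, `@*.olie2`) with unanchored search semantics, which is how a `=~` check item behaves, and sets them beside anchored variants that I constructed for comparison. The sample user names are constructed; the mail only shows one real name, and the realm name `bt-radius` comes from the posted proxy.conf. The point it demonstrates is that `@*` means "zero or more @ characters" and `.` means "any character", so the entry as written also forwards credentials for names such as `test@ireland.olie10` or a local user named `test.olie1` to the other provider's servers, which a tighter pattern avoids.

```python
import re

# The two DEFAULT check items exactly as they appear in the posted users file.
USERS_FILE_ENTRIES = [
    # (User-Name =~ pattern, Proxy-To-Realm)
    (r"@*.olie1", "bt-radius"),
    (r"@*.olie2", "bt-radius"),
]

# Constructed, anchored alternatives: require a literal '@', a realm label that
# contains no further '@', and a literal ".olie1"/".olie2" at the very end.
TIGHTENED_ENTRIES = [
    (r"@[^@]*\.olie1$", "bt-radius"),
    (r"@[^@]*\.olie2$", "bt-radius"),
]

# Constructed sample user names; only the first two are the intended ones.
SAMPLES = [
    "test@ireland.olie1",   # intended: proxied to bt-radius
    "test@ireland.olie2",   # intended: proxied to bt-radius
    "test@ireland.olie10",  # different suffix, but contains ".olie1"
    "test.olie1",           # local user with a dot, no realm at all
    "test@ireland.olie3",   # must never be proxied
]


def select_realm(user_name, entries):
    """Return the Proxy-To-Realm of the first entry whose pattern matches.

    re.search() mirrors the unanchored regexec() match that a users-file
    '=~' check item performs: the pattern may match anywhere in User-Name.
    Returns None when no DEFAULT entry matches (request handled locally).
    """
    for pattern, realm in entries:
        if re.search(pattern, user_name):
            return realm
    return None


def compare(loose_entries, tight_entries, names):
    """Map each name to (realm chosen by the loose entries, realm chosen by the tight ones)."""
    return {
        name: (select_realm(name, loose_entries), select_realm(name, tight_entries))
        for name in names
    }


if __name__ == "__main__":
    for name, (loose, tight) in compare(USERS_FILE_ENTRIES, TIGHTENED_ENTRIES, SAMPLES).items():
        print(f"{name:24s} as written -> {loose!s:10s} anchored -> {tight}")
```

Two things the log in the mail already shows are worth reading together with this: the `suffix` realm module never matches because proxy.conf defines a realm called `bt-radius`, not `ireland.olie1`, so realm selection rests entirely on the users-file regex; and in the `preacct` section rlm_files reads `acct_users` (the `acctusersfile` shown in the -X output), not `users`, so a DEFAULT entry that exists only in `users` is never consulted for Accounting-Request packets, which is why `files` returns noop there.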