Lewis Bergman wrote:
> Matthew Schumacher wrote:
>
>> Lewis Bergman wrote:
>>
>>> Matthew Schumacher wrote:
>>>
>>>> I'm getting accounting messages like these that seem to be coming from
>>>> the loopback interface, but `tcpdump -i lo` doesn't see them so they
>>>> are not coming from a local client. If they are not coming from a local
>>>> client then how can I figure out where they are coming from?
>>>>
>>>> Thu Jan 12 07:19:58 2006
>>>> Acct-Status-Type = Stop
>>>> NAS-IP-Address = x.x.x.x (legit nas IP)
>>>> Acct-Delay-Time = 0
>>>> User-Name = "user"
>>>> NAS-Port = 536936515
>>>> Acct-Session-Id = "0A000067"
>>>> Service-Type = Framed-User
>>>> Framed-Protocol = PPP
>>>> Framed-IP-Address = x.x.x.x (legit Framed-IP-Address)
>>>> Acct-Session-Time = 0
>>>> Acct-Input-Octets = 0
>>>> Acct-Output-Octets = 0
>>>> Acct-Input-Packets = 0
>>>> Acct-Output-Packets = 0
>>>> Client-IP-Address = 127.0.0.1
>>>> Acct-Unique-Session-Id = "1cc41474b27ed376"
>>>> Timestamp = 1137082798
>>>
>
> I assumed when you marked the NAS ip as legit, that the actual value in
> that field is a legit IP that you have listed in your clients.conf file.
> If that is the case, then that is where the packet originated from. My
> NAS's report the client IP as the NAS address if I log in from the network.
> Login-IP-Host = <ip of router>
> Client-IP-Address = <IP of NAS IP>
>
> I think I remember if I logged in from the console port that it reports
> the Client address as the loopback.

According to the freeradius documentation and the code, the Client-IP-Address attribute always records the source address of the packet, and the NAS-IP-Address is provided by the NAS, and if it isn't, freeradius puts in the source address.

This means that the log above states that a packet with the NAS-IP-Address of a legit nas was sourced from 127.0.0.1, which is not possible since I don't have a client running on the local machine, which is confirmed by the lack of packets shown in tcpdump.

At this point I am starting to think there is a bug in freeradius where the Client-IP-Address gets recorded incorrectly.

If you log in to the serial port of your nas then you could see the NAS-IP-Address as 127.0.0.1, but you should never see a Client-IP-Address of 127.0.0.1 unless the client sourced its packet from the radius server's loopback interface.

schu
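
The mismatch described in this message (a loopback Client-IP-Address on a record whose NAS-IP-Address is a real NAS) can be searched for across an accounting log. The script below is an added example, not code from the thread or from FreeRADIUS; it assumes the timestamp-header-plus-attributes layout quoted above, and the sample records and 192.0.2.x addresses are constructed.

```python
import ipaddress

# Constructed sample in the layout quoted in the thread: a timestamp header
# line, then "Attribute = value" lines, with records separated by blank lines.
# The 192.0.2.x addresses are documentation-range placeholders.
SAMPLE = """\
Thu Jan 12 07:19:58 2006
\tAcct-Status-Type = Stop
\tNAS-IP-Address = 192.0.2.10
\tUser-Name = "user"
\tAcct-Session-Id = "0A000067"
\tClient-IP-Address = 127.0.0.1

Thu Jan 12 07:20:03 2006
\tAcct-Status-Type = Start
\tNAS-IP-Address = 192.0.2.10
\tUser-Name = "other"
\tAcct-Session-Id = "0A000068"
\tClient-IP-Address = 192.0.2.10
"""

def parse_detail(text):
    """Yield one dict per record; the header line is stored under '_header'."""
    record = {}
    for line in text.splitlines():
        if not line.strip():              # blank line ends the current record
            if record:
                yield record
                record = {}
        elif " = " in line:
            name, value = line.strip().split(" = ", 1)
            record[name] = value.strip('"')
        else:
            record["_header"] = line.strip()
    if record:                            # last record may lack a trailing blank
        yield record

def is_loopback(value):
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:                    # missing or masked, e.g. "x.x.x.x"
        return False

def loopback_sourced(records):
    """Records whose packet source is loopback but whose NAS-IP-Address is not."""
    return [r for r in records
            if is_loopback(r.get("Client-IP-Address", ""))
            and not is_loopback(r.get("NAS-IP-Address", ""))]

if __name__ == "__main__":
    for r in loopback_sourced(parse_detail(SAMPLE)):
        print(r["_header"], r["Acct-Session-Id"], r["NAS-IP-Address"])
```

The header timestamps of the flagged records give the times to line up against a packet capture on the server's interfaces.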

