Hi Terry -
On Thursday, Oct 16, 2003, at 16:21 Australia/Melbourne, Terry Simons wrote:
Hugh,
This is actually that D-Link AP900+ that I've been testing...
Yes, I've got one here now as well, although I can't get it to work.
What is the magic incantation?
I'll try the same thing with an AP-2000.
Yup.
Might it be interesting to keep track of which devices are broken in this regard?
Sadly this is impossible as there are new versions of firmware appearing for all vendors on a daily basis.
And most vendors seem to think that accounting is optional at best.
If all else fails I'll take a look at the eap_anon_hooks.pl script. (I had already started looking at that before I got your initial reply). I'm not exactly sure how things fit together with that, but I guess I'll learn. ;-)
You just need to put the Calling-Station-Id and Called-Station-Id into a database table when you receive the access request, then retrieve them when you get the accounting requests. The example hook does the same thing for the username.
regards
Hugh
Thanks!
- Terry
On Oct 16, 2003, at 12:09 AM, Hugh Irvine wrote:
Hello Terry -
It is not you - it is the access point that is goofy - it is not returning the Class attribute in the accounting requests (which is quite broken). For the other problem, you should add quotes around the second part of the AddToReply:
AddToReply Class = "Calling-Station-Id = %{Calling-Station-Id}"
Although if the access point doesn't include the Class attribute in the accounting requests this won't help I'm afraid. You should talk to your vendor and point out the error of their ways (this is a bug in my opinion).
I guess you could modify Mike's "eap_anon_hook.pl" as an alternative approach (it's in the "goodies").
regards
Hugh
On Thursday, Oct 16, 2003, at 13:16 Australia/Melbourne, Terry Simons wrote:
Hugh,
This doesn't seem to be working for me.
Can you take a look at my debugging output and configuration?
Here's what I'm seeing:
Wed Oct 15 21:09:35 2003: DEBUG: Handling request with Handler ''
Wed Oct 15 21:09:35 2003: DEBUG: Deleting session for terry, 10.0.0.20,
Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthSQL
Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthFILE: FILE_AUTH
Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE looks for match with terry
Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE ACCEPT:
Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
Wed Oct 15 21:09:35 2003: DEBUG: EAP result: 0, EAP TTLS inner authentication redespatched to a Handler
Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
Wed Oct 15 21:09:35 2003: DEBUG: Packet dump:
*** Sending to 10.0.0.20 port 1258 ....
Code: Access-Accept
Identifier: 122
Authentic: <237>w<243><11>F<152>a<20><195><6><208><155><244><162>K<168>
Attributes:
Class = "Calling-Station-Id = "
Class = "Calling-Station-Id = 00-30-65-1D-9E-A6"
MS-MPPE-Send-Key = "<147><171><198>U<139>4<30><251><127><154><194>F><182><137><0><193><177><152>g<8><8><182><148>y<130><203>fp<30>z<191><249>K<129><247>B<132><185>d<167><203><251><28><188><197><189><244>Eo"
MS-MPPE-Recv-Key = "<181>R<190>Z{<246><210>9<136>2ij<204>1<240><207><169><200>lo<226><31><255><139>T<9><132>'.<174><152>e"<151><153><177><221><190><184>ZCw<227><206><160> J<252><199><130>"
EAP-Message = <3><6><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
*** Received from 10.0.0.20 port 1259 ....
Code: Accounting-Request
Identifier: 123
Authentic: <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
Attributes:
Acct-Status-Type = Start
User-Name = "terry"
Acct-Session-Id = "000080480043"
NAS-IP-Address = 10.0.0.20
NAS-Port = 0
Acct-Authentic = RADIUS
NAS-Identifier = "WardriveMe"
Acct-Delay-Time = 0
Wed Oct 15 21:09:36 2003: DEBUG: Handling request with Handler ''
Wed Oct 15 21:09:36 2003: DEBUG: Adding session for terry, 10.0.0.20, 0
Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthSQL
Wed Oct 15 21:09:36 2003: DEBUG: Handling accounting with Radius::AuthSQL
Wed Oct 15 21:09:36 2003: DEBUG: do query is: 'insert into dot1xAccountingDB (Class) values('')':
Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthFILE: FILE_AUTH
Wed Oct 15 21:09:36 2003: DEBUG: Accounting accepted
Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
*** Sending to 10.0.0.20 port 1259 ....
Code: Accounting-Response
Identifier: 123
Authentic: <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
Attributes:
If you look closely, you'll notice that the "Class" variable is printed twice. Once with a value, once without... this alone seems somewhat odd. Why is it getting displayed twice?
Also, this information still isn't available to me for accounting, which is also apparent above. My attempt to account for '%{Class}' is turning up a NULL value.
Am I doing something wrong, or is this just being goofy?
It seems to be almost what I want, but not quite.
Here is my test configuration:
Foreground
LogStdout
LogDir /usr/local/var/log/radius.log
LogFile %L/logfile
DbDir /usr/local/etc
Trace 4
AuthPort 1812
AcctPort 1813

<Client DEFAULT>
	NoIgnoreDuplicates Access-Challenge
	NoIgnoreDuplicates Access-Request
	DupInterval 0
	AddToRequest %{Class}
</Client>

<AuthBy SQL>
	Identifier ACCT_ONLY
	DBSource dbi:CSV:f_dir=/usr/local/var/log/radius.log/accounting/
	DBUsername NOT_NEEDED
	DBAuth NOT_NEEDED
	AcctSQLStatement insert into dot1xAccountingDB \
		(\
		Class\
		) \
		values\
		(\
		'%{Class}'\
		)
	AuthSelect
</AuthBy>

<AuthBy FILE>
	Identifier FILE_AUTH
	Filename /usr/local/etc/users
	EAPType TTLS TLS MD5-Challenge MSCHAP-V2
	EAPTLS_MaxFragmentSize 1024
	EAPTLS_CAFile /etc/radiator/CA.pem
	EAPTLS_CertificateType PEM
	EAPTLS_CertificateFile /etc/radiator/Server.pem
	EAPTLS_PrivateKeyFile /etc/radiator/Server.pem
	EAPTLS_PrivateKeyPassword NOTMYPASSWORD
	EAPTLS_SessionResumption 0
	AutoMPPEKeys
	AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}
</AuthBy>

<Handler TunneledByTTLS=1>
	AuthBy FILE_AUTH
</Handler>

<Handler>
	AuthByPolicy ContinueAlways
	AuthBy ACCT_ONLY
	AuthBy FILE_AUTH
</Handler>
On Oct 15, 2003, at 4:48 PM, Hugh Irvine wrote:
Hello Terry -
There are some useful tricks that you can employ in this situation.
# define Client clause
<Client ....>
	Secret .....
	AddToRequest %{Class}
	.....
</Client>

# define AuthBy clause
<AuthBy ...>
	Identifier MyAuthBy
	.....
	AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}, \
		Called-Station-Id = %{Called-Station-Id}
</AuthBy>

# define Realm of Handler
<Handler ...>
	AuthBy MyAuthBy
	.....
</Handler>
regards
Hugh
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
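Hugh's fallback in the thread (store Calling-Station-Id and Called-Station-Id when the Access-Request arrives, then retrieve them when the Accounting-Request comes in because the access point did not echo Class) worked through as an added example. This is not code from the thread, from Radiator, or from the eap_anon_hook.pl in the goodies: it is Python rather than a Radiator Perl hook, it reads the trace-4 packet-dump layout quoted above, and it uses an in-memory dict in place of the database table. The session key (NAS-IP-Address plus User-Name) is an assumption, chosen because both packet types in the thread carry them. The packet dumps it consumes are constructed; only the station id 00-30-65-1D-9E-A6, the user terry, NAS 10.0.0.20 and the Acct-Session-Id come from the thread. It also records whether the NAS echoed Class at all, which is the quick check for an access point with the bug Hugh describes.

```python
import re
from typing import Dict, List, Optional, Tuple

ATTR_RE = re.compile(r'^([\w-]+)\s*=\s*(.*)$')   # one "Name = value" dump line
SESSION_KEY = ('NAS-IP-Address', 'User-Name')    # assumed to be in both packet types
CARRIED = ('Calling-Station-Id', 'Called-Station-Id')


def parse_packet(dump: str) -> Tuple[str, Dict[str, str]]:
    """Return (Code, {attribute: value}) from a Radiator-style packet dump."""
    code, attrs, in_attrs = None, {}, False
    for raw in dump.strip().splitlines():
        line = raw.strip()
        if line.startswith('Code:'):
            code = line.split(':', 1)[1].strip()
        elif line == 'Attributes:':
            in_attrs = True
        elif in_attrs and (m := ATTR_RE.match(line)):
            name, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]              # strip the dump's quoting
            attrs[name] = value
    if code is None:
        raise ValueError('no Code: line in packet dump')
    return code, attrs


def parse_class(value: str) -> Dict[str, str]:
    """Decode a Class built like Hugh's AddToReply: "A = x, B = y"."""
    out: Dict[str, str] = {}
    for part in value.split(','):
        if '=' in part:
            name, val = part.split('=', 1)
            out[name.strip()] = val.strip()
    return out


class SessionCorrelator:
    """In-memory stand-in for the database table a Radiator hook would use."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, ...], Dict[str, str]] = {}

    def handle(self, code: str, attrs: Dict[str, str]) -> Optional[Dict[str, object]]:
        key = tuple(attrs[k] for k in SESSION_KEY) if all(k in attrs for k in SESSION_KEY) else None
        if code == 'Access-Request' and key is not None:
            # Step 1: remember the station ids when the access request arrives.
            self.table[key] = {k: attrs[k] for k in CARRIED if k in attrs}
            return None
        if code != 'Accounting-Request':
            return None
        record: Dict[str, object] = {
            'User-Name': attrs.get('User-Name'),
            'Acct-Status-Type': attrs.get('Acct-Status-Type'),
            'class_echoed': 'Class' in attrs,    # False marks a NAS that drops Class
            'source': None,
        }
        if 'Class' in attrs:
            # Compliant NAS: Class comes back unchanged, so just decode it.
            record.update(parse_class(attrs['Class']))
            record['source'] = 'class'
        elif key in self.table:
            # Step 2: Class was dropped; retrieve what was stored at step 1.
            record.update(self.table[key])
            record['source'] = 'table'
        if attrs.get('Acct-Status-Type') == 'Stop':
            self.table.pop(key, None)            # session over, free the row
        return record


# Constructed dumps in trace-4 layout; terry, 10.0.0.20, the session id and
# 00-30-65-1D-9E-A6 are from the thread, the second NAS and user are invented.
ACCESS_REQUEST = """Code: Access-Request
Attributes:
    User-Name = "terry"
    NAS-IP-Address = 10.0.0.20
    Calling-Station-Id = "00-30-65-1D-9E-A6"
    Called-Station-Id = "00-40-05-AA-BB-CC"
"""
ACCT_START_NO_CLASS = """Code: Accounting-Request
Attributes:
    Acct-Status-Type = Start
    User-Name = "terry"
    Acct-Session-Id = "000080480043"
    NAS-IP-Address = 10.0.0.20
"""
ACCT_START_WITH_CLASS = """Code: Accounting-Request
Attributes:
    Acct-Status-Type = Start
    User-Name = "alice"
    NAS-IP-Address = 10.0.0.21
    Class = "Calling-Station-Id = 00-11-22-33-44-55, Called-Station-Id = 00-40-05-AA-BB-CD"
"""


def run_demo() -> List[Dict[str, object]]:
    """Feed the three constructed packets through and return the accounting records."""
    corr, records = SessionCorrelator(), []
    for dump in (ACCESS_REQUEST, ACCT_START_NO_CLASS, ACCT_START_WITH_CLASS):
        rec = corr.handle(*parse_packet(dump))
        if rec is not None:
            records.append(rec)
    return records
```

Calling run_demo() yields two records: terry's Start, filled in from the table with class_echoed False (the AP900+ case), and alice's Start, filled in from the echoed Class. In a real hook the table would be the SQL table and the lookup the second query, exactly as Hugh describes for the username in the example hook; keying on NAS-IP-Address and User-Name is the weak spot, since two simultaneous sessions for one user on one NAS would collide, which is why an echoed Class is the better source whenever the NAS provides it.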
