RE: Setting up FreeRADIUS accounting with IP address logging
hi,

> I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. There are a few problems I cannot figure out though:

i'd advise that you run the latest version before doing anything else.

> 1. How to set up plain-text accounting. I saw in the configuration that the log directory is set to /var/log/freeradius/radacct so I created the directory and made it writable (777 to be sure) but alas, there are no logs.

accounting requires your NAS (your linksys boxes with dd-wrt) to actually send accounting packets. you should still get authentication logs in the /var/log/freeradius directory (when you don't run in debug mode!)

> 2. How to get freeRADIUS to work with a DHCP server. I'm not asking about the experimental built-in DHCP server, as it seems very limited, but is it possible to somehow log the IP addresses that each user is assigned? We need to know who was using a certain IP address at a certain time.

accounting will show IP address versus MAC address. however, to use a DHCP server just ensure that the network that people are dropped onto after authorization/authentication has a DHCP listener on it to hand out addresses. your Linux box could have an interface on the client network and be handing out IP addresses via ISC DHCPD for example. you could always take the syslog of the DHCP server pumped across the net to syslog-ng on your linux box too - with some local scripts you can tie things together like that too

> 3. How to connect using Windows. It's dead simple to connect to the network with linux, mac and smartphones but for Windows it seems impossible to find the right combination of settings. I haven't googled this issue so much, so maybe there's a simple answer. Also, it's a later problem.

just choose PEAP, ensure that you are NOT using the windows login username/password (unless you have access to eg active directory). check the certificate, validate the CA... if you search for eg 'eduroam windows' you'll find hundreds of academic sites that use 802.1X with Windows - just look at their step by step instructions...and IGNORE those that say don't check the cert/CA (!)

alan

> P.S. I have attached the radiusd.conf file at the end. I haven't changed much though.

radiusd -X is the only thing of use on the ML

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Setting up FreeRADIUS accounting with IP address logging
----- Original Message -----
From: Alan Buxey a.l.m.bu...@lboro.ac.uk

> I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. There are a few problems I cannot figure out though:
> [snip]

OFFTOPIC, but isn't it stated in the dd-wrt documentation that only WPA2-AES auth works correctly on dd-wrt?

Andres Septer
Systems Administrator
Navirec Software OÜ
Tallinn, Estonia
http://navirec.com
Setting up FreeRADIUS accounting with IP address logging
Hi!

I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. There are a few problems I cannot figure out though:

1. How to set up plain-text accounting. I saw in the configuration that the log directory is set to /var/log/freeradius/radacct so I created the directory and made it writable (777 to be sure) but alas, there are no logs.

2. How to get freeRADIUS to work with a DHCP server. I'm not asking about the experimental built-in DHCP server, as it seems very limited, but is it possible to somehow log the IP addresses that each user is assigned? We need to know who was using a certain IP address at a certain time.

3. How to connect using Windows. It's dead simple to connect to the network with linux, mac and smartphones but for Windows it seems impossible to find the right combination of settings. I haven't googled this issue so much, so maybe there's a simple answer. Also, it's a later problem.

Thankful for a response,
Johan

P.S. I have attached the radiusd.conf file at the end. I haven't changed much though.

Johan Swetzén
jo...@swetzen.com

radiusd.conf:

```
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##      http://www.freeradius.org/
##      $Id$
##

#
#       Read "man radiusd" before editing this file. See the section
#       titled DEBUGGING. It outlines a method where you can quickly
#       obtain the configuration you want, without running into
#       trouble.
#
#       Run the server in debugging mode, and READ the output.
#
#               $ radiusd -X
#
#       We cannot emphasize this point strongly enough. The vast
#       majority of problems can be solved by carefully reading the
#       debugging output, which includes warnings about common issues,
#       and suggestions for how they may be fixed.
#
#       There may be a lot of output, but look carefully for words like:
#       "warning", "error", "reject", or "failure". The messages there
#       will usually be enough to guide you to a solution.
#
#       If you are going to ask a question on the mailing list, then
#       explain what you are trying to do, and include the output from
#       debugging mode (radiusd -X). Failure to do so means that all
#       of the responses to your question will be people telling you
#       to "post the output of radiusd -X".

##
#
#       The location of other config files and logfiles are declared
#       in this file.
#
#       Also general configuration for modules can be done in this
#       file, it is exported through the API to modules that ask for
#       it.
#
#       See "man radiusd.conf" for documentation on the format of this
#       file. Note that the individual configuration items are NOT
#       documented in that "man" page. They are only documented here,
#       in the comments.
#
#       As of 2.0.0, FreeRADIUS supports a simple processing language
#       in the "authorize", "authenticate", "accounting", etc. sections.
#       See "man unlang" for details.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#
#  name of the running server. See also the "-n" command-line option.
name = freeradius

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it. When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library. When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names. NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#       ./configure
```
Re: Setting up FreeRADIUS accounting with IP address logging
Hi Johan,

On Sat, Apr 14, 2012 at 12:06:54PM +0200, Johan Swetzén wrote:
> I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. There are a few problems I cannot figure out though:

2.1.8 is pretty old. You should really run the latest 2.1.12, which fixes a number of bugs. It's easy to get running on debian/ubuntu, as the freeradius source comes with debian packaging stuff. See http://wiki.freeradius.org/Build#Building+Debian+packages

However, what you're trying to do will work on 2.1.8.

> 1. How to set up plain-text accounting. I saw in the configuration that the log directory is set to /var/log/freeradius/radacct so I created the directory and made it writable (777 to be sure) but alas, there are no logs.

The default config creates this directory and writes logs to it. If you have broken the default config, then it won't work.

My guess is a permissions problem, or you've fiddled with the config a lot and broken it, or the NAS is not sending accounting packets.

You need to run freeradius as 'freeradius -X' and read the debug output to see what's happening. Look for the 'detail' lines. If you see no accounting packets arrive, work out what's broken on your NAS or network.

> 2. How to get freeRADIUS to work with a DHCP server. I'm not asking about the experimental built-in DHCP server, as it seems very limited, but is it possible to somehow log the IP addresses that each user is assigned? We need to know who was using a certain IP address at a certain time.

a) see the answer to question 1.

b) The NAS should return the client's IP address in the *accounting* packets, which you aren't currently getting, so you won't see anything at the moment. The end-user's IP address, if sent, should be in the Framed-IP-Address attribute. Their MAC address should be in the accounting logs, and any auth logs, as the Calling-Station-Id attribute.

> 3. How to connect using Windows. It's dead simple to connect to the network with linux, mac and smartphones but for Windows it seems impossible to find the right combination of settings. I haven't googled this issue so much, so maybe there's a simple answer. Also, it's a later problem.

If you're using Active Directory: http://wiki.freeradius.org/freeradius_active_directory_integration_howto

If not, see the same page, especially http://wiki.freeradius.org/freeradius_active_directory_integration_howto#Configuration+of+users and the MS-CHAP-Use-NTLM-Auth := 0 bit.

In short, you need to use PEAP with MS-CHAPv2, or EAP-TLS (certificates/PKI), if you're using Windows = 7.

> P.S. I have attached the radiusd.conf file at the end. I haven't changed much though.

That file is essentially useless, it's the whole config that matters, and that's only a very small part. You need to send the debug output from 'freeradius -X' next time.

Cheers

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
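Matthew's point that the NAS reports the client's address as Framed-IP-Address and its MAC as Calling-Station-Id in accounting packets, which FreeRADIUS's detail module writes under the radacct directory, is what makes Johan's "who had this IP at that time" question answerable from the logs (Alan's syslog-correlation remark is the same idea). The script below is an added example, not from this thread or from the FreeRADIUS project: it parses detail-file records in the format rlm_detail writes, folds Start/Interim-Update/Stop records into sessions and looks up the holder of an address at a given epoch second, handling an address reused by a later session and a session whose Start record was never received. The sample records, session ids, names, MACs and addresses are constructed.

```python
import re
# Constructed sample (not from the thread) in rlm_detail's format: a date header,
# tab-indented "Attribute = value" lines, and a blank line between records.
SAMPLE_DETAIL = """Sat Apr 14 12:06:54 2012
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0001"
\tUser-Name = "johan"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tFramed-IP-Address = 10.0.0.5
\tTimestamp = 1334398014

Sat Apr 14 13:30:00 2012
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0001"
\tTimestamp = 1334403000

Sat Apr 14 14:00:00 2012
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0002"
\tUser-Name = "anna"
\tCalling-Station-Id = "AA-BB-CC-DD-EE-FF"
\tFramed-IP-Address = 10.0.0.5
\tTimestamp = 1334404800
"""
ATTR_RE = re.compile(r'^[ \t]+([\w-]+) = "?(.*?)"?$', re.M)   # date headers never match
KEEP = ("User-Name", "Calling-Station-Id", "Framed-IP-Address")

def parse_detail(text):
    """Split a detail file into records, each a dict of attribute -> unquoted value."""
    return [dict(ATTR_RE.findall(block)) for block in text.split("\n\n") if block.strip()]

def build_sessions(records):
    """Fold Start/Interim-Update/Stop records into one entry per Acct-Session-Id."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r["Acct-Session-Id"], {"start": None, "stop": None})
        s.update((k, v) for k, v in r.items() if k in KEEP)   # Stop records may omit IP/MAC
        ts = int(r["Timestamp"])              # epoch seconds, added by rlm_detail
        if r["Acct-Status-Type"] == "Stop":
            s["stop"] = ts
        elif s["start"] is None:              # Start, or Interim-Update after a lost Start
            s["start"] = ts
    return sessions

def who_had_ip(sessions, ip, at):
    """Return (user, MAC) for every session that held `ip` at epoch second `at`."""
    return [(s.get("User-Name"), s.get("Calling-Station-Id")) for s in sessions.values()
            if s.get("Framed-IP-Address") == ip and s["start"] is not None
            and s["start"] <= at and (s["stop"] is None or at < s["stop"])]
```

On a real server the input is the concatenation of /var/log/freeradius/radacct/<nas-ip>/detail-* files, and a NAS that never sends accounting (as Fajar notes for dd-wrt in 802.1X mode) yields no records at all.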
Re: Setting up FreeRADIUS accounting with IP address logging
On Sat, Apr 14, 2012 at 5:06 PM, Johan Swetzén jo...@swetzen.com wrote:
> Hi! I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. There are a few problems I cannot figure out though:
>
> 1. How to set up plain-text accounting. I saw in the configuration that the log directory is set to /var/log/freeradius/radacct so I created the directory and made it writable (777 to be sure) but alas, there are no logs.

Your NAS needs to send accounting packets. IIRC dd-wrt does NOT send accounting packets when used in 802.1x/WPA2-enterprise. chillispot, however, DOES send accounting packets. So you either need to change your NAS, or change your setup with dd-wrt to use captive portal with chillispot.

> 2. How to get freeRADIUS to work with a DHCP server. I'm not asking about the experimental built-in DHCP server, as it seems very limited, but is it possible to somehow log the IP addresses that each user is assigned? We need to know who was using a certain IP address at a certain time.

The easiest way? Use v2.1.x branch from git, activate its DHCP server, and use dhcp_sqlippool, which would use DB to hand out IP addresses :)

AFAIK some NAS (e.g. mikrotik: http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server ) can ask a radius server for IP address (in standard framed-ip-address attribute), and hand it to DHCP clients. But since you say you use dd-wrt, it might not apply to you.

> 3. How to connect using Windows. It's dead simple to connect to the network with linux, mac and smartphones but for Windows it seems impossible to find the right combination of settings. I haven't googled this issue so much, so maybe there's a simple answer. Also, it's a later problem.

If you use captive portal setup, it's easy. If you use 802.1x, you probably need to make sure that FR tries PEAP-MSCHAP first (e.g. by changing default EAP type in eap.conf?)

--
Fajar