RE: Setting up FreeRADIUS accounting with IP address logging

2012-04-15 Thread Alan Buxey
hi,


> I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 
> enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good 
> solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. 
> There are a few problems I cannot figure out though:

I'd advise that you run the latest version before doing anything else. 

> 1. How to set up plain-text accounting.
> I saw in the configuration that the log directory is set to 
> /var/log/freeradius/radacct so I created the directory and made writable (777 
> to be sure) but alas, there are no logs.

Accounting requires your NAS (your Linksys boxes with dd-wrt) to actually send 
accounting packets. You should still get authentication logs in the 
/var/log/freeradius directory (when you don't run in debug mode!)

> 2. How to get freeRADIUS to work with a DHCP server.
> I'm not asking about the experimental built-in DHCP server, as it seems very 
> limited, but is it possible to somehow log the IP addresses that each user is 
> assigned? We need to know who was using a certain IP address at a certain 
> time.

Accounting will show IP address versus MAC address. However, to use a DHCP 
server just ensure that the network that people are dropped onto after 
authorization/authentication has a DHCP listener on it to hand out addresses. 
Your Linux box could have an interface on the client network and be handing 
out IP addresses via ISC DHCPD for example. You could always take the syslog 
of the DHCP server pumped across the net to syslog-ng on your Linux box too - 
with some local scripts you can tie things together like that too.

> 3. How to connect using Windows.
> It's dead simple to connect to the network with linux, mac and smartphones but 
> for Windows it seems impossible to find the right combination of settings. I 
> haven't googled this issue so much, so maybe there's a simple answer. Also, 
> it's a later problem.

? Just choose PEAP, ensure that you are NOT using the Windows login 
username/password (unless you have access to eg Active Directory).
Check the certificate, validate the CA... if you search for eg 'eduroam 
windows' you'll find hundreds of academic sites that use 802.1X with Windows
- just look at their step by step instructions...and IGNORE those that say don't 
check the cert/CA (!)

alan

> P.S. I have attached the radiusd.conf file at the end. I haven't changed much 
> though.

radiusd -X is the only thing of use on the ML

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Setting up FreeRADIUS accounting with IP address logging

2012-04-15 Thread Andres Septer


- Original Message -
From: Alan Buxey a.l.m.bu...@lboro.ac.uk

> I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 
> enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good 
> solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. 
> There are a few problems I cannot figure out though:
> [snip]

OFFTOPIC, but isn't it stated in the dd-wrt documentation that only WPA2-AES 
auth works correctly on dd-wrt? 


Andres Septer

Systems Administrator
Navirec Software OÜ
Tallinn, Estonia
http://navirec.com


Setting up FreeRADIUS accounting with IP address logging

2012-04-14 Thread Johan Swetzén
Hi!

I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 
enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good 
solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. There 
are a few problems I cannot figure out though:

1. How to set up plain-text accounting.
I saw in the configuration that the log directory is set to 
/var/log/freeradius/radacct so I created the directory and made writable (777 
to be sure) but alas, there are no logs.

2. How to get freeRADIUS to work with a DHCP server.
I'm not asking about the experimental built-in DHCP server, as it seems very 
limited, but is it possible to somehow log the IP addresses that each user is 
assigned? We need to know who was using a certain IP address at a certain time.

3. How to connect using Windows.
It's dead simple to connect to the network with linux, mac and smartphones but 
for Windows it seems impossible to find the right combination of settings. I 
haven't googled this issue so much, so maybe there's a simple answer. Also, 
it's a later problem.

Thankful for a response,

Johan

P.S. I have attached the radiusd.conf file at the end. I haven't changed much 
though.


Johan Swetzén
jo...@swetzen.com

radiusd.conf


 -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##  http://www.freeradius.org/
##  $Id$
##

##
#
#   Read man radiusd before editing this file.  See the section
#   titled DEBUGGING.  It outlines a method where you can quickly
#   obtain the configuration you want, without running into
#   trouble.
#
#   Run the server in debugging mode, and READ the output.
#
#   $ radiusd -X
#
#   We cannot emphasize this point strongly enough.  The vast
#   majority of problems can be solved by carefully reading the
#   debugging output, which includes warnings about common issues,
#   and suggestions for how they may be fixed.
#
#   There may be a lot of output, but look carefully for words like:
#   warning, error, reject, or failure.  The messages there
#   will usually be enough to guide you to a solution.
#
#   If you are going to ask a question on the mailing list, then
#   explain what you are trying to do, and include the output from
#   debugging mode (radiusd -X).  Failure to do so means that all
#   of the responses to your question will be people telling you
#   to post the output of radiusd -X.

##
#
#   The location of other config files and logfiles are declared
#   in this file.
#
#   Also general configuration for modules can be done in this
#   file, it is exported through the API to modules that ask for
#   it.
#
#   See man radiusd.conf for documentation on the format of this
#   file.  Note that the individual configuration items are NOT
#   documented in that man page.  They are only documented here,
#   in the comments.
#
#   As of 2.0.0, FreeRADIUS supports a simple processing language
#   in the authorize, authenticate, accounting, etc. sections.
#   See man unlang for details.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#
#  name of the running server.  See also the -n command-line option.
name = freeradius

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#   ./configure 

Re: Setting up FreeRADIUS accounting with IP address logging

2012-04-14 Thread Matthew Newton
Hi Johan,

On Sat, Apr 14, 2012 at 12:06:54PM +0200, Johan Swetzén wrote:
> I'm setting up wifi internet in my student dorm (90 people) and
> thought wpa2 enterprise with FreeRADIUS (version 2.1.8 running
> on Ubuntu) would be a good solution, together with the
> incredibly stable Linksys WRT54GL and dd-wrt. There are a few
> problems I cannot figure out though:

2.1.8 is pretty old. You should really run the latest 2.1.12,
which fixes a number of bugs. It's easy to get running on
debian/ubuntu, as the freeradius source comes with debian
packaging stuff. See
http://wiki.freeradius.org/Build#Building+Debian+packages

However, what you're trying to do will work on 2.1.8.


> 1. How to set up plain-text accounting.
> I saw in the configuration that the log directory is set to
> /var/log/freeradius/radacct so I created the directory and made
> writable (777 to be sure) but alas, there are no logs.

The default config creates this directory and writes logs to it.
If you have broken the default config, then it won't work. My
guess is a permissions problem, or you've fiddled with the config
a lot and broken it, or the NAS is not sending accounting packets.

You need to run freeradius as 'freeradius -X' and read the debug
output to see what's happening. Look for the 'detail' lines. If
you see no accounting packets arrive, work out what's broken on
your NAS or network.

> 2. How to get freeRADIUS to work with a DHCP server.
> I'm not asking about the experimental built-in DHCP server, as
> it seems very limited, but is it possible to somehow log the IP
> addresses that each user is assigned? We need to know who was
> using a certain IP address at a certain time.

a) see the answer to question 1.

b) The NAS should return the client's IP address in the
*accounting* packets, which you aren't currently getting, so you
won't see anything at the moment. The end-user's IP address, if
sent, should be in the Framed-IP-Address attribute. Their MAC
address should be in the accounting logs, and any auth logs, as
the Calling-Station-Id attribute.

> 3. How to connect using Windows.
> It's dead simple to connect to the network with linux, mac and
> smartphones but for Windows it seems impossible to find the
> right combination of settings. I haven't googled this issue so
> much, so maybe there's a simple answer. Also, it's a later
> problem.

If you're using Active Directory:
http://wiki.freeradius.org/freeradius_active_directory_integration_howto

If not, see the same page especially
http://wiki.freeradius.org/freeradius_active_directory_integration_howto#Configuration+of+users
and the MS-CHAP-Use-NTLM-Auth := 0 bit.

In short, you need to use PEAP with MS-CHAPv2, or EAP-TLS
(certificates/PKI), if you're using Windows = 7.

> P.S. I have attached the radiusd.conf file at the end. I haven't changed much 
> though.

That file is essentially useless, it's the whole config that
matters, and that's only a very small part. You need to send the
debug output from 'freeradius -X' next time.

Cheers

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
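Matthew's answer above (and Alan's earlier one) says the accounting records are where the Framed-IP-Address and Calling-Station-Id end up. The script below is an added example, not code from the thread or from FreeRADIUS: it parses the plain-text format that rlm_detail writes into radacct (a date line, then tab-indented "Attribute = value" lines, terminated by a blank line), pairs Start/Stop records by Acct-Session-Id, and answers the dorm's actual question, "who was using this IP at this time". The sample records, user name, MAC and session id are constructed for the example.

```python
import re
from datetime import datetime
# Constructed sample of an rlm_detail accounting file (values are made up).
SAMPLE_DETAIL = """\
Sat Apr 14 12:06:54 2012
\tAcct-Session-Id = "4F895F5E-00000001"
\tAcct-Status-Type = Start
\tUser-Name = "johan"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tFramed-IP-Address = 10.0.0.23

Sat Apr 14 13:40:02 2012
\tAcct-Session-Id = "4F895F5E-00000001"
\tAcct-Status-Type = Stop
\tUser-Name = "johan"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tFramed-IP-Address = 10.0.0.23
"""
ATTR_RE = re.compile(r"^\t([\w-]+) = (.*)$")

def parse_detail(text):
    """One dict per record: a date line, then tab-indented 'Attr = value' lines."""
    records = []
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m and records:                    # attribute line of the current record
            records[-1][m.group(1)] = m.group(2).strip('"')
        elif line.strip() and not line.startswith("\t"):   # date line opens a record
            records.append({"time": datetime.strptime(line.strip(), "%a %b %d %H:%M:%S %Y")})
    return records

def build_sessions(records):
    """Pair Start/Stop records by Acct-Session-Id, keeping last-seen user, MAC, IP."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r.get("Acct-Session-Id"), {"start": None, "stop": None})
        for key, attr in (("user", "User-Name"), ("mac", "Calling-Station-Id"),
                          ("ip", "Framed-IP-Address")):
            if attr in r:
                s[key] = r[attr]
        if r.get("Acct-Status-Type") in ("Start", "Stop"):
            s[r["Acct-Status-Type"].lower()] = r["time"]
    return sessions

def who_had_ip(sessions, ip, at):
    """(user, mac) that held `ip` at datetime `at`, else None; no Stop yet = still active."""
    for s in sessions.values():
        if s.get("ip") == ip and s["start"] and s["start"] <= at \
                and (s["stop"] is None or at <= s["stop"]):
            return s["user"], s.get("mac")
    return None
```

Point it at the real file with `build_sessions(parse_detail(open("/var/log/freeradius/radacct/<nas-ip>/detail-...").read()))`; if the NAS never sends Framed-IP-Address, `who_had_ip` finds nothing and the DHCP syslog route Alan describes is the fallback.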


Re: Setting up FreeRADIUS accounting with IP address logging

2012-04-14 Thread Fajar A. Nugraha
On Sat, Apr 14, 2012 at 5:06 PM, Johan Swetzén jo...@swetzen.com wrote:
> Hi!
>
> I'm setting up wifi internet in my student dorm (90 people) and thought wpa2 
> enterprise with FreeRADIUS (version 2.1.8 running on Ubuntu) would be a good 
> solution, together with the incredibly stable Linksys WRT54GL and dd-wrt. 
> There are a few problems I cannot figure out though:
>
> 1. How to set up plain-text accounting.
> I saw in the configuration that the log directory is set to 
> /var/log/freeradius/radacct so I created the directory and made writable (777 
> to be sure) but alas, there are no logs.

Your NAS needs to send accounting packets. IIRC dd-wrt does NOT send
accounting packets when used in 802.1x/WPA2-enterprise. chillispot,
however, DOES send accounting packets. So you either need to change
your NAS, or change your setup with dd-wrt to use captive portal with
chillispot.


> 2. How to get freeRADIUS to work with a DHCP server.
> I'm not asking about the experimental built-in DHCP server, as it seems very 
> limited, but is it possible to somehow log the IP addresses that each user is 
> assigned? We need to know who was using a certain IP address at a certain 
> time.


The easiest way? Use v2.1.x branch from git, activate its DHCP server,
and use dhcp_sqlippool, which would use DB to hand out IP addresses :)

AFAIK some NAS (e.g. mikrotik:
http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server ) can ask a radius
server for IP address (in standard framed-ip-address attribute), and
hand it to DHCP clients. But since you say you use dd-wrt, it might
not apply to you.

> 3. How to connect using Windows.
> It's dead simple to connect to the network with linux, mac and smartphones 
> but for Windows it seems impossible to find the right combination of 
> settings. I haven't googled this issue so much, so maybe there's a simple 
> answer. Also, it's a later problem.

If you use captive portal setup, it's easy.
If you use 802.1x, you probably need to make sure that FR tries
PEAP-MSCHAP first (e.g. by changing the default EAP type in eap.conf?)

-- 
Fajar