Re: accounting question

2013-01-22 Thread Phil Mayers

On 01/21/2013 06:47 AM, Tzvika Gelber wrote:

> I'm looking to focus a problem I have - I think the main issue is not
> freeradius but it's a good place to ask.
>
> I have a server that does both Radius and accounting for Wifi random
> users (web redirected system).
>
> Now I just discovered that to authenticate the users I have to use the
> server secret password

It's not a server secret password. The correct term is radius shared
secret.

> On the accounting side I can use whatever I want and it will still work.
> (If the secret for the server is 12345 I can use abcde for the
> accounting and I'll get the accounting files.)

No, this doesn't work reliably.

> The question is this: if we stick to the AAA protocol do you really need
> the radius secret to use accounting? Or can I just drop it?

No. The secret is required for correct operation.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
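
What the shared secret does in accounting, as an added example that is not part of the original thread: per RFC 2866 the NAS signs each Accounting-Request with MD5 over the packet plus the secret, and the server signs the Accounting-Response over the request's authenticator. The packet ID and attribute values are constructed; the secrets 12345 and abcde are the ones from the question.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length covers all three)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def _sign(code: int, ident: int, auth_input: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + auth_input + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + auth_input + attrs + secret).digest()


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """NAS side: the authenticator is computed over 16 zero octets."""
    auth = _sign(ACCOUNTING_REQUEST, ident, bytes(16), attrs, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + auth + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the authenticator with the secret held for this client."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not HEADER_LEN <= length <= len(packet):
        return False
    attrs = packet[HEADER_LEN:length]  # octets past Length are padding
    expected = _sign(code, ident, bytes(16), attrs, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Server side: sign over the Request Authenticator copied from the request."""
    ident = request[1]
    auth = _sign(ACCOUNTING_RESPONSE, ident, request[4:HEADER_LEN], b"", secret)
    return struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, HEADER_LEN) + auth


def verify_accounting_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: a response signed with a different secret does not verify."""
    if len(response) < HEADER_LEN or response[0] != ACCOUNTING_RESPONSE:
        return False
    if response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if not HEADER_LEN <= length <= len(response):
        return False
    expected = _sign(ACCOUNTING_RESPONSE, response[1], request[4:HEADER_LEN],
                     response[HEADER_LEN:length], secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


# Constructed attributes: Acct-Status-Type = Start, Acct-Session-Id, NAS-IP-Address.
SAMPLE_ATTRS = (
    encode_attr(40, struct.pack("!I", 1))
    + encode_attr(44, b"sample-session-0001")
    + encode_attr(4, bytes([192, 0, 2, 1]))
)


def demo() -> dict:
    """Run the exchange with the NAS on 'abcde' and the server on '12345'."""
    request = build_accounting_request(7, SAMPLE_ATTRS, b"abcde")
    tampered = request[:-1] + bytes([request[-1] ^ 0x01])
    response = build_accounting_response(request, b"12345")
    return {
        "server_accepts_with_12345": verify_accounting_request(request, b"12345"),
        "server_accepts_with_abcde": verify_accounting_request(request, b"abcde"),
        "tampered_request_accepted": verify_accounting_request(tampered, b"abcde"),
        "nas_accepts_response": verify_accounting_response(response, request, b"abcde"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A receiver that skips this check has no way to tell a genuine accounting record from a forged or modified one.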


accounting question

2013-01-20 Thread Tzvika Gelber
I'm looking to focus a problem I have - I think the main issue is not
freeradius but it's a good place to ask.

I have a server that does both Radius and accounting for Wifi random users
(web redirected system).

Now I just discovered that to authenticate the users I have to use the
server secret password.
On the accounting side I can use whatever I want and it will still work.
(If the secret for the server is 12345 I can use abcde for the accounting
and I'll get the accounting files.)

The question is this: if we stick to the AAA protocol do you really need
the radius secret to use accounting? Or can I just drop it?

-- 

Sometimes you just glow in the dark...

accounting question

2010-01-25 Thread Marlon Duksa
Hi,
I have redundant NAS nodes and they obviously have two different NAS-IP. If
one NAS fails, the entity for which I'm accounting traffic is automatically
switched over to the redundant NAS which can keep sending accounting
records to Radius. However, the records will have different NAS-IP,
NAS-Identifier and NAS-Port-ID.

The acct-session-id and framed-ip-address will be the same (and this is what
I use to identify the entity for which I collect acct info). Is there any
way that these new records will be written to the same file as before the
failover so that I can correlate the records?

I see that the acct directory is in /var/log/freeradius/radacct/NAS-IP/.
This NAS-IP directory name is what is bothering me. Is there any way to
change this?
Thanks
Marlon

RE: accounting question

2010-01-25 Thread Tim Sylvester
Write the accounting information to a MySQL database. Then query the radacct
table for the accounting information. 

 

Tim

 


RE: accounting question

2010-01-25 Thread Tim Sylvester
You can configure FreeRADIUS to store all of the accounting information in
one file in the same directory. Look at the etc/raddb/modules/detail file
for instructions on how to change where accounting information is logged.
The default detail file name is:

    detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

You could change it to:

    detailfile = ${radacctdir}/detail-%Y%m%d

and the accounting information would be written to one file independent of
the NAS.

 

Tim

 


Re: accounting question

2010-01-25 Thread Alan DeKok
Marlon Duksa wrote:
> The acct-session-id and framed-ip-address will be the same (and this is
> what I use to identify the entity for which I collect acct info). Is
> there any way that these new records will be written to the same file as
> before the failover so that I can correlate the records?

  Use the acct_unique_id module to key off of Acct-Session-Id and
Framed-IP-Address.

  Then, ensure that any accounting sessions are tracked by the unique
ID, and not by NAS IP.

> I see that the acct directory is in
> /var/log/freeradius/radacct/NAS-IP/. This NAS-IP directory name is
> what is bothering me. Is there any way to change this?

  See the configuration for the detail module.

  Alan DeKok.
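
Correlating records across a NAS failover, as an added example that is not from the thread or from FreeRADIUS: it parses a detail file and groups records by a key built from Acct-Session-Id and Framed-IP-Address only. The sample records are constructed, the detail layout (a timestamp line followed by tab-indented `Attribute = value` lines) is assumed, and the key hash is illustrative rather than the exact value the acct_unique module produces.

```python
import hashlib
from collections import defaultdict

# Constructed detail-file excerpt: sess-0001 starts on one NAS and continues
# on the redundant NAS after a failover; sess-0002 is an unrelated session.
SAMPLE_DETAIL = """\
Mon Jan 25 18:00:00 2010
\tAcct-Status-Type = Start
\tAcct-Session-Id = "sess-0001"
\tFramed-IP-Address = 192.0.2.10
\tNAS-IP-Address = 10.0.0.1
\tNAS-Identifier = "nas-a"

Mon Jan 25 18:05:00 2010
\tAcct-Status-Type = Start
\tAcct-Session-Id = "sess-0002"
\tFramed-IP-Address = 192.0.2.11
\tNAS-IP-Address = 10.0.0.1
\tNAS-Identifier = "nas-a"

Mon Jan 25 18:10:00 2010
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "sess-0001"
\tFramed-IP-Address = 192.0.2.10
\tNAS-IP-Address = 10.0.0.2
\tNAS-Identifier = "nas-b"

Mon Jan 25 18:30:00 2010
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "sess-0001"
\tFramed-IP-Address = 192.0.2.10
\tNAS-IP-Address = 10.0.0.2
\tNAS-Identifier = "nas-b"
"""


def parse_detail(text):
    """Split detail-file text into one dict per accounting record."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current record
            if current:
                records.append(current)
            current = None
        elif line[0] in " \t":          # indented "Attribute = value" line
            if current is None:
                continue                # attribute without a header line: skip it
            name, sep, value = line.strip().partition(" = ")
            if sep:
                current[name] = value.strip('"')
        else:                           # unindented line: timestamp header
            if current:
                records.append(current)
            current = {"_logged": line.strip()}
    if current:
        records.append(current)
    return records


def session_key(record, key_attrs):
    """Hash only the attributes that survive a failover (illustrative format)."""
    material = ",".join(f"{attr}={record.get(attr, '')}" for attr in key_attrs)
    return hashlib.md5(material.encode()).hexdigest()[:16]


def correlate(records, key_attrs):
    """Group records by session key, preserving file order inside each group."""
    sessions = defaultdict(list)
    for record in records:
        sessions[session_key(record, key_attrs)].append(record)
    return dict(sessions)


def summarize(sessions):
    """Return (session id, record count, NAS addresses seen) for each group."""
    return sorted(
        (recs[0]["Acct-Session-Id"], len(recs),
         sorted({r["NAS-IP-Address"] for r in recs}))
        for recs in sessions.values()
    )


if __name__ == "__main__":
    parsed = parse_detail(SAMPLE_DETAIL)
    print(summarize(correlate(parsed, ("Acct-Session-Id", "Framed-IP-Address"))))
    print(len(correlate(parsed, ("NAS-IP-Address", "Acct-Session-Id", "Framed-IP-Address"))))
```

Including NAS-IP-Address in the key splits the failed-over session into two groups, which is the effect the per-NAS directory layout has on the detail files.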


Re: Accounting question

2009-12-17 Thread Arran Cudbard-Bell

On 16/12/2009 19:21, David Peterson wrote:
> OK I added the reply update and see the acknowledgement go out:
>
> Sending Access-Accept of id 8 to 172.16.4.2 port 1812
> Service-Type = Framed-User
> User-Name = testtest
> Framed-Filter-Id = Bronze
> Class = 0x7465737474657374
> EAP-Message = 0x03080004
> Message-Authenticator = 0x
> WiMAX-IP-Technology = CMIP4
> WiMAX-hHA-IP-MIP4 = 192.168.10.3
> WiMAX-MSK = 0x686ea51099d982afffe6d3555b34d6a9ae889284f3e2db6eeab05848838fd290d00925dd068d797a09eb3b4d17b5a90ad00ab5291ce7ba9a519440b480bb3943
> WiMAX-MN-hHA-MIP4-Key = 0x4e96fdcb6522057bfefbe762e274dbc33640f2ff
> WiMAX-MN-hHA-MIP4-SPI = 1824920104
>
> However the NAS is overriding the username and replying with:
>
> rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=31, length=262
> Acct-Status-Type = Start
> WiMAX-Beginning-Of-Session = 1
> Class = 0x7465737474657374
> WiMAX-IP-Technology = Reserved-0
> Acct-Session-Id = 00-12-cf-c3-fb-8c16\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
> Framed-IP-Address = 64.186.195.5
> User-Name = {am=1}2d0e1fba7e14896968495d723d41a...@test.com
> Calling-Station-Id = 00-12-cf-c3-fb-8c
> NAS-Identifier = WC_LAB
> WiMAX-hHA-IP-MIP4 = 192.168.10.3
> NAS-IP-Address = 172.16.4.2
> WiMAX-BS-Id = 0x02030209
> Framed-Pool = alias
> Event-Timestamp = Dec 16 2009 13:15:14 CST
> WiMAX-GMT-Timezone-offset = 21600
> Acct-Authentic = RADIUS
>
> Any other thoughts?

Great! It includes a Class attribute in the response.


You have two options, the easy and bad way of doing things, or the harder but
correct way.

bad - edit the definition for the Class attribute in
freeradius/share/dictionary/dictionary.rfc2865 so FreeRADIUS treats it as a
string:

    ATTRIBUTE   Class   25  string

Then add the following into post-auth:

    update reply {
        Class := "%{request:User-Name}"
    }

And the following into pre-acct:

    if (Class) {
        update request {
            User-Name := "%{request:Class}"
        }
    }

good -

1. Update the schema for the radpostauth table to include a 32-byte field
   (called authsessionid?) with a unique index to record the value of the Class
   attribute in the Access-Accept.
2. Update the postauth insert statement to record the value of %{reply:Class}
   (it's in raddb/sql/server type/conf file).
3. Insert the following into authorize:

    update reply {
        Class := "%{md5:%{Client-IP-Address}%{NAS-IP-Address}%{%{NAS-Port-ID}:-%{NAS-Port}}%{Calling-Station-ID}%{reply:User-Name}%t}"
    }

4. Insert the following into pre-acct:

    if (Class) {
        update request {
            Tmp-String-0 := "%{sql:SELECT `username` FROM `radpostauth` WHERE `authsessionid` = %{request:Class} LIMIT 1}"
        }
        if (Tmp-String-0) {
            update request {
                User-Name := "%{request:Tmp-String-0}"
            }
        }
    }

The good option is also nice as it allows you to link postauth and accounting
records in a more general way, and you can still treat Class as opaque binary
data.

Hope this helps.


-Arran
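
The "good" option above, sketched end to end as an added example (not code from the thread or from FreeRADIUS): post-auth derives an MD5 token from the same fields as the `%{md5:...}` expansion, stores it beside the real User-Name, and sends it as Class; pre-acct looks the echoed Class up and rewrites User-Name. The SQLite store, the function names and the sample outer identity are assumptions made for the illustration.

```python
import hashlib
import sqlite3
import time


def open_store():
    """In-memory stand-in for radpostauth with the extra authsessionid column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radpostauth ("
        " username TEXT NOT NULL,"
        " authsessionid TEXT NOT NULL UNIQUE)"  # 32 hex characters of MD5
    )
    return db


def post_auth(db, request, real_user_name, now=None):
    """Derive the token, record it against the real User-Name, return the Class value."""
    stamp = str(int(time.time() if now is None else now))
    # Mirrors %{%{NAS-Port-ID}:-%{NAS-Port}}: fall back when the first is absent.
    port = request.get("NAS-Port-ID") or request.get("NAS-Port", "")
    material = "".join([
        request.get("Client-IP-Address", ""),
        request.get("NAS-IP-Address", ""),
        port,
        request.get("Calling-Station-Id", ""),
        real_user_name,
        stamp,
    ])
    token = hashlib.md5(material.encode()).hexdigest()
    db.execute(
        "INSERT INTO radpostauth (username, authsessionid) VALUES (?, ?)",
        (real_user_name, token),
    )
    return token.encode()  # Class travels as opaque octets


def pre_acct(db, acct_request):
    """If the NAS echoed a known Class, return a copy with User-Name replaced."""
    raw = acct_request.get("Class")
    if not raw:
        return acct_request
    try:
        token = raw.decode("ascii")
    except UnicodeDecodeError:
        return acct_request          # not a token this server issued
    row = db.execute(
        "SELECT username FROM radpostauth WHERE authsessionid = ? LIMIT 1",
        (token,),                    # bound parameter: Class comes from the network
    ).fetchone()
    if row is None:
        return acct_request          # unknown token: leave the record untouched
    fixed = dict(acct_request)
    fixed["User-Name"] = row[0]
    return fixed


def demo():
    """Constructed exchange: addresses follow the debug output in this thread."""
    db = open_store()
    access_request = {
        "Client-IP-Address": "172.16.4.2",
        "NAS-IP-Address": "172.16.4.2",
        "Calling-Station-Id": "00-12-cf-c3-fb-8c",
    }
    class_value = post_auth(db, access_request, "testtest", now=1260990914)
    accounting = {
        "User-Name": "{am=1}constructed-outer-id@example.com",  # constructed value
        "Class": class_value,
    }
    return pre_acct(db, accounting)["User-Name"]


if __name__ == "__main__":
    print(demo())
```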

 

Re: Accounting question

2009-12-16 Thread Alan DeKok
David Peterson wrote:
> What I am not understanding at this point is how the authentication works
> with the username hashed or using hex stuff but the accounting doesn't.
> You can see on this debug that the username looks the same when it's
> authenticated as it does when it's used for accounting yet the username in
> the database is clear text.

  Because it's using TTLS, and there is *another* name inside of the TLS
tunnel.

  This *should* be clear from the debug output.  Read it.  *All*.

  Once you have the inner User-Name, you can write both it, and the
outer hex stuff to a table for later correlation.  You were told this.

  Now stop trying to understand the problem.  Find the good User-Name,
and then write it and the hex version to an SQL table.  Use that table
to fix the accounting records.

  *Nothing* else will solve the problem.

  You're stuck on "oh my god, the user name is hex".  Get over it.
Ignore the hex nonsense, and go fix the problem.

  Alan DeKok.


RE: Accounting question

2009-12-16 Thread David Peterson
OK I added the reply update and see the acknowledgement go out:

Sending Access-Accept of id 8 to 172.16.4.2 port 1812
Service-Type = Framed-User
User-Name = testtest
Framed-Filter-Id = Bronze
Class = 0x7465737474657374
EAP-Message = 0x03080004
Message-Authenticator = 0x
WiMAX-IP-Technology = CMIP4
WiMAX-hHA-IP-MIP4 = 192.168.10.3
WiMAX-MSK = 0x686ea51099d982afffe6d3555b34d6a9ae889284f3e2db6eeab05848838fd290d00925dd068d797a09eb3b4d17b5a90ad00ab5291ce7ba9a519440b480bb3943
WiMAX-MN-hHA-MIP4-Key = 0x4e96fdcb6522057bfefbe762e274dbc33640f2ff
WiMAX-MN-hHA-MIP4-SPI = 1824920104

However the NAS is overriding the username and replying with:

rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=31, length=262
Acct-Status-Type = Start
WiMAX-Beginning-Of-Session = 1
Class = 0x7465737474657374
WiMAX-IP-Technology = Reserved-0
Acct-Session-Id = 00-12-cf-c3-fb-8c16\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
Framed-IP-Address = 64.186.195.5
User-Name = {am=1}2d0e1fba7e14896968495d723d41a...@test.com
Calling-Station-Id = 00-12-cf-c3-fb-8c
NAS-Identifier = WC_LAB
WiMAX-hHA-IP-MIP4 = 192.168.10.3
NAS-IP-Address = 172.16.4.2
WiMAX-BS-Id = 0x02030209
Framed-Pool = alias
Event-Timestamp = Dec 16 2009 13:15:14 CST
WiMAX-GMT-Timezone-offset = 21600
Acct-Authentic = RADIUS

Any other thoughts?

David

From: Arran Cudbard-Bell [a.cudbard-b...@sussex.ac.uk]
Sent: Tuesday, December 15, 2009 5:32 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Accounting question

David Peterson wrote:
 Forgive my newbieness but where would I put that code?  I tried adding it to 
 the sites-available/default file under accounting but I am guessing that's 
 not right.

That'll stop any potential problems arising from the malformed Acct-Session-ID 
yes.

Regarding the username, try putting the following in postauth.

update reply {
User-Name := 'testtest'
Class := 'testtest'
}

See if either of those values are included in accounting sessions. If they are 
then there are ways to work around the User-Name in accounting packets.

-Arran

Re: Accounting question

2009-12-16 Thread Alan DeKok
David Peterson wrote:
> However the NAS is overriding the username and replying with:
...

  Buy a NAS that works.

> Any other thoughts?

  Follow the other suggestions that would solve the problem.

  Alan DeKok.


Accounting question

2009-12-15 Thread David Peterson
Radius is storing the accounting information using the EAP hashed username.
Is there a way to change it to store the clear text username with the
accounting info?

 

David Peterson
Engineer
Wireless Connections
166 Milan Ave., Norwalk, Oh. 44857 
ACCessing the Future Today!!
ofc. 419.660.6100 ext 2287

cell 419-706-7355
fax  419-668-4077
 http://www.wirelessconnections.net/ http://www.wirelessconnections.net


Re: Accounting question

2009-12-15 Thread Alan DeKok
David Peterson wrote:
> Radius is storing the accounting information using the EAP hashed
> username.

  What's an EAP hashed username ?

> Is there a way to change it to store the clear text username
> with the accounting info?

  Sure.  Send a User-Name attribute in the Access-Accept, and the NAS
*should* send that back in the Accounting packets.

  Alan DeKok.


RE: Accounting question

2009-12-15 Thread David Peterson
Here is a sample of the accounting information I am getting back:

1   00-12-cf-c7-4c-f21  8de274900adce6a9
=7bam=3d1=7d20dc847805b044128ac3c4bd8ce95...@example.comexample.com
172.16.4.2  

2009-12-07 08:54:44 2009-12-07 08:56:43 119 RADIUS  

0   0   
00-12-cf-c7-4c-f2   NAS-Request 

64.186.195.50   0   
2   00-12-cf-c7-4c-f22  24acff6ce9b251c3
=7bam=3d1=7dd333c622e88b4bbf996e8b96c9850...@example.comexample.com
172.16.4.2  

2009-12-07 08:56:41 2009-12-07 09:00:08 207 RADIUS  

0   0   

From what I can determine, the username is encrypted even though the
authentication is done in clear text during the EAP authentication.

David




RE: Accounting question

2009-12-15 Thread David Peterson
I added that attribute in the access-accept and I see it going to the NAS.
However the NAS still returns accounting information with the
=7bam=3d1=7dd333c622e88b4bbf996e8b96c9850...@example.com format.

David



Re: Accounting question

2009-12-15 Thread Alan Buxey
hi,

those look like chargeable user identities - do you have CUI operational
on your config?

alan


Re: Accounting question

2009-12-15 Thread Alan DeKok
David Peterson wrote:
> From what I can determine, the username is encrypted even though the
> authentication is done in clear text during the EAP authentication.

  It's not encrypted.  My guess is that you are using WiMAX.

  As always, run the server in debugging mode to see what's going on.

  But if the NAS refuses to send a usable User-Name in an accounting
packet, your only solution is to somehow write the *real* User-Name and
the hex stuff into an SQL table.  Then, correlate them later when you
receive the accounting packet.

  Alan DeKok.


RE: Accounting question

2009-12-15 Thread David Peterson
WiMax it is... If anyone has any experience with Alvarion WiMax please feel
free to chime in.

David



Re: Accounting question

2009-12-15 Thread Alan DeKok
David Peterson wrote:
> WiMax it is... If anyone has any experience with Alvarion WiMax please feel
> free to chime in.

  Uhh... it would be good for them to follow the specs.

  Alan DeKok.


RE: Accounting question

2009-12-15 Thread David Peterson
Here is the accounting packet information I am getting:
rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=5, length=239
Acct-Status-Type = Start
WiMAX-Beginning-Of-Session = 1
WiMAX-IP-Technology = Reserved-0
Acct-Session-Id = 00-12-cf-c3-fb-8c3\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
Framed-IP-Address = 64.186.195.5
User-Name = {am=1}33ac5579ce57217426e7434fa60e4...@test.com
Calling-Station-Id = 00-12-cf-c3-fb-8c
NAS-Identifier = WC_LAB
NAS-IP-Address = 172.16.4.2
WiMAX-BS-Id = 0x02030209
Framed-Pool = alias
Event-Timestamp = Dec 15 2009 09:04:15 CST
WiMAX-GMT-Timezone-offset = 21600
Acct-Authentic = RADIUS

What I don't get is why the authentication works with clear text and the
accounting has the hex stuff.  Is this pretty much controlled by the NAS?

David



Re: Accounting question

2009-12-15 Thread Arran Cudbard-Bell

David Peterson wrote:

> Here is the accounting packet information I am getting:
> rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=5, length=239
> Acct-Status-Type = Start
> WiMAX-Beginning-Of-Session = 1
> WiMAX-IP-Technology = Reserved-0
> Acct-Session-Id = 00-12-cf-c3-fb-8c3\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
> Framed-IP-Address = 64.186.195.5
> User-Name = {am=1}33ac5579ce57217426e7434fa60e4...@test.com
> Calling-Station-Id = 00-12-cf-c3-fb-8c
> NAS-Identifier = WC_LAB
> NAS-IP-Address = 172.16.4.2
> WiMAX-BS-Id = 0x02030209
> Framed-Pool = alias
> Event-Timestamp = Dec 15 2009 09:04:15 CST
> WiMAX-GMT-Timezone-offset = 21600
> Acct-Authentic = RADIUS
>
> What I don't get is why the authentication works with clear text and the
> accounting has the hex stuff.  Is this pretty much controlled by the NAS?

The hex stuff is the NAS appending 31 null chars to the session id.
FreeRADIUS is converting the unprintable characters into escape codes so that
they're visible.

The RFC recommendation is that:

The Acct-Session-Id SHOULD contain UTF-8 encoded 10646 [7] characters.

Which SHOULD limit it to printable chars.

Really this is something your NAS vendor should fix, as it's a bug in their
code.

...Though if you really want you can trim off the superfluous nulls with:

    if (Acct-Session-ID =~ /(.*)/) {
        update request {
            Acct-Session-ID := "%{1}"
        }
    }


-Arran






RE: Accounting question

2009-12-15 Thread David Peterson
Forgive my newbieness but where would I put that code?  I tried adding it to 
the sites-available/default file under accounting but I am guessing that's not 
right.

David



RE: Accounting question

2009-12-15 Thread David Peterson
 : Info: [sql] sql_set_user escaped user -- 
'{am=1}1f48c19b43c8c33846faa9cfc5899...@test.com'
Tue Dec 15 12:04:00 2009 : Info: [sql]  expand: %{Acct-Delay-Time} -
Tue Dec 15 12:04:00 2009 : Info: [sql]  expand:INSERT INTO radacct  
   (acctsessionid,acctuniqueid, username,  realm,   
 nasipaddress, nasportid,  nasporttype,  
acctstarttime,acctstoptime,  acctsessiontime,  acctauthentic,   
 connectinfo_start,  connectinfo_stop, acctinputoctets,  
acctoutputoctets,  calledstationid,  callingstationid, 
acctterminatecause,  servicetype,  framedprotocol,   
framedipaddress,  acctstartdelay,   acctstopdelay,
xascendsessionsvrkey)   VALUES ('%{Acct-Session-Id}', 
'%{Acct-Unique-Session-Id}',  '%{SQL-User-Name}',  
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',  
'%{NAS-Port-Type}', '%S', NULL,  '0', '%{Acct-Authentic}', 
'%{Connect-Info}',  '', '0', '0',  
'%{Called-Station-Id}', '%{Calling-Station-Id}', '',  '%{!
 Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
Tue Dec 15 12:04:00 2009 : Debug: rlm_sql (sql): Reserving sql socket id: 3 Tue 
Dec 15 12:04:00 2009 : Debug: rlm_sql_mysql: MYSQL check_error: 1048 received 
Tue Dec 15 12:04:00 2009 : Error: [sql] Couldn't insert SQL accounting START 
record - Column 'AcctStopTime' cannot be null Tue Dec 15 12:04:00 2009 : Info: 
[sql]  expand: %{Acct-Delay-Time} -
Tue Dec 15 12:04:00 2009 : Info: [sql]  expand:UPDATE radacct SET   
   acctstarttime = '%S',  acctstartdelay= 
'%{%{Acct-Delay-Time}:-0}',  connectinfo_start = '%{Connect-Info}'  
 WHERE acctsessionid  = '%{Acct-Session-Id}'   AND username 
= '%{SQL-User-Name}'   AND nasipaddress = '%{NAS-IP-Address}' 
-UPDATE radacct SET  acctstarttime = '2009-12-15 
12:04:00',  acctstartdelay= '0',  connectinfo_start 
= ''   WHERE acctsessionid  = '00-12-cf-c3-fb-8c7'   AND 
username = '=7bam=3d1=7d1f48c19b43c8c33846faa9cfc5899...@test.com'  
 AND nasipaddress = '172.16.4.2'
Tue Dec 15 12:04:00 2009 : Debug: rlm_sql (sql): Released sql socket id: 3
Tue Dec 15 12:04:00 2009 : Info: ++[sql] returns ok
Tue Dec 15 12:04:00 2009 : Info: [attr_filter.accounting_response]  expand: %{User-Name} - {am=1}1f48c19b43c8c33846faa9cfc5899...@test.com

-Original Message-
From: Arran Cudbard-Bell [mailto:a.cudbard-b...@sussex.ac.uk] 
Sent: Tuesday, December 15, 2009 10:56 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Accounting question

David Peterson wrote:
 Here is the accounting packet information I am getting:
 rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=5,
 length=239
 Acct-Status-Type = Start
 WiMAX-Beginning-Of-Session = 1
 WiMAX-IP-Technology = Reserved-0
 Acct-Session-Id =
 00-12-cf-c3-fb-8c3\000\000\000\000\000\000\000\000\000\000\000\000\000\000\
 000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
 Framed-IP-Address = 64.186.195.5
 User-Name = {am=1}33ac5579ce57217426e7434fa60e4...@test.com
 Calling-Station-Id = 00-12-cf-c3-fb-8c
 NAS-Identifier = WC_LAB
 NAS-IP-Address = 172.16.4.2
 WiMAX-BS-Id = 0x02030209
 Framed-Pool = alias
 Event-Timestamp = Dec 15 2009 09:04:15 CST
 WiMAX-GMT-Timezone-offset = 21600
 Acct-Authentic = RADIUS
 
 What I don't get is why the authentication works with clear text and the
 accounting has the hex stuff.  Is this pretty much controlled by the NAS?

The hex stuff is the NAS appending 31 null chars to the session id.
FreeRADIUS is converting the unprintable characters into escape codes so that 
they're visible.

The RFC recommendation is that:

The Acct-Session-Id SHOULD contain UTF-8 encoded 10646 [7] characters.

Which SHOULD limit it to printable chars.

Really this is something your NAS vendor should fix, as it's a bug in their 
code.

...Though if you really want you can trim off the superfluous nulls with:

if (Acct-Session-ID =~ /(.*)/) {
        update request {
                Acct-Session-ID := "%{1}"
        }
}


-Arran


 
 David
 
 -Original Message-
 From: Alan DeKok [mailto:al...@deployingradius.com] 
 Sent: Tuesday, December 15, 2009 9:44 AM
 To: David Peterson-WirelessConnections; FreeRadius users mailing list
 Subject: Re: Accounting question
 
 David Peterson wrote:
 From what I can determine, the username is encrypted even though the
 authentication is done in clear text during the EAP authentication.
 
   It's not encrypted.  My guess is that you are using WiMAX.
 
   As always, run the server in debugging mode to see what's going

Re: Accounting question

2009-12-15 Thread Josip Rodin
On Tue, Dec 15, 2009 at 01:10:20PM -0500, David Peterson wrote:
 What I am not understanding at this point is how the authentication works
 with the username hashed or using hex stuff but the accounting
 doesn't.  You can see on this debug that the username looks the same when
 its authenticated as it does when it's used for accounting yet the
 username in the database is clear text.
 
 rad_recv: Access-Request packet from host 172.16.4.2 port 1812, id=152, 
 length=192
 User-Name = {am=1}1f48c19b43c8c33846faa9cfc5899...@test.com
 Tue Dec 15 12:03:56 2009 : Info: [sql] sql_set_user escaped user -- '{am=1}1f48c19b43c8c33846faa9cfc5899...@test.com'
 Tue Dec 15 12:03:56 2009 : Info: [wimax] WARNING: Not calculating MN-HA keys
 Tue Dec 15 12:03:56 2009 : Info: ++[wimax] returns updated
 Sending Access-Accept of id 152 to 172.16.4.2 port 1812
 User-Name = t...@test.com
 Tue Dec 15 12:03:56 2009 : Info: Finished request 7.

Looks like you get the clear User-Name only after you run the 'wimax'
module. Run it earlier?

 rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=13, 
 length=239
 User-Name = {am=1}1f48c19b43c8c33846faa9cfc5899...@test.com

It doesn't look like you run the 'wimax' module during the processing of
accounting packets. Run it? :)

-- 
 2. That which causes joy or happiness.
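
The two workarounds raised in this thread (trimming the NUL-padded Acct-Session-Id, and recording the real User-Name next to the one the NAS sends so accounting can be correlated later), as an added example that is not from any poster or from FreeRADIUS. The table and function names and the two identities are constructed; only the session id and NAS address come from the debug output quoted in the thread.

```python
import re
import sqlite3

# FreeRADIUS debug output prints unprintable bytes as \ooo escapes, so the
# padding may arrive as raw NUL bytes (packet) or literal "\000" text (log).
NUL_PADDING = re.compile(r"(?:\x00|\\000)+\Z")

# Session id and NAS address are taken from the debug output in the thread;
# the two identities are constructed sample values.
SESSION_ID = "00-12-cf-c3-fb-8c3"
PADDED_RAW = SESSION_ID + "\x00" * 31
PADDED_ESCAPED = SESSION_ID + "\\000" * 31
NAS_IP = "172.16.4.2"
OUTER = "{am=1}00112233445566778899aabbccddeeff@example.org"
REAL = "alice@example.org"


def strip_nul_padding(value):
    """Remove NUL padding from the end of an attribute value only."""
    return NUL_PADDING.sub("", value)


def open_db():
    """In-memory stand-in for the SQL tables (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE identity_map (
            outer_name TEXT PRIMARY KEY,   -- User-Name as sent by the NAS
            real_name  TEXT NOT NULL       -- User-Name from the Access-Accept
        );
        CREATE TABLE acct (
            session_id TEXT NOT NULL,
            nas_ip     TEXT NOT NULL,
            outer_name TEXT NOT NULL,
            real_name  TEXT,               -- NULL until it can be resolved
            PRIMARY KEY (session_id, nas_ip)
        );
    """)
    return db


def record_auth(db, request_user, reply_user):
    """After an Access-Accept: remember which real user the outer name maps to."""
    db.execute("INSERT OR REPLACE INTO identity_map VALUES (?, ?)",
               (request_user, reply_user))


def record_accounting(db, attrs):
    """Store an accounting record with a clean session id and resolved user."""
    session_id = strip_nul_padding(attrs["Acct-Session-Id"])
    outer = attrs["User-Name"]
    row = db.execute("SELECT real_name FROM identity_map WHERE outer_name = ?",
                     (outer,)).fetchone()
    real = row[0] if row else None
    db.execute("INSERT OR REPLACE INTO acct VALUES (?, ?, ?, ?)",
               (session_id, attrs["NAS-IP-Address"], outer, real))
    return session_id, real


def backfill(db):
    """Resolve records stored before their mapping was known; return the count."""
    cur = db.execute("""
        UPDATE acct
           SET real_name = (SELECT real_name FROM identity_map
                             WHERE identity_map.outer_name = acct.outer_name)
         WHERE real_name IS NULL
           AND outer_name IN (SELECT outer_name FROM identity_map)""")
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    record_auth(db, OUTER, REAL)
    print(record_accounting(db, {"Acct-Session-Id": PADDED_RAW,
                                 "User-Name": OUTER,
                                 "NAS-IP-Address": NAS_IP}))
```

Without the trim, the padded and unpadded forms of the same session id are different keys, so a later update matching on the session id would not find the row.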


Re: Accounting question

2009-12-15 Thread Arran Cudbard-Bell

David Peterson wrote:

Forgive my newbieness but where would I put that code?  I tried adding it to 
the sites-available/default file under accounting but I am guessing that's not 
right.


That'll stop any potential problems arising from the malformed Acct-Session-ID 
yes.

Regarding the username, try putting the following in postauth.

update reply {
        User-Name := 'testtest'
        Class := 'testtest'
}

See if either of those values are included in accounting sessions. If they are 
then there are ways to work around the User-Name in accounting packets.

-Arran

David

-Original Message-
From: Arran Cudbard-Bell [mailto:a.cudbard-b...@sussex.ac.uk] 
Sent: Tuesday, December 15, 2009 10:56 AM

To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Accounting question

David Peterson wrote:

Here is the accounting packet information I am getting:
rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=5,
length=239
Acct-Status-Type = Start
WiMAX-Beginning-Of-Session = 1
WiMAX-IP-Technology = Reserved-0
Acct-Session-Id =
00-12-cf-c3-fb-8c3\000\000\000\000\000\000\000\000\000\000\000\000\000\000\
000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
Framed-IP-Address = 64.186.195.5
User-Name = {am=1}33ac5579ce57217426e7434fa60e4...@test.com
Calling-Station-Id = 00-12-cf-c3-fb-8c
NAS-Identifier = WC_LAB
NAS-IP-Address = 172.16.4.2
WiMAX-BS-Id = 0x02030209
Framed-Pool = alias
Event-Timestamp = Dec 15 2009 09:04:15 CST
WiMAX-GMT-Timezone-offset = 21600
Acct-Authentic = RADIUS

What I don't get is why the authentication works with clear text and the
accounting has the hex stuff.  Is this pretty much controlled by the NAS?


The hex stuff is the NAS appending 31 null chars to the session id.
FreeRADIUS is converting the unprintable characters into escape codes so that 
they're visible.

The RFC recommendation is that:

The Acct-Session-Id SHOULD contain UTF-8 encoded 10646 [7] characters.

Which SHOULD limit it to printable chars.

Really this is something your NAS vendor should fix, as it's a bug in their 
code.

...Though if you really want you can trim off the superfluous nulls with:

if (Acct-Session-ID =~ /(.*)/) {
        update request {
                Acct-Session-ID := "%{1}"
        }
}


-Arran



David

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com] 
Sent: Tuesday, December 15, 2009 9:44 AM

To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Accounting question

David Peterson wrote:

From what I can determine, the username is encrypted even though the
authentication is done in clear text during the EAP authentication.

  It's not encrypted.  My guess is that you are using WiMAX.

  As always, run the server in debugging mode to see what's going on.

  But if the NAS refuses to send a usable User-Name in an accounting
packet, your only solution is to somehow write the *real* User-Name &
the hex stuff into an SQL table.  Then, correlate them later when you
receive the accounting packet.

  Alan DeKok.



Accounting question

2007-04-09 Thread Ian Truelsen
When I connect to my AP, authenticated by freeradius using EAP-TLS, I
get an entry into radpostauth, entries
in /var/log/radius/radacct/192.168.3.115/detail-auth and detail-reply
files, but I am not getting any entries into radacct. I don't know
whether this is because the NAS is not sending any accounting packets or
my setup is not correct. However, since I am getting the entries into
radpostauth, I think I must have the setup correct.

In what circumstances are accounting packets sent from the NAS? How can
I test to see whether the packets are being sent? What sort of
information is supposed to be stored in radacct?
-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Re: Accounting question

2007-04-09 Thread Alan DeKok
Ian Truelsen wrote:
 When I connect to my AP, authenticated by freeradius using EAP-TLS, I
 get an entry into radpostauth, entries
 in /var/log/radius/radacct/192.168.3.115/detail-auth and detail-reply
 files, but I am not getting any entries into radacct. I don't know
 whether this is because the NAS is not sending any accounting packets or
 my setup is not correct. However, since I am getting the entries into
 radpostauth, I think I must have the setup correct.

  As the README and FAQ say: run the server in debugging mode.  It will
tell you if it's receiving accounting packets.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Accounting question

2007-04-09 Thread Ethan Dicks
On 4/9/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Ian Truelsen wrote:
  When I connect to my AP, authenticated by freeradius using EAP-TLS, I
  get an entry into radpostauth, entries
  in /var/log/radius/radacct/192.168.3.115/detail-auth and detail-reply
  files, but I am not getting any entries into radacct. I don't know
  whether this is because the NAS is not sending any accounting packets or
  my setup is not correct. However, since I am getting the entries into
  radpostauth, I think I must have the setup correct.

   As the README and FAQ say: run the server in debugging mode.  It will
 tell you if it's receiving accounting packets.

I did just that when I set up a Foundry test switch, and I noticed
that I was getting (and entering into the database) authorization, but
not accounting packets.  A bit of digging in the docs later, and I was
able to cobble up the incantation to tell the switch to send
accounting information, too.  I'd previously set up the correct ports,
but it took additional commands to get the switch to _send_ the
packets over the port.

Check the docs for your NAS, specifically look for something like aaa
accounting enable... or the like.  You didn't say what vendor made
your NAS, so guessing commands is going to be a bit difficult.

-ethan


Re: accounting question

2005-11-11 Thread Alan DeKok
Chuck [EMAIL PROTECTED] wrote:
 would it also do the same thing if I removed the simultaneous-use=1 check 
 statement from the user group?

  No.  That's enforcement, not accounting.

  Alan DeKok.


accounting question

2005-11-10 Thread Chuck
we keep getting a lot of missed stop packets that we never had problems with 
when we ran icradius. I don't know what the problem could be but I am getting 
ready to turn accounting off for us. However I have a major concern with 
this.

We are using the mysql option with freeradius including the nas table.
We use a flat file, proxy.conf, for our remote realm configurations.

We proxy for a number of remote realms running their own radius authentication 
and they receive accounting information we receive from our upstream passed 
on to them.

If I turn accounting off, is there a way we can still pass accounting through 
to our remote realms, or is it a global on/off switch that affects everyone?
I just don't want to keep track of it locally until we can figure out what is 
causing this.

I do notice a number of error messages about 0 length stop packets being 
received and I assume they are rejected. I have also contacted our upstream 
provider and asked them to be sure all is well with what they pass us.

We use 1645:1646 and have those ports in iptables to freely accept.. are there 
possibly other ports I should be putting in there?



-- 

Chuck




Re: accounting question

2005-11-10 Thread Alan DeKok
Chuck [EMAIL PROTECTED] wrote:
 If I turn accounting off, is there a way we can still pass
 accounting through to our remote realms, or is it a global on/off
 switch that affects everyone?

  Yes.  You can delete the detail and sql entries from accounting,
and it won't log accounting to the local machine, but it will still
proxy packets.

 I do notice a number of error messages about 0 length stop packets being 
 received and I assume they are rejected.

  Yes.  That shouldn't affect anything, though.

  Alan DeKok.



Re: accounting question

2005-11-10 Thread Chuck
On Thursday 10 November 2005 05:44 pm, Alan DeKok wrote:

Would it also do the same thing if I removed the simultaneous-use=1 check 
statement from the user group? Until I can figure this out that would be my 
easiest thing still allowing writing to accounting for other purposes.



 Chuck [EMAIL PROTECTED] wrote:
  If I turn accounting off, is there a way we can still pass
  accounting through to our remote realms, or is it a global on/off
  switch that affects everyone?
 
   Yes.  You can delete the detail and sql entries from accounting,
 and it won't log accounting to the local machine, but it will still
 proxy packets.
 
  I do notice a number of error messages about 0 length stop packets being 
  received and I assume they are rejected.
 
   Yes.  That shouldn't affect anything, though.
 
   Alan DeKok.
 
 

-- 

Chuck

Windows?? You mean the thirty-two bit extension and graphical shell to a 
sixteen-bit patch to an eight-bit operating system originally coded for a 
four-bit microprocessor which was written by a two-bit company that can't 
stand one bit of competition? Oh, that... -- Lee Clarke



Accounting question

2005-06-15 Thread Joseph Abadi
Hello,

I have a question regarding the way accounting is done. I configured
freeradius 1.0.1 with openssl and mysql support on a Fedora Core 3
system. I'm using it with PEAP and TLS for wireless authentication.
The authentication works fine, but the accounting packets are always
missing the username and the IPs of client and NAS seem to be
interchanged.
Here is a sample packet extracted from running radiusd with debugging:

rad_recv: Accounting-Request packet from host 192.168.30.11:1223, id=211, length=182
        Acct-Status-Type = Alive
        Acct-Session-Id = 0002e3412adf-000e6ad5debc-b0e1
        NAS-IP-Address = 192.168.30.34
        Acct-Input-Octets = 10179
        Acct-Output-Octets = 11165
        Acct-Input-Packets = 47
        Acct-Output-Packets = 97
        Vendor-Specific = 0x45415020557365726e616d652069733a204a4f53455048
        Vendor-Specific = 0x564c414e2049442069733a2030
        Vendor-Specific = 0x4553534944203d2055746570736120486f742053706f74
        Vendor-Specific = 0x45415020547970652069733a204541502d50454150
        Acct-Session-Time = 63418

My question is: isn't the NAS supposed to be the wireless access
point (in our case 192.168.30.11, not 192.168.30.34)? Isn't the
client supposed to be the computer from which the user authenticated
(192.168.30.34 instead of .11)? Is this just access point related, or
can I configure it in clients.conf?

The relevant portion of clients.conf looks like this:

client 192.168.30.0/24 {
        secret      = XX
        shortname   = wifiAP
}

Thanks for any help,



Re: Accounting question

2005-06-15 Thread Martin Pauly
Hello,

I think my question is quite related to yours although we do
EAP-TTLS, i.e. PAP inside the tunnel.

 I have a question regarding the way accounting is done. I configured
 freeradius 1.0.1 with openssl and mysql support on a Fedora Core 3
 system. I'm using it with PEAP and TLS for wireless authentication.
 The authentication works fine, but the accounting packets are always
 missing the username and the IPs of client and NAS seem to be
 interchanged.

- as for User-Name, freeradius normally logs the User-Name
  outside of the tunnel. Use 
  use_tunneled_reply = yes
  in the relevant portion of eap.conf (thanks to Michael Poser)

- IP-Address is a bit more nasty:
  NAS-IP-Address should indeed indicate the IP Address of your wireless AP
  and may be used in alternation with NAS-Identifier
  AFAIK, Client-IP-Address refers to a RADIUS client, i.e. your AP or a 
  RADIUS proxy server

The WLAN supplicant's IP-Address never shows up, simply because there is none,
at least not at the time of authentication.
The entire 802.1x authentication is done on the link layer, i.e. layer 2.
In theory, the wireless client could go ahead and talk IPX, DECNET, AppleTalk or
whatever protocols are available. In practice, however, the vast majority
of WLAN clients nowadays will use IP and IPv4 in particular -- and of course,
you need the assigned IP addresses in your logfile (at least we do).
Most sites will hand out these addresses via DHCP after the authentication 
is done.

So I'm going to cook up some simple perl programs to integrate 
ISC dhcpd's logfiles with those from freeradius' and probably 
simulate a Framed-IP-Address in the detail file.

What's a bit funny: Our Cisco AP _does_ record supplicant's IP addresses
internally, you can view them with some IOS command. It would indeed
be convenient to make it send the address along with every Accounting
STOP-Packet, but as of yet we haven't found a way.

Any comments or suggestions on this?
Martin  

-- 
  Dr. Martin Pauly Fax:49-6421-28-26994
  HRZ Univ. MarburgPhone:  49-6421-28-23527
  Hans-Meerwein-Str.   E-Mail: [EMAIL PROTECTED]  
  D-35032 Marburg   


Re: Accounting question

2005-06-15 Thread Alan DeKok
Joseph Abadi [EMAIL PROTECTED] wrote:
 The authentication works fine, but the accounting packets are always
 missing the username and the IPs of client and NAS seem to be
 interchanged.

  See the FAQ.  The server logs what the NAS sends it.  If the NAS
sends the wrong thing, the server logs it.

  Your NAS is broken.

 Vendor-Specific = 0x45415020557365726e616d652069733a204a4f53455048
 Vendor-Specific = 0x564c414e2049442069733a2030
 Vendor-Specific = 0x4553534944203d2055746570736120486f742053706f74
 Vendor-Specific = 0x45415020547970652069733a204541502d50454150

  Your NAS is *really* broken.  That's stupid.  Complain to them that
their product doesn't do RADIUS.

  Alan DeKok.
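
What the four Vendor-Specific values in the quoted Accounting-Request actually contain, and why they fail the RFC 2865 layout, as an added example that is not from the thread or from FreeRADIUS. It assumes the hex printed in the debug output is the complete attribute value; the function names are hypothetical.

```python
import re

# The four Vendor-Specific values from the Accounting-Request quoted above.
DEBUG_LINES = """\
Vendor-Specific = 0x45415020557365726e616d652069733a204a4f53455048
Vendor-Specific = 0x564c414e2049442069733a2030
Vendor-Specific = 0x4553534944203d2055746570736120486f742053706f74
Vendor-Specific = 0x45415020547970652069733a204541502d50454150
"""

VSA_LINE = re.compile(r"^\s*Vendor-Specific\s*=\s*0x((?:[0-9a-fA-F]{2})+)\s*$")
# The payloads use two separators: "name is: value" and "name = value".
FIELD = re.compile(r"^(?P<name>.+?)\s*(?:is:|=)\s*(?P<value>.*)$")


def layout_problem(value):
    """Check the RFC 2865 section 5.26 layout; return a reason or None.

    A Vendor-Specific value starts with a 4-octet Vendor-Id whose
    high-order octet is 0, followed by at least one octet of data.
    """
    if len(value) < 5:
        return "shorter than a Vendor-Id plus one octet of data"
    if value[0] != 0:
        return "Vendor-Id high-order octet is 0x%02x, not 0" % value[0]
    return None


def as_text(value):
    """Return the value as text if every octet is printable ASCII."""
    if all(0x20 <= b <= 0x7E for b in value):
        return value.decode("ascii")
    return None


def decode_debug(debug_text):
    """Return (fields, problems) for every Vendor-Specific line found."""
    fields, problems = {}, []
    for line in debug_text.splitlines():
        match = VSA_LINE.match(line)
        if not match:
            continue
        value = bytes.fromhex(match.group(1))
        problem = layout_problem(value)
        if problem:
            problems.append(problem)
        text = as_text(value)
        field = FIELD.match(text) if text else None
        if field:
            fields[field.group("name")] = field.group("value")
    return fields, problems


if __name__ == "__main__":
    found, issues = decode_debug(DEBUG_LINES)
    for name, value in found.items():
        print("%-12s %s" % (name, value))
    for issue in issues:
        print("malformed:", issue)
```

The NAS is putting plain ASCII text where the Vendor-Id belongs, so the user name it omits from User-Name is sitting inside an attribute no server can parse as a VSA.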



Freeradius accounting question

2005-05-10 Thread Software Development Group
Hello,
I have compiled and installed freeradius and it is working fine. My 
question now is:

At this point a user logs in with a password, is authenticated and enters 
the system but if I want to set user x to only have 2 hours connection time 
only and user y to only have 1 hour of connection, how can I do this?

Thanks.


RE: Freeradius accounting question

2005-05-10 Thread mmiranda
[EMAIL PROTECTED] wrote:
 Hello,
 
 I have compiled and installed freeradius and it is working fine. My
 question now is:
 
 At this point a user logs in with a password, is authenticated and
 enters 
 the system but if I want to set user x to only have 2 hours
 connection time only and user y to only have 1 hour of connection,
 how can I do this? 
 
 Thanks.
 
 

Use counter module,

---
Miguel



RE: Freeradius accounting question

2005-05-10 Thread Seferovic Edvin
Hi,

is it possible to use counter module to kick off users after their limit
is reached? Does anyone have an idea how this could be realized?

Regards,

Edvin Seferovic

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, 10 May 2005 19:45
To: freeradius-users@lists.freeradius.org
Subject: RE: Freeradius accounting question 

[EMAIL PROTECTED] wrote:
 Hello,
 
 I have compiled and installed freeradius and it is working fine. My
 question now is:
 
 At this point a user logs in with a password, is authenticated and
 enters 
 the system but if I want to set user x to only have 2 hours
 connection time only and user y to only have 1 hour of connection,
 how can I do this? 
 
 Thanks.
 
 

Use counter module,

---
Miguel



Re: Freeradius accounting question

2005-05-10 Thread Andrey
My guess would be that you need to set the Session-Timeout variable. 2 hours
would be 7200 and 1 hour would be 3600.
hope this helps.
Andrey
Quoting Software Development Group [EMAIL PROTECTED]:
Hello,
I have compiled and installed freeradius and it is working fine. My
question now is:
At this point a user logs in with a password, is authenticated and enters
the system but if I want to set user x to only have 2 hours connection time
only and user y to only have 1 hour of connection, how can I do this?
Thanks.


RE: Freeradius accounting question

2005-05-10 Thread mmiranda
[EMAIL PROTECTED] wrote:
 My guess would be that you need to set the Session-Timeout
 variable. 
 hope this helps.
 
 Andrey

Yes, it will help, I'm using it on production, the counter module sets the
Session-Timeout automatically
i.e.

keciel# cat radiusd.conf
[... blablabla ...]
sqlcounter webcards_counter {
        counter-name = Max-All-Session
        check-name = Max-All-Session
        sqlmod-inst = sql
        key = User-Name
        reset = never

        query = "SELECT SUM(AcctSessionTime) FROM radacct_stop WHERE UserName='%{%k}' AND servicetype = 'Framed-User'"
}

authorize {
[... blablabla ...]
        webcards_counter
}

I'm using mysql but you can do it in user file instead, just create the
usergroup/username mapping and set the radgroupcheck validation:

mysql> select * from usergroup where groupname = 'pp_webcard_5h';

+-----+------------+---------------+
| id  | UserName   | GroupName     |
+-----+------------+---------------+
| 112 | cs11873458 | pp_webcard_5h |
+-----+------------+---------------+

mysql> select * from radgroupcheck where attribute = 'Max-All-Session';
+----+---------------+-----------------+----+-------+
| id | GroupName     | Attribute       | op | Value |
+----+---------------+-----------------+----+-------+
| 44 | pp_webcard_5h | Max-All-Session | := | 18000 |
+----+---------------+-----------------+----+-------+

So the UserName cs11873458 is allowed to connect only 5 hours, the counter
will sum all the connection time used until it reaches this time (18000
secs), and sets Session-Timeout = 18000 - sum(connection time), the NAS will
drop the connection automatically.

Hope this helps, BTW, this is not the right place to start with Linux, you
need some good admin skills to understand these advanced configurations.

--
Miguel
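
The counter behaviour described in this post, modelled end to end with the posted tables and query, as an added example that is not rlm_sqlcounter's code or part of the original message. The stopped-session rows are constructed, and the "ok" / "reject" / "noop" labels are hypothetical stand-ins for the module's result.

```python
import sqlite3

# The query from the posted sqlcounter section, with the key as a bound
# parameter instead of the '%{%k}' expansion.
COUNTER_QUERY = ("SELECT SUM(AcctSessionTime) FROM radacct_stop "
                 "WHERE UserName = ? AND servicetype = 'Framed-User'")


def build_db():
    """Tables as shown in the post; radacct_stop columns limited to those queried."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE usergroup (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
                                    Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE radacct_stop (UserName TEXT, AcctSessionTime INTEGER,
                                   servicetype TEXT);
        INSERT INTO usergroup VALUES (112, 'cs11873458', 'pp_webcard_5h');
        INSERT INTO radgroupcheck VALUES
            (44, 'pp_webcard_5h', 'Max-All-Session', ':=', '18000');
    """)
    return db


def add_stop(db, user, seconds, servicetype="Framed-User"):
    """Record one finished session (constructed data in this example)."""
    db.execute("INSERT INTO radacct_stop VALUES (?, ?, ?)",
               (user, seconds, servicetype))


def session_limit(db, user, check_name="Max-All-Session"):
    """Look up the check attribute through the user's group; None if unset."""
    row = db.execute(
        "SELECT c.Value FROM usergroup u "
        "JOIN radgroupcheck c ON c.GroupName = u.GroupName "
        "WHERE u.UserName = ? AND c.Attribute = ?", (user, check_name)).fetchone()
    return int(row[0]) if row else None


def authorize(db, user):
    """Return (result, Session-Timeout) the way the post describes the counter."""
    limit = session_limit(db, user)
    if limit is None:
        return ("noop", None)            # no Max-All-Session for this user
    # SUM() over zero rows is NULL, which must count as 0 seconds used.
    used = db.execute(COUNTER_QUERY, (user,)).fetchone()[0] or 0
    remaining = limit - used
    if remaining <= 0:
        return ("reject", 0)             # allowance exhausted
    return ("ok", remaining)             # sent to the NAS as Session-Timeout


if __name__ == "__main__":
    db = build_db()
    print(authorize(db, "cs11873458"))   # fresh card
    add_stop(db, "cs11873458", 7200)
    add_stop(db, "cs11873458", 3600)
    print(authorize(db, "cs11873458"))   # after three hours of use
```

Because the query reads only stopped sessions, a session that is still open does not reduce the allowance until its Stop record arrives.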




Re: Freeradius accounting question

2005-05-10 Thread Marcin Jessa
Hi.

I just resubscribed to the mailinglist and found that topic unanswered.
You can accomplish that in two ways. One is with counter module and one with 
SQL which uses sqlcounter module.
The sqlcounter needs the experimental modules to be compiled in.
I use MySQL to store my users' info so for me the natural way was to use the 
sqlcounter module.
Follow this howto http://www.lh.freeradius.org/radiusd/doc/rlm_sqlcounter
If you want to use groups instead of adding individual attributes to each of 
the users, add e.g. Max-Daily-Session to the radgroupcheck table instead of 
radcheck.

INSERT INTO `radgroupcheck` VALUES 
(1,'02hours','Max-Daily-Session',':=','7200');
Then add your users to the 02hours group.
Be sure to add Session-Timeout with the same value to the radgroupreply table 
as well.
An example:

INSERT INTO `radgroupreply` VALUES (1,'02hours','Framed-Protocol',':=','ppp',0),
(2,'02hours','Framed-IP-Address',':=','255.255.255.254',0),
(3,'02hours','Framed-IP-Netmask',':=','255.255.255.255',0),
(4,'02hours','Service-Type',':=','Framed',0),
(5,'02hours','Session-Timeout',':=','7200',0),
(6,'02hours','Termination-Action',':=','Your Session Has Been Terminated',0),
(7,'02hours','Port-Limit',':=','1',0),
(8,'02hours','Reply-Message',':=','Hello %u',0);

Works like a charm on FreeBSD and Linux.

My radius config for Linux:
http://www.yazzy.org/configs/linux/radiusd.conf



-- 

Regards,
M. Jessa
http://www.yazzy.org




accounting question

2005-05-03 Thread luke
Hi,

I have a question about radius,
Is there anyone on this list that can help?
I'm sure this is a very common request.

I have a situation where radius accounting is logged to a mysql database.
I'd like to find a way to show the accurate number of users that are currently
online.

Up till now this has been done by querying the database to find entries in the
radacct table that have value 0 for AccountStopTime.
However there are quite a number of entries in this 'radacct' table that have
the 0 as AccountStopTime but are not active sessions.

What would be a way to get just the sessions that are active?


kind regards,
Luke
-- 
._
:|  .| |.|/.|_
:|__.|_|.|\.|_
:0421 276 282.



RE: accounting question

2005-05-03 Thread Jamal Taweel
I think radwho can accomplish this request

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, May 03, 2005 9:38 AM
To: freeradius-users@lists.freeradius.org
Subject: accounting question

Hi,

I have a question about radius,
Is there anyone on this list that can help?
I'm sure this is a very common request.

I have a situation where radius accounting is logged to a mysql
database.
I'd like to find a way to show the accurate number of users that are
currently
online.

Up till now this has been done by querying the database to find entries
in the
radacct table that have value 0 for AccountStopTime.
However there are quite a number of entries in this 'radacct' table that
have
the 0 as AccountStopTime but are not active sessions.

What would be a way to get just the sessions that are active?


kind regards,
Luke
-- 
._
:|  .| |.|/.|_
:|__.|_|.|\.|_
:0421 276 282.



Accounting question

2004-07-06 Thread Bartosz Jozwiak
Hello,

I have successfully installed radius.
It is working very nice. Great job.

I have following question.
I would like to do accounting. So every dial-up user will be able to go on
line only for 60 minutes.
Then when he uses his limit he should not be able to go on line any more?
Is it possible to set up this ? If yes please could you point me where I can
find
some help how to set it up.

PS login accounting from my NAS is already working.

Bartosz




Re: Accounting question

2004-07-06 Thread Alan DeKok
Bartosz Jozwiak [EMAIL PROTECTED] wrote:
 I have successfully installed radius.
 It is working very nice. Great job.

  Thank you.

 I have following question.
 I would like to do accounting. So every dial-up user will be able to go on
 line only for 60 minutes.
 Then when he uses his limit he should not be able to go on line any more?
 Is it possible to set up this ? If yes please could you point me where I can
 find some help how to set it up.

  Yes.  See rlm_counter, which has a man page in 1.0.0-pre3, and
comments in radiusd.conf which describe how to configure & test it.

  Alan DeKok.



Re: Accounting question

2004-07-06 Thread Bartosz Jozwiak
Do I need to recompile freeradius with:
./configure --with-experimental-modules
To make use of rlm_sqlcounter ?

I have the 1.0.0-pre3 version.

Bartosz

 Bartosz Jozwiak [EMAIL PROTECTED] wrote:
  I have successfully installed radius.
  It is working very nice. Great job.

   Thank you.

  I have following question.
  I would like to do accounting. So every dial-up user will be able to go
on
  line only for 60 minutes.
  Then when he uses his limit he should not be able to go on line any
more?
  Is it possible to set up this ? If yes please could you point me where I
can
  find some help how to set it up.

   Yes.  See rlm_counter, which has a man page in 1.0.0-pre3, and
 comments in radiusd.conf which describe how to configure & test it.

   Alan DeKok.



Accounting question for EAP-TTLS for Pre 2

2004-06-15 Thread Michael Ding
Hi all,
I have been playing with FreeRadius for a few weeks in the following 
environment:
Funk Software Odyssey Client + Belkin wireless router + FreeRadius 1.0.0 
Pre2. Finally, I got the system working last night, but I found a 
problem with the accounting file. I turned on the detail, auth_detail and 
reply_detail files, but only auth_detail & reply_detail are generated when 
EAP-TTLS is used. When I used radtest with CHAP, I found all 3 files are generated.

Is this the desired behavior for EAP-TTLS? If so, how do I generate billing 
info for my wireless usage?

Please help!
Thanks,
Michael


Re: Accounting question for EAP-TTLS for Pre 2

2004-06-15 Thread Alan DeKok
Michael Ding [EMAIL PROTECTED] wrote:
 I have been playing with FreeRadius for a few weeks in the following 
 environment:
 Funk Software Odyssey Client + Belkin wireless router + FreeRadius 1.0.0 
 Pre2. Finally, I got the system working last night, but I found a 
 problem with the accounting file. I turned on the detail, auth_detail and 
 reply_detail files, but only auth_detail & reply_detail are generated when 
 EAP-TTLS is used. When I used radtest with CHAP, I found all 3 files are generated.

  No, you didn't.  The detail module logs only accounting requests,
and when you send a CHAP authentication request using radtest, it
doesn't send an accounting request.

 Is this the desired behavior for EAP-TTLS? If so, how do I generate billing 
 info for my wireless usage?

  See the FAQ.  Your NAS has to send accounting information for the
server to be able to log it.

  Alan DeKok.




Re: Accounting question for EAP-TTLS for Pre 2

2004-06-15 Thread Gary McKinney
A followup for all...

I have been looking for an inexpensive WAP (Wireless Access Point) or WRT (Wireless
Router) that sends the Radius Accounting information to the Radius Server - to date I
have NOT found any of the inexpensive WAP or WRT devices which send the accounting
information to the Radius Server...

If anyone knows of such a critter I would be very interested as I have several
applications that can use the accounting information!

I suspect if we all start asking for such functionality the vendors might start
putting the feature in the NAS devices. Just a thought (I bug them once a week
myself!)
 
 
Gary N. McKinney

Network Administrator
Computer Services Dept.
Brevard County Library System



-- Original Message --
From: Alan DeKok [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 15 Jun 2004 09:30:00 -0400

Michael Ding [EMAIL PROTECTED] wrote:
> I have been playing with FreeRadius for a few weeks in the following
> environment:
> Funk Software Odyssey Client + Belkin wireless router + FreeRadius 1.0.0
> Pre2. Finally, I got the system working last night, but I found a
> problem with the accounting file. I turned on the detail, auth_detail and reply_detail
> files. But only auth_detail & reply_detail are generated when EAP-TTLS is
> used. I used radtest with CHAP, and I found all 3 files are generated.

  No, you didn't.  The detail module logs only accounting requests,
and when you send a CHAP authentication request using radtest, it
doesn't send an accounting request.

> Is this the desired behavior for EAP-TTLS? If so, how do I generate billing
> info for my wireless usage?

  See the FAQ.  Your NAS has to send accounting information for the
server to be able to log it.

  Alan DeKok.




Re: Accounting question for EAP-TTLS for Pre 2

2004-06-15 Thread Paul Bender
How much is inexpensive?
At home, I use a D-Link DWL 7000AP (an a/b/g access point with 802.1x 
and WPA) that generated RADIUS accounting information.

Gary McKinney wrote:
> A followup for all...
>
> I have been looking for an inexpensive WAP (Wireless Access Point) or WRT (Wireless
> Router) that sends the Radius Accounting information to the Radius Server - to date I
> have NOT found any of the inexpensive WAP or WRT devices which send the accounting
> information to the Radius Server...
>
> If anyone knows of such a critter I would be very interested as I have several
> applications that can use the accounting information!
>
> I suspect if we all start asking for such functionality the vendors might start
> putting the feature in the NAS devices. Just a thought (I bug them once a week
> myself!)
>
> Gary N. McKinney
>
> Network Administrator
> Computer Services Dept.
> Brevard County Library System
>
> -- Original Message --
> From: Alan DeKok [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date:  Tue, 15 Jun 2004 09:30:00 -0400
>
> Michael Ding [EMAIL PROTECTED] wrote:
> > I have been playing with FreeRadius for a few weeks in the following
> > environment:
> > Funk Software Odyssey Client + Belkin wireless router + FreeRadius 1.0.0
> > Pre2. Finally, I got the system working last night, but I found a
> > problem with the accounting file. I turned on the detail, auth_detail and reply_detail
> > files. But only auth_detail & reply_detail are generated when EAP-TTLS is
> > used. I used radtest with CHAP, and I found all 3 files are generated.
>
> No, you didn't.  The detail module logs only accounting requests,
> and when you send a CHAP authentication request using radtest, it
> doesn't send an accounting request.
>
> > Is this the desired behavior for EAP-TTLS? If so, how do I generate billing
> > info for my wireless usage?
>
> See the FAQ.  Your NAS has to send accounting information for the
> server to be able to log it.
>
> Alan DeKok.


Re: accounting question

2004-03-23 Thread Marc Werner
An idea:
turn log_auth_badpass = on and write a shell script which reads out the logfile
and deletes the user who tried to log in with a bad password.
I wrote a similar script to delete users by expiry date, using sed.

ciao marc werner

On Tuesday, 23 March 2004 08:47, Tim Bots wrote:
> What I am trying to tell is that my NAS CAN disconnect users and block them
> from that time on. The only thing is that freeradius doesn't log this and
> as soon as they are logged out they can log in again and the user again gets
> 5 hours. This is not a thing I like. I guess that I have to use a database
> or something to log this.
>
> I hope someone can help me,
>
> Tim Bots

-- 
Marc Werner
[EMAIL PROTECTED]
ICQ#190044536
http://tuxxy.in.itzehoe.de




RE: accounting question

2004-03-23 Thread Tim Bots
I guess this is a bad idea, because I can't write shell scripts and I don't like the
idea of deleting users when their time is over. An example:
I want to have a few users that have 1 hour of time and they log in with their
browser.
Some other users may have 2 hours and some may have another time.
When their time is over my NAS will disconnect them.
I also have a few devices which can't log on with a web browser but they log on with
their MAC address (username = MAC) and they may have infinite time on the internet.

I hope someone can help me

Tim Bots

-Original Message-
From: Marc Werner [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 9:22
To: [EMAIL PROTECTED]
Subject: Re: accounting question

An idea:
turn log_auth_badpass = on and write a shell script which reads out the logfile
and deletes the user who tried to log in with a bad password.
I wrote a similar script to delete users by expiry date, using sed.

ciao marc werner

On Tuesday, 23 March 2004 08:47, Tim Bots wrote:
> What I am trying to tell is that my NAS CAN disconnect users and block them
> from that time on. The only thing is that freeradius doesn't log this and
> as soon as they are logged out they can log in again and the user again gets
> 5 hours. This is not a thing I like. I guess that I have to use a database
> or something to log this.
>
> I hope someone can help me,
>
> Tim Bots

-- 
Marc Werner
[EMAIL PROTECTED]
ICQ#190044536
http://tuxxy.in.itzehoe.de




Re: accounting question

2004-03-22 Thread Guy Fraser
Please Note: Radius does NOT disconnect users, only the NAS can disconnect the
user.

You will need to figure out how to send a command to your NAS to disconnect the
user, and run that program in order to trigger a user disconnect.

Graeme Hinchliffe wrote:

> On Tue, 16 Mar 2004 16:17:03 +0100
> Tim Bots [EMAIL PROTECTED] wrote:
>
> > Hi everyone,
> >
> > I have freeradius working correctly at this moment and now my
> > question is: how can I enable accounting? I mean: how can I give users
> > more or less time / more or less session bytes with freeradius? I use
> > freeradius version 0.9.3 running on a p1 with 64 MB memory (I guess)
> > with Linux Slackware. This works perfectly. I hope someone can help me,
>
> The only way it's possible that I can think of is by doing some crazy
> hackery.  Assuming you get interim accounting updates and monitor these,
> when they hit a certain level (which you have defined as your cut off)
> you can trigger a user disconnect, and flag them as unallowed, so they
> cannot auth again.
> But this will require hackery on your part, and a dependence on decent
> accounting updates

--
Guy Fraser






Re: FW: accounting question

2004-03-17 Thread Alan DeKok
Tim Bots [EMAIL PROTECTED] wrote:
> The thing is that my hotspot can kill/logoff users when they have
> reached a certain amount of time/data transfer. The standard time that
> users get when they log on when I use freeradius is 5 hours. Is there a
> way to change this time?

  Yes.  See the Session-Timeout attribute.

  Alan DeKok.
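
The approach discussed in this thread (watch interim accounting updates, then hand out only the remaining time through Session-Timeout so that a user who logs out and back in does not get a fresh allowance), as an added example that is not FreeRADIUS code and not from any poster. The detail-style records, the user name `guest1` and the quota values are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample laid out like a FreeRADIUS detail file: a timestamp line,
# tab-indented "Attribute = value" pairs, and a blank line between records.
SAMPLE_DETAIL = """\
Tue Mar 23 08:30:00 2004
\tUser-Name = "guest1"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "0001"
\tAcct-Session-Time = 1800

Tue Mar 23 08:50:00 2004
\tUser-Name = "guest1"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0001"
\tAcct-Session-Time = 3000

Tue Mar 23 09:00:00 2004
\tUser-Name = "guest1"
\tAcct-Status-Type = Interim-Update
\tAcct-Session-Id = "0002"
\tAcct-Session-Time = 900
"""

ATTR = re.compile(r'^\s+([\w-]+) = "?(.*?)"?$')
NEEDED = {"User-Name", "Acct-Session-Id", "Acct-Session-Time"}

def parse_records(text):
    """Yield one attribute dict per blank-line-separated accounting record."""
    for block in text.strip().split("\n\n"):
        attrs = dict(m.groups() for m in map(ATTR.match, block.splitlines()) if m)
        if attrs:
            yield attrs

def used_seconds(text):
    """Per user: highest Acct-Session-Time seen in each session, summed."""
    sessions = defaultdict(dict)  # user -> {session id: seconds used}
    for r in parse_records(text):
        if not NEEDED <= r.keys():
            continue  # Start records and incomplete records carry no usage
        per_user = sessions[r["User-Name"]]
        sid, t = r["Acct-Session-Id"], int(r["Acct-Session-Time"])
        per_user[sid] = max(per_user.get(sid, 0), t)
    return {u: sum(s.values()) for u, s in sessions.items()}

def next_session_timeout(user, quota, text):
    """Seconds to send as Session-Timeout at next login; None means reject."""
    left = quota - used_seconds(text).get(user, 0)
    return left if left > 0 else None
```

Counting the highest Acct-Session-Time per Acct-Session-Id keeps an interim update and the later Stop record of the same session from being added twice.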



accounting question

2004-03-16 Thread Tim Bots
Hi everyone,

I have freeradius working correctly at this moment and now my question is: how can I
enable accounting? I mean: how can I give users more or less time / more or less
session bytes with freeradius?
I use freeradius version 0.9.3 running on a p1 with 64 MB memory (I guess) with Linux
Slackware. This works perfectly.
I hope someone can help me,

Tim Bots



FW: accounting question

2004-03-16 Thread Tim Bots
Hi everyone,

The thing is that my hotspot can kill/logoff users when they have reached a certain
amount of time/data transfer. The standard time that users get when they log on when I
use freeradius is 5 hours. Is there a way to change this time?

I hope someone can help me,

Tim Bots


-Original Message-
From: Graeme Hinchliffe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 16, 2004 17:43
To: [EMAIL PROTECTED]
Subject: Re: accounting question

On Tue, 16 Mar 2004 16:17:03 +0100
Tim Bots [EMAIL PROTECTED] wrote:

> Hi everyone,
>
> I have freeradius working correctly at this moment and now my
> question is: how can I enable accounting? I mean: how can I give users
> more or less time / more or less session bytes with freeradius? I use
> freeradius version 0.9.3 running on a p1 with 64 MB memory (I guess)
> with Linux Slackware. This works perfectly. I hope someone can help me,

The only way it's possible that I can think of is by doing some crazy
hackery.  Assuming you get interim accounting updates and monitor these,
when they hit a certain level (which you have defined as your cut off)
you can trigger a user disconnect, and flag them as unallowed, so they
cannot auth again.

But this will require hackery on your part, and a dependence on decent
accounting updates

-- 
-
Graeme Hinchliffe (BSc)
Core Team Member
Zen Internet (http://www.zen.co.uk)

ICQ 3842605 (link)

Direct: 0845 058 9074
Main  : 0845 058 9000
Fax   : 0845 058 9005




mysql accounting question

2004-01-11 Thread Fogarasi Andras
Hi!


I see messages like this in radius.log:

Sun Jan 11 13:00:06 2004 : Info: rlm_sql (sql): There are no DB handles
to use! skipped 0, tried to connect 0

When it happens, will the accounting be continuous, or does this message
indicate lost data?


Thanks,
Andras


-- 



RE: mysql accounting question

2004-01-11 Thread Mustafa N. Deeb

Hi


This error indicates a slow MySQL machine

Do you have a big radacct table?

Cheers


~~
Mustafa N. Deeb
Technical Director
Palnet Communications Ltd.
Tel: +970-2-2403434
Fax: +970-2-2403430
www.palsms.com
www.paltime.net
www.palnet.com



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Fogarasi Andras
Sent: Sunday, January 11, 2004 2:08 PM
To: [EMAIL PROTECTED]
Subject: mysql accounting question

Hi!


I see messages like this in radius.log:

Sun Jan 11 13:00:06 2004 : Info: rlm_sql (sql): There are no DB handles
to use! skipped 0, tried to connect 0

When it happens, will the accounting be continuous, or does this message
indicate lost data?


Thanks,
Andras


-- 
