Lo all,

I'm doing VPN authentication with Free Radius, and use a lot of FreeBSD /
PPPD processes to manage the VPNs in regards to actual connectivity.
Obviously, freeradius is used for all authentication / accounting, and it is
working pretty well... :)

I upgraded to .9 a while ago, and somewhere, there was more debug
information added to the source.  All of a sudden, I saw why certain things
that didn't work on .8 didn't work... Unfortunately, after playing
extensively with .9, I still can't seem to find a way to fix this... So here
goes.

FreeBSD's PPP Process sends this back to the radius server (acct start):
rad_recv: Accounting-Request packet from host 192.168.1.1:3969, id=223,
length=149
        User-Name = "[EMAIL PROTECTED]"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 10.255.254.215
        Framed-IP-Netmask = 255.255.255.255
        NAS-Identifier = "my.nas.hostname"
        NAS-Port-Type = Virtual
        Acct-Status-Type = Start
        Acct-Session-Id = "[EMAIL PROTECTED]"
        Acct-Multi-Session-Id = ""
        Acct-Delay-Time = 0
...

This is very interesting, and for many months looked more than fine to me.
HOWEVER, Freeradius is now complaining (especially radutmp and rlm_ippool)
that there is no NAS-Port-ID specified (which, I can COMPLETELY understand).
The problem is, I cannot "force" PPPD to send this attribute - they are all
hard-coded by the FreeBSD developers....

I have a huntgroup for all my authentication requests coming from these VPN
based services, but still, I was unable to specify this acct attribute on a
DEFAULT entry anywhere... Tried specifying it in the huntgroups file,
acct_users, and users file - with no luck, which I can also semi-understand.

So the question, really, is how / where can I add a default NAS-Port-ID acct
attribute to freeradius, so that the attribute is only added for my specific
huntgroup, and only if it is not already specified? The VPN services make
use of virtual ports (as indicated in the acct start packet), so I don't
foresee any immediate problems with making all the ports 0 by default or
something. The actual port number's not important to me here; what matters
is that rlm_ippool and radutmp work and record the logging information
correctly....

Snippets from the logs...


  huntgroups: Matched PPTP at 39
    users: Matched DEFAULT at 5
  modcall[authorize]: module "files" returns ok
...
Login OK: [EMAIL PROTECTED] (from client nasX port 0)
modcall: entering group post-auth
rlm_ippool: Could not find port information.
  modcall[post-auth]: module "pptp_pool" returns noop
modcall: group post-auth returns noop
Sending Access-Accept of id 134 to 192.168.1.1:4113
...
rad_recv: Accounting-Request packet from host 192.168.1.1:4116, id=63,
length=149
  huntgroups: Matched PPTP at 39
    acct_users: Matched DEFAULT at 28
  modcall[preacct]: module "files" returns ok
modcall: group preacct returns ok
modcall: entering group accounting
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request,
unique ID MAY be inconsistent
...
radius_xlat:  '[EMAIL PROTECTED]'
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module "radutmp" returns noop
...

my acct_users looks like:
DEFAULT  Service-Type == Framed-User, Huntgroup-Name == PPTP
         NAS-Port == 0

huntgroups:
PPTP            NAS-IP-Address == 192.168.1.1, NAS-Port-Type = Virtual
                Framed-Protocol == PPP,
                Service-Type == Framed-User

users:
DEFAULT  Service-Type == Framed-User, Huntgroup-Name == PPTP
         NAS-Port == 0,
         Fall-Through == Yes

Thanks,


--
me
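The acct-start packet quoted above, rebuilt on the wire as an added example (this is not code from the original post, nor from FreeBSD's ppp or from FreeRADIUS): it encodes the same attributes as RADIUS TLVs, computes and verifies the Accounting-Request authenticator the server checks before acting on the packet, and runs the NAS-Port / NAS-Port-Id presence check behind the rlm_acct_unique and rlm_radutmp warnings. The shared secret, user name and session id are constructed placeholders; attribute numbers come from RFC 2865/2866.

```python
import hashlib
import struct

# RADIUS attribute type codes (RFC 2865/2866) for the acct-start attributes shown above
ATTR = {"User-Name": 1, "NAS-Port": 5, "Service-Type": 6, "Framed-Protocol": 7,
        "NAS-Identifier": 32, "Acct-Status-Type": 40, "Acct-Session-Id": 44,
        "NAS-Port-Type": 61, "NAS-Port-Id": 87}
NAME = {v: k for k, v in ATTR.items()}
ACCOUNTING_REQUEST = 4

def encode_attr(name, value):
    """One attribute as a RADIUS TLV: type, total length (header included), value."""
    if isinstance(value, int):
        data = struct.pack("!I", value)   # 32-bit integer attributes
    else:
        data = value.encode()             # string attributes
    return struct.pack("!BB", ATTR[name], len(data) + 2) + data

def build_acct_request(ident, secret, attrs):
    """Accounting-Request; authenticator = MD5(code+id+len+16 zero bytes+attrs+secret), RFC 2866."""
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def verify_acct_authenticator(packet, secret):
    """Recompute the authenticator; a mismatch means a wrong secret or a modified packet."""
    head, auth, body = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(head + bytes(16) + body + secret).digest() == auth

def parse_attrs(packet):
    """Walk the TLVs after the 20-byte header, refusing malformed lengths."""
    found, pos, end = [], 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        found.append((NAME.get(atype, "Attr-%d" % atype), packet[pos + 2:pos + alen]))
        pos += alen
    return found

def lacks_port_attrs(packet):
    """True when neither NAS-Port nor NAS-Port-Id is present (the rlm_acct_unique / rlm_radutmp case)."""
    return not {n for n, _ in parse_attrs(packet)} & {"NAS-Port", "NAS-Port-Id"}

# Constructed sample mirroring the acct-start dump above (secret, user and session id are made up)
SECRET = b"testing123"
ACCT_START = build_acct_request(223, SECRET, [
    ("User-Name", "user@example.org"), ("Service-Type", 2), ("Framed-Protocol", 1),
    ("NAS-Identifier", "my.nas.hostname"), ("NAS-Port-Type", 5),
    ("Acct-Status-Type", 1), ("Acct-Session-Id", "sess-0001")])
```

Because the authenticator covers the whole attribute list, nothing on the path can insert a default NAS-Port into the packet without knowing the shared secret; inside the server the attribute has to be added to the parsed request after that check has passed.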


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
