Accounting-Start packet question
So I've read through the O'Reilly _Radius_ book, the FAQ for FreeRADIUS, and browsed the list's archive, but I still have a relatively basic question that just needs some clarification.

Accounting-Start packets are sent by the client (which could be either the NAS or the end-user in the case of wireless auth, which is what I'm doing). If a NAS hasn't implemented the full AAA architecture (i.e. only supports RADIUS for authentication but not for accounting), then the only way to get the Accounting-Request packet is to have the end-user send it (which is, IMHO, an unreliable method), correct?

Is there some kind of way around this, like faking an Accounting-Start in the radgroupreply table (in MySQL)?

Thanks,
Brian

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting-Start packet question
At 12:27 PM 12/2/2003, Brian Clarkson wrote:

> so i've read through the O'Reilly _Radius_ book, the FAQ for FreeRADIUS, and browsed the list's archive, but i still have a relatively basic question that just needs some clarification.
>
> Accounting-Start packets are sent by the client (which could be either the NAS or the end-user in the case of wireless auth, which is what i'm doing).

No, it will be the NAS, it will not be the end-user.

> if a NAS hasn't implemented the full AAA architecture (i.e. only supports RADIUS for authentication but not for accounting), then the only way to get the Accounting-Request packet is to have the end-user send it (which is, IMHO, an unreliable method), correct?

No. The Radius Server will only accept AAA from known 'clients'. This will be the device or process that talks to the Radius server (either a NAS, AP, or other). It will *not* be the end-user. If the NAS/AP doesn't send it, you don't get it.

> is there some kind of way around this, like faking an Accounting-Start in the radgroupreply table (in MySQL)?

Yes. Look at the 'radzap' program. It functions by sending a spoofed 'Stop' packet to the server.

-Chris
--
Chris Parker, Director, Engineering, StarNet Inc.
WX *is* Wireless! http://www.starnetwx.net (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
Re: Accounting-Start packet question
Chris Parker wrote:

> At 12:27 PM 12/2/2003, Brian Clarkson wrote:
>
>> Accounting-Start packets are sent by the client (which could be either the NAS or the end-user in the case of wireless auth, which is what i'm doing).
>
> No, it will be the NAS, it will not be the end-user.

That's what I thought ... but the 'client' definition almost makes it sound as if any client in the chain of clients could send the packet.

> If the NAS/AP doesn't send it, you don't get it.
>
>> is there some kind of way around this, like faking an Accounting-Start in the radgroupreply table (in MySQL)?
>
> Yes. Look at the 'radzap' program. It functions by sending a spoofed 'Stop' packet to the server.

I fail to understand how a spoofed 'stop' packet will actually start the accounting process.

But this hits another issue I was having. My test user successfully authenticated but hasn't been 'kicked off' the network -- even though I've restarted the radius server *and* rebooted the NAS (a Buffalo AP in this case). Would the user not be disconnected because of the lack of stop packet?

--b--
Re: Accounting-Start packet question
At 12:46 PM 12/2/2003, Brian Clarkson wrote:

> Chris Parker wrote:
>
>> At 12:27 PM 12/2/2003, Brian Clarkson wrote:
>>
>>> Accounting-Start packets are sent by the client (which could be either the NAS or the end-user in the case of wireless auth, which is what i'm doing).
>>
>> No, it will be the NAS, it will not be the end-user.
>
> that's what i thought ... but the 'client' definition almost makes it sound as if any client in the chain of clients could send the packet.

No, the chain of communication can't be side-stepped. End-user can talk to NAS can talk to Radius Server. Beyond the immediate clients, there is no chain of trust or state that would allow End-user - Radius server direct communication.

>> If the NAS/AP doesn't send it, you don't get it.
>>
>>> is there some kind of way around this, like faking an Accounting-Start in the radgroupreply table (in MySQL)?
>>
>> Yes. Look at the 'radzap' program. It functions by sending a spoofed 'Stop' packet to the server.
>
> i fail to understand how a spoofed 'stop' packet will actually start the accounting process.
>
> but this hits another issue i was having. my test user successfully authenticated but hasn't been 'kicked off' the network -- even though i've restarted the radius server *and* rebooted the NAS (a Buffalo AP in this case). would the user not be disconnected because of the lack of stop packet?

I was simply pointing that out as you asked how to fake an Accounting Start packet. That program sends an Accounting Stop. It is a trivial modification to make it send a different packet type.

Is there a particular problem you are trying to solve? It might be better to spell out your problem, and listen to the proposed solutions than trying to jump straight to a solution as the one you see may not be perhaps the 'best' for your particular problem.

-Chris
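The two points Chris makes above, that the server accepts accounting only from known clients and that a tool like radzap works by sending a valid Accounting-Request itself, both come down to the RFC 2866 Request Authenticator, which is keyed on the shared secret configured for each client. The following is an added illustration written for this archive, not code from the thread, radzap or FreeRADIUS: it encodes an Accounting-Request (Start or Stop) and shows the server-side check that discards any packet not built with the right secret. Attribute numbers are the standard RADIUS ones; the user, session id, NAS address and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4              # RADIUS Code for Accounting-Request (RFC 2866)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START, ACCT_STOP = 1, 2  # Acct-Status-Type values

def _avp(attr_type, value):
    """Encode one attribute as Type (1 octet), Length (1 octet), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_acct_request(identifier, secret, status, user, session_id, nas_ip):
    """Build the packet a NAS (or an admin tool holding the NAS secret) sends."""
    attrs = (
        _avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
        + _avp(ATTR_USER_NAME, user.encode())
        + _avp(ATTR_ACCT_SESSION_ID, session_id.encode())
        + _avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    )
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 s.3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_acct_request(packet, secret):
    """Server-side check with the secret of the client the packet came from;
    a packet that fails is silently dropped, so an end-user without the
    secret cannot inject Start or Stop records."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)

def acct_status_type(packet):
    """Walk the attribute list and return Acct-Status-Type (1=Start, 2=Stop)."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return None
        if attr_type == ATTR_ACCT_STATUS_TYPE and length == 6:
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += length
    return None
```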
Re: Accounting-Start packet question
Chris Parker wrote:

> Is there a particular problem you are trying to solve? It might be better to spell out your problem, and listen to the proposed solutions than trying to jump straight to a solution as the one you see may not be perhaps the 'best' for your particular problem.

There are 2 specific problems I'm trying to solve.

1. It seems the NAS I'm using (a Buffalo AirStation Pro, http://www.buffalotech.com/wireless/products/airstationpro/WLMRL11G.html) doesn't support the accounting side of the RADIUS suite. I never saw any Accounting-Start packets from the NAS while testing client authentication. I do have EAP-TLS running with MS-CHAP.

2. During testing, I didn't have the DEFAULT: Access-Accept turned off somewhere. As a result, the test user that did authenticate never showed up in the radacct tables, in the detail files, or anywhere ... but I did see the authentication packets while watching the logfile. The side effect -- restarting both the RADIUS server and the NAS didn't kick the user off. And radwho doesn't show this test user logged in. (It's an internal user, so I'm not too worried about it.)

Testing via NTRadPing works fine. Denies non-users, etc. It's just this still-connected user.