Re: empty preacct and accounting section
Signup_mail2002 yahoo.com> writes:

> I will double check them when I get back to my machine. I think I know what you mean. Will report back.
>
> > On Sep 25, 2013, at 4:38 PM, Alan Buxey lboro.ac.uk> wrote:
> >
> > As the msg says. Your preacct {} and accounting {} sections in your server are not configured to do anything. Add active modules to them eg a database call and things will be different.
> >
> > alan

You guys are correct. In my zealous attempt to use virtual servers I forgot to define global rules since I put all rules under two different server{} sections. All I have to do is to add one more virtual server for accounting (or a global catch all). It really didn't occur to me immediately. I looked at the code then made the connection.

It's working now. I just copy pasted preacct and accounting section to the global level and everything is fine again. I assume I can trim the other server{} section to contain only non accounting conf?

Thanks

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: empty preacct and accounting section
> Are you saying my default file has these sections as empty? Or that the vpn
> clients are sending empty data?

Sections. As the Warning clearly states, sections.

Arran Cudbard-Bell
FreeRADIUS Development Team
Re: empty preacct and accounting section
I will double check them when I get back to my machine. I think I know what you mean. Will report back.

> On Sep 25, 2013, at 4:38 PM, Alan Buxey wrote:
>
> As the msg says. Your preacct {} and accounting {} sections in your server
> are not configured to do anything. Add active modules to them eg a database
> call and things will be different.
>
> alan
Re: empty preacct and accounting section
> On Sep 25, 2013, at 4:33 PM, Arran Cudbard-Bell wrote:
>
>> On 25 Sep 2013, at 21:20, WorkingMan wrote:
>>
>> I have been seeing this weird message for two days now. I setup PPTP and IPSec
>> (ikev1) with freeradius + mysql.
>>
>> In both cases I see Access-Accept and in Accounting-Request I see these two
>> messages:
>>
>> WARNING: Empty preacct section. Using default return values.
>> WARNING: Empty accounting section. Using default return values.
>
> Would it surprise you if I said it was because the server processing the
> Accounting-Request had an Empty preacct and empty accounting section?
>
>> ignoring request with ID , already processing
>> retransmitting RADIUS message
>> ... #goes on for a while for IPSec, only twice for PPTP
>> RADIUS is not responding
>
> Could you provide the full debug (radiusd -X).
>
> Arran Cudbard-Bell
> FreeRADIUS Development Team

Are you saying my default file has these sections as empty? Or that the vpn clients are sending empty data?
Re: empty preacct and accounting section
As the msg says. Your preacct {} and accounting {} sections in your server are not configured to do anything. Add active modules to them eg a database call and things will be different.

alan
Re: empty preacct and accounting section
On 25 Sep 2013, at 21:20, WorkingMan wrote:

> I have been seeing this weird message for two days now. I setup PPTP and IPSec
> (ikev1) with freeradius + mysql.
>
> In both cases I see Access-Accept and in Accounting-Request I see these two
> messages:
>
> WARNING: Empty preacct section. Using default return values.
> WARNING: Empty accounting section. Using default return values.

Would it surprise you if I said it was because the server processing the Accounting-Request had an Empty preacct and empty accounting section?

> ignoring request with ID , already processing
> retransmitting RADIUS message
> ... #goes on for a while for IPSec, only twice for PPTP
> RADIUS is not responding
>

Could you provide the full debug (radiusd -X).

Arran Cudbard-Bell
FreeRADIUS Development Team
empty preacct and accounting section
I have been seeing this weird message for two days now. I setup PPTP and IPSec (ikev1) with freeradius + mysql.

In both cases I see Access-Accept and in Accounting-Request I see these two messages:

WARNING: Empty preacct section. Using default return values.
WARNING: Empty accounting section. Using default return values.

I have no clue where it's wrong. PPTP can connect but IPSec connection would just keep sending Accounting-Request and never connects (it looks like connection depends on this step). The obvious consequence of this is that there is no accounting info in the DB (due to above warning).

I did have success when configuring both separately before. When I combine both together it seems to always cause issue. I am sure it's a configuration issue but I just can't see where the problem is. I saw a post related to this before but it had no resolution other than telling OP that his configuration was wrong.

One hint I have is the following log but I don't know what's the cause of it.

ignoring request with ID , already processing
retransmitting RADIUS message
... #goes on for a while for IPSec, only twice for PPTP
RADIUS is not responding

Thanks
Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
Arran - Ignore my 'What would happen to the FreeRADIUS processes…" question - I meant to delete that before sending my message.

On Sep 5, 2013, at 9:34 PM, Chris Decker wrote:

> Arran,
>
> Thank you for taking the time to so clearly lay things out - it seems like
> rlm_replicate will do exactly what we want!
>
> I'm going to look into using redis, as it is supported by logstash
> out-of-the-box and I'm guessing I'll get the benefit of 'guaranteed
> delivery'. What would happen to the FreeRADIUS processes should my client be
> unable to connect back to the redis 'server' (for whatever reason) for an
> extended period of time? Also, should I be nervous about using the redis
> module in production given the 'Experimental' redis module description in the
> 2.1.1 changelog?
>
> Thanks,
> Chris
>
> P.s. My apologies for replying via the digest - you replied before I had time
> to switch off of digests.
>
>> Date: Thu, 5 Sep 2013 19:11:35 +0100
>> From: Arran Cudbard-Bell
>> To: FreeRadius users mailing list
>> Subject: Re: FreeRADIUS Accounting Logging to Two Separate Locations
>> Simultaneously
>> Message-ID:
>> Content-Type: text/plain; charset=us-ascii
>>
>> On 5 Sep 2013, at 18:29, Chris Decker wrote:
>>
>>> All,
>>>
>>> I could use some help in understanding my options for the following
>>> scenario:
>>> In our environment, FreeRADIUS currently writes its Accounting logs to the
>>> local drive - one file per authorized client. In addition to the local
>>> logging, the Security group wants the Accounting logs sent to their logging
>>> cluster (in real-time) so they can put them in their elasticsearch database
>>> and respond to incidents.
>>
>> Well you don't want the main log file from the daemon which makes it easier.
>> That can only go to one place.
>>
>> There are four types of modules you could use for this:
>> - linelog
>> - detail
>> - replicate
>> - the db modules (ldap, sql, redis)
>>
>> Linelog can log to files or syslog, you construct the format lines using
>> static text and attributes.
>> Detail can only log to files, it just dumps the contents of an attribute
>> list to a file.
>> Replicate fires and forgets a copy of the Accounting-Request to a remote
>> server.
>> The DB modules just log to a table.
>>
>> You can list any combination of those modules in the accounting section of
>> the server to write to multiple destinations.
>>
>> It's generally sensible to log one copy of the accounting packets to disk on
>> the box it was received, most people use the detail module for this.
>>
>> For the other consumers, if they want off-box logging and don't want syslog,
>> forward them a copy of the packet using rlm_replicate. This copies the
>> incoming packet to another destination. It doesn't block, and doesn't wait
>> for a response, meaning it will be affected by packet loss. But that
>> shouldn't be an issue on a campus network if you set the QoS priorities
>> correctly, and hey, at least no congestive failure.
>>
>> For consuming those packets at the other end, you can use another instance
>> of FreeRADIUS (and configure it to not respond), or radsniff can be used to
>> pick them off the wire with libpcap, and output them in something very
>> similar to detail format.
>>
>> I've adopted radsniff as a bit of a pet project until FreeRADIUS 3.0.0 is
>> released (we're currently in feature freeze, so I needed something to hack
>> on). So if you want additional features like outputting packet 'signatures'
>> to syslog, and are willing to test the code then I'd be happy to add it in.
>>
>>> My question: What is the best way to make both the Ops and Security groups
>>> happy given the below limitations:
>>> - The Security group does not want to pull the logs from MySQL, as they
>>> want to use logstash/elasticsearch and this would just complicate things.
>>
>> Yeah and who wants to manage SQL tables with millions of rows, eww.
>>
>>> - The Ops group wants to avoid syslog because they fear syslog could block,
>>> causing their production FreeRADIUS servers to eventually stop responding
>>> to requests.
>>
>> Ok.
>>
>>> The options we are exploring, in order of preference:
>>> 1. "
Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
Arran,

Thank you for taking the time to so clearly lay things out - it seems like rlm_replicate will do exactly what we want!

I'm going to look into using redis, as it is supported by logstash out-of-the-box and I'm guessing I'll get the benefit of 'guaranteed delivery'. What would happen to the FreeRADIUS processes should my client be unable to connect back to the redis 'server' (for whatever reason) for an extended period of time? Also, should I be nervous about using the redis module in production given the 'Experimental' redis module description in the 2.1.1 changelog?

Thanks,
Chris

P.s. My apologies for replying via the digest - you replied before I had time to switch off of digests.

> Date: Thu, 5 Sep 2013 19:11:35 +0100
> From: Arran Cudbard-Bell
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS Accounting Logging to Two Separate Locations
> Simultaneously
> Message-ID:
> Content-Type: text/plain; charset=us-ascii
>
> On 5 Sep 2013, at 18:29, Chris Decker wrote:
>
>> All,
>>
>> I could use some help in understanding my options for the following scenario:
>> In our environment, FreeRADIUS currently writes its Accounting logs to the
>> local drive - one file per authorized client. In addition to the local
>> logging, the Security group wants the Accounting logs sent to their logging
>> cluster (in real-time) so they can put them in their elasticsearch database
>> and respond to incidents.
>
> Well you don't want the main log file from the daemon which makes it easier.
> That can only go to one place.
>
> There are four types of modules you could use for this:
> - linelog
> - detail
> - replicate
> - the db modules (ldap, sql, redis)
>
> Linelog can log to files or syslog, you construct the format lines using
> static text and attributes.
> Detail can only log to files, it just dumps the contents of an attribute list
> to a file.
> Replicate fires and forgets a copy of the Accounting-Request to a remote
> server.
> The DB modules just log to a table.
>
> You can list any combination of those modules in the accounting section of
> the server to write to multiple destinations.
>
> It's generally sensible to log one copy of the accounting packets to disk on
> the box it was received, most people use the detail module for this.
>
> For the other consumers, if they want off-box logging and don't want syslog,
> forward them a copy of the packet using rlm_replicate. This copies the
> incoming packet to another destination. It doesn't block, and doesn't wait
> for a response, meaning it will be affected by packet loss. But that
> shouldn't be an issue on a campus network if you set the QoS priorities
> correctly, and hey, at least no congestive failure.
>
> For consuming those packets at the other end, you can use another instance of
> FreeRADIUS (and configure it to not respond), or radsniff can be used to
> pick them off the wire with libpcap, and output them in something very
> similar to detail format.
>
> I've adopted radsniff as a bit of a pet project until FreeRADIUS 3.0.0 is
> released (we're currently in feature freeze, so I needed something to hack
> on). So if you want additional features like outputting packet 'signatures'
> to syslog, and are willing to test the code then I'd be happy to add it in.
>
>> My question: What is the best way to make both the Ops and Security groups
>> happy given the below limitations:
>> - The Security group does not want to pull the logs from MySQL, as they want
>> to use logstash/elasticsearch and this would just complicate things.
>
> Yeah and who wants to manage SQL tables with millions of rows, eww.
>
>> - The Ops group wants to avoid syslog because they fear syslog could block,
>> causing their production FreeRADIUS servers to eventually stop responding to
>> requests.
>
> Ok.
>
>> The options we are exploring, in order of preference:
>> 1. "Robust Accounting" - the Ops team believes there is a way to have the
>> logs written to two locations simultaneously - locally and remotely, and if
>> the remote connection is lost it does not impact operations. Is this
>> possible? Does anyone have a sample config they could share?
>
> Um, that's a pretty basic feature of the server, just list multiple modules
> in the accounting section.
>
>> 2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly.
>> A script would then essentially 'tail -f' the log file and stream the logs
>>
FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
All,

I could use some help in understanding my options for the following scenario:
In our environment, FreeRADIUS currently writes its Accounting logs to the local drive - one file per authorized client. In addition to the local logging, the Security group wants the Accounting logs sent to their logging cluster (in real-time) so they can put them in their elasticsearch database and respond to incidents.

My question: What is the best way to make both the Ops and Security groups happy given the below limitations:
- The Security group does not want to pull the logs from MySQL, as they want to use logstash/elasticsearch and this would just complicate things.
- The Ops group wants to avoid syslog because they fear syslog could block, causing their production FreeRADIUS servers to eventually stop responding to requests.

--

The options we are exploring, in order of preference:
1. "Robust Accounting" - the Ops team believes there is a way to have the logs written to two locations simultaneously - locally and remotely, and if the remote connection is lost it does not impact operations. Is this possible? Does anyone have a sample config they could share?
2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly. A script would then essentially 'tail -f' the log file and stream the logs to the Security group (and would handle the hourly filename changes obviously).
3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a local file AND send remotely to the Security group. The Ops group wants to avoid syslog if at all possible.
4. Re-configure FreeRADIUS to also log to MySQL. The Security group would then have to figure out a way to pull the data out in near-real time and insert it into their own database, which they would like to avoid.

Any comments or suggestions are welcome.

Thanks,
Chris
Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
The default install comes with a few accounting virtual servers that you can use. I'd strongly advise one of the out of band asynchronous ones.

If you use UDP syslog is not blocking... it is fire and forget... so you might lose packets if you have congested links or a disruption between source and destination. For security throw a VPN tunnel between the hosts.

At the end is whatever floats your boat and is maintainable... you had a big list some of which seem prone to issues and overworked. And why not think of it the other way around? Let security have all the logs and then give ops access to the data via their system... ops then no longer need to worry about data retention, the legal issues, disk space etc... they just run a radius daemon ;)

alan
Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
Alan,

Thanks for responding. I'm from the Security group so I'm not intimately familiar with FreeRADIUS - can you please elaborate on how it would work if we set up a Virtual Accounting server?

Sent from my iPhone

> On Sep 5, 2013, at 5:53 PM, Alan Buxey wrote:
>
> The default install comes with a few accounting virtual servers that you can
> use. I'd strongly advise one of the out of band asynchronous ones.
>
> If you use UDP syslog is not blocking... it is fire and forget... so you
> might lose packets if you have congested links or a disruption between source
> and destination. For security throw a VPN tunnel between the hosts.
>
> At the end is whatever floats your boat and is maintainable... you had a big
> list some of which seem prone to issues and overworked. And why not think of
> it the other way around? Let security have all the logs and then give ops
> access to the data via their system... ops then no longer need to worry about
> data retention, the legal issues, disk space etc... they just run a radius
> daemon ;)
>
> alan
Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
On 5 Sep 2013, at 18:29, Chris Decker wrote:

> All,
>
> I could use some help in understanding my options for the following scenario:
> In our environment, FreeRADIUS currently writes its Accounting logs to the
> local drive - one file per authorized client. In addition to the local
> logging, the Security group wants the Accounting logs sent to their logging
> cluster (in real-time) so they can put them in their elasticsearch database
> and respond to incidents.

Well you don't want the main log file from the daemon which makes it easier. That can only go to one place.

There are four types of modules you could use for this:
- linelog
- detail
- replicate
- the db modules (ldap, sql, redis)

Linelog can log to files or syslog, you construct the format lines using static text and attributes.
Detail can only log to files, it just dumps the contents of an attribute list to a file.
Replicate fires and forgets a copy of the Accounting-Request to a remote server.
The DB modules just log to a table.

You can list any combination of those modules in the accounting section of the server to write to multiple destinations.

It's generally sensible to log one copy of the accounting packets to disk on the box it was received, most people use the detail module for this.

For the other consumers, if they want off-box logging and don't want syslog, forward them a copy of the packet using rlm_replicate. This copies the incoming packet to another destination. It doesn't block, and doesn't wait for a response, meaning it will be affected by packet loss. But that shouldn't be an issue on a campus network if you set the QoS priorities correctly, and hey, at least no congestive failure.

For consuming those packets at the other end, you can use another instance of FreeRADIUS (and configure it to not respond), or radsniff can be used to pick them off the wire with libpcap, and output them in something very similar to detail format.

I've adopted radsniff as a bit of a pet project until FreeRADIUS 3.0.0 is released (we're currently in feature freeze, so I needed something to hack on). So if you want additional features like outputting packet 'signatures' to syslog, and are willing to test the code then I'd be happy to add it in.

> My question: What is the best way to make both the Ops and Security groups
> happy given the below limitations:
> - The Security group does not want to pull the logs from MySQL, as they want
> to use logstash/elasticsearch and this would just complicate things.

Yeah and who wants to manage SQL tables with millions of rows, eww.

> - The Ops group wants to avoid syslog because they fear syslog could block,
> causing their production FreeRADIUS servers to eventually stop responding to
> requests.

Ok.

> The options we are exploring, in order of preference:
> 1. "Robust Accounting" - the Ops team believes there is a way to have the
> logs written to two locations simultaneously - locally and remotely, and if
> the remote connection is lost it does not impact operations. Is this
> possible? Does anyone have a sample config they could share?

Um, that's a pretty basic feature of the server, just list multiple modules in the accounting section.

> 2. Re-configure FreeRADIUS to write to one giant log-file, rotated hourly. A
> script would then essentially 'tail -f' the log file and stream the logs to
> the Security group (and would handle the hourly filename changes obviously).

Sure. Unlike core logging, modules will re-open the file handle each time they write an entry, this is nice because you can just move the files out of the way at rotate time, and not so nice, because it's slow. Depends on load as to whether this is ok.

> 3. Re-configure FreeRADIUS to log to syslog, and have syslog write to a local
> file AND send remotely to the Security group. The Ops group wants to avoid
> syslog if at all possible.

Ok.

> 4. Re-configure FreeRADIUS to also log to MySQL. The Security group would
> then have to figure out a way to pull the data out in near-real time and
> insert it into their own database, which they would like to avoid.
>

Nah... Replicate the packet stream, let them do whatever they want with it. That's usually the easiest way to solve these sorts of issues.

-Arran

Arran Cudbard-Bell
FreeRADIUS Development Team
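The configuration the reply above describes, as an added example that is not part of the thread or of the FreeRADIUS distribution: an accounting virtual server whose preacct and accounting sections actually list modules (empty ones are the cause of the "Empty preacct section" warnings in the earlier thread on this page), writing a local detail file and replicating each Accounting-Request to a second collector. It assumes FreeRADIUS 2.x syntax and the stock preprocess, acct_unique, detail and replicate module instances; the names acct_in, security_collector, security_pool and security_logs, the file locations, the address 192.0.2.10 and the secret are placeholders.

```conf
# raddb/sites-enabled/acct_in   (file and server names are assumptions)
server acct_in {
	# Accounting-Requests arriving on this listener are processed by the
	# preacct and accounting sections of THIS server block. A listener
	# defined outside any server {} block uses the global sections instead;
	# if those are empty, the "Empty preacct section" and
	# "Empty accounting section" warnings appear.
	listen {
		type = acct
		ipaddr = *
		port = 1813
	}

	preacct {
		preprocess
		acct_unique
	}

	accounting {
		# Copy 1: detail file on the box that received the packet.
		detail

		# Copy 2: fire-and-forget copy to the second consumer.
		# replicate does not wait for a reply, so an unreachable
		# collector does not block this server; a lost copy is not resent.
		update control {
			Replicate-To-Realm := "security_logs"
		}
		replicate
	}
}

# raddb/proxy.conf additions. The realm named in Replicate-To-Realm must
# resolve to a home_server_pool and a home_server, as for Proxy-To-Realm.
home_server security_collector {
	type = acct
	# Placeholder address from the documentation range.
	ipaddr = 192.0.2.10
	port = 1813
	# Placeholder; use the secret configured for this client on the collector.
	secret = REPLACE_WITH_SHARED_SECRET
}

home_server_pool security_pool {
	type = fail-over
	home_server = security_collector
}

realm security_logs {
	acct_pool = security_pool
}
```

Replicated Accounting-Requests carry usernames and session attributes in cleartext over UDP, so the VPN tunnel suggested elsewhere in this thread for syslog applies to this path as well.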
Re: Accounting packets not received
On 1 Aug 2013, at 11:21, Phil Mayers wrote:

> On 01/08/13 10:02, Gab Quidilla wrote:
>> Hi,
>>
>> I ran radsniff. I had someone at our branch login to the switches, and
>> still no accounting packets, while when I log into our switches, the
>> accounting packet is received. This is somewhat network-related yes?
>
> Entirely. If the accounting packets don't arrive, then they're either not
> getting sent, or getting dropped.

^ (by the network)

Arran Cudbard-Bell
FreeRADIUS Development Team
Re: Accounting packets not received
On 01/08/13 10:02, Gab Quidilla wrote:

> Hi,
>
> I ran radsniff. I had someone at our branch login to the switches, and
> still no accounting packets, while when I log into our switches, the
> accounting packet is received. This is somewhat network-related yes?

Entirely. If the accounting packets don't arrive, then they're either not getting sent, or getting dropped.
Re: Accounting packets not received
Hi,

I ran radsniff. I had someone at our branch login to the switches, and still no accounting packets, while when I log into our switches, the accounting packet is received. This is somewhat network-related yes?

If it helps, here's the pic of the radsniff's output: http://i41.tinypic.com/2zp5g78.jpg

On Thu, Aug 1, 2013 at 4:44 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:

> Run radsniff. Make sure you see packets.
>
> Arran Cudbard-Bell
> FreeRADIUS Development Team
Re: Accounting packets not received
On 08/01/2013 09:35 AM, Gab Quidilla wrote:

> office, it would not pass through the firewall. Accessing the branches passes
> through the firewall, but the fw WAN link is configured for accepting all packets

Yeah... sorry, but we hear that a lot on this mailing list, and quite often the firewall was not, in fact, configured to "permit all"

> Authentication and authorization works fine, but accounting packets are not
> received. Is there any setting in the config files that I should check/modify?

Like I said, use tcpdump to *confirm* the accounting packets are actually arriving at the server before focussing on the server.

As for settings to check - you said the shared secrets are different, so check and double-check those, and that the correct "client" statements are matching.
Re: Accounting packets not received
On 1 Aug 2013, at 09:35, Gab Quidilla wrote:

> Hi, thanks for the reply.
>
> I'm pretty sure that every NAS is sending accounting packets, because I am
> using the same config on the switches here and for other branches, the only
> difference is the shared secret used.
>
> On the first post is Pastebin links, with the accounting packet received
> after authentication. When accessing the switches here at the head office, it
> would not pass through the firewall. Accessing the branches passes through
> the firewall, but the fw WAN link is configured for accepting all packets
>
> Authentication and authorization works fine, but accounting packets are not
> received. Is there any setting in the config files that I should check/modify?

Run radsniff. Make sure you see packets.

Arran Cudbard-Bell
FreeRADIUS Development Team
Re: Accounting packets not received
Hi, thanks for the reply.

I'm pretty sure that every NAS is sending accounting packets, because I am using the same config on the switches here and for other branches, the only difference is the shared secret used.

On the first post is Pastebin links, with the accounting packet received after authentication. When accessing the switches here at the head office, it would not pass through the firewall. Accessing the branches passes through the firewall, but the fw WAN link is configured for accepting all packets

Authentication and authorization works fine, but accounting packets are not received. Is there any setting in the config files that I should check/modify?

On Thu, Aug 1, 2013 at 4:04 PM, Phil Mayers wrote:

> Are you sure the NAS is sending accounting packets?
>
> If the accounting packets don't reach FreeRADIUS, then FreeRADIUS can't do
> anything with them. Check the NAS is actually sending accounting packets.
> If it is, tcpdump on the server to see if it arrives.
Re: Accounting packets not received
On 08/01/2013 08:51 AM, Gab Quidilla wrote:

> Good day,
>
> We have several branches configured for RADIUS. We are using freeradius
> 2.1.12 from CentOS 6.4 repo, plus daloradius 0.9.9, and MySQL.
>
> The problem is that accounting packets are not received here in our head
> office when accessing other branches' switches. When we access our own
> switches, everything is logged into the db.
>
> Branches connection is Head office > firewall > point-to-point to retail > retail > isp > branch
>
> Firewall connection to branches is allow-all, so this is the confusing part

Are you sure the NAS is sending accounting packets?

> Requests are logged in freeradius log file, but it is incomplete and what we
> would like to accomplish is accounting packets to be recorded

If the accounting packets don't reach FreeRADIUS, then FreeRADIUS can't do anything with them. Check the NAS is actually sending accounting packets. If it is, tcpdump on the server to see if it arrives.
Accounting packets not received
Good day,

We have several branches configured for RADIUS. We are using freeradius 2.1.12 from CentOS 6.4 repo, plus daloradius 0.9.9, and MySQL.

The problem is that accounting packets are not received here in our head office when accessing other branches' switches. When we access our own switches, everything is logged into the db.

Branches connection is Head office > firewall > point-to-point to retail > retail > isp > branch

Firewall connection to branches is allow-all, so this is the confusing part

Requests are logged in freeradius log file, but it is incomplete and what we would like to accomplish is accounting packets to be recorded

With accounting packet: http://pastebin.com/M5XPYjQG
Without accounting packet: http://pastebin.com/XVCTxug6
Re: Accounting: visualize login, logout and commands
For switches, ensure that you are sending accounting and ensure on the radius server that you are recording such packets... but what switches are you running as eg Cisco switches use Tacacs+ for sending details of all commands run...

alan
Re: Accounting: visualize login, logout and commands
Roberto Carna wrote:

> Dear, and what can I do to account just login, logout and session times for
> switches and Linux boxes ???

As I said, see the switch documentation.

FreeRADIUS *receives* accounting packets. It doesn't *create* them. If you want to receive data in an accounting packet, look at the system which is creating them.

Your question is like asking your ISP why you aren't receiving email from your friend John. Well... go ask John why he isn't sending any email. It's not your ISP's problem.

Alan DeKok.
Re: Accounting: visualize login, logout and commands
Dear, and what can I do to account just login, logout and session times for switches and Linux boxes ???

Because by default I can see any accounting event.

Thanks again.

Roberto

2013/6/3 Alan DeKok

> Roberto Carna wrote:
> > Dear, I've implemented a Freeradius server for SSH Linux and Telnet
> > Switch authentication.
> >
> > How can I do in order to get accounting of logins, logouts and -if
> > possible- the commands executed by the users authenticated ???
>
> See the switch documentation. If it can log commands via RADIUS, then
> FreeRADIUS will log them. Otherwise, it's impossible.
>
> I'm not aware of any Linux system which allows for command logging via
> RADIUS.
>
> Alan DeKok.
Re: Accounting: visualize login, logout and commands
Roberto Carna wrote:
> Dear, I've implemented a Freeradius server for SSH Linux and Telnet
> Switch authentication.
>
> How can I do in order to get accounting of logins, logouts and -if
> possible- the commands executed by the users authenticated ???

See the switch documentation. If it can log commands via RADIUS, then FreeRADIUS will log them. Otherwise, it's impossible.

I'm not aware of any Linux system which allows for command logging via RADIUS.

Alan DeKok.
Accounting: visualize login, logout and commands
Dear, I've implemented a Freeradius server for SSH Linux and Telnet Switch authentication.

How can I do in order to get accounting of logins, logouts and -if possible- the commands executed by the users authenticated ???

I'm using Daloradius to have a friendly graphical mode.

Thanks a lot,

Roberto A.K.A El loco
Re: Issue with radius accounting
Arvind Bahuguni wrote:
> I am not interested in any argument, i wanted to check what may be the
> problem with my radius server as accounting is successful with free
> radius on other server.

You were given an answer. You could have believed it, or asked a clarifying question. Instead, you argued with the answer. And then insisted you weren't arguing.

You can continue to post *more* questions, just not the same ones.

If you post one more message arguing about it, you will be unsubscribed and banned.

If you post one more reply containing hundreds of lines of useless text, you will be unsubscribed and banned.

It's really not hard. Follow instructions, and you *will* fix the problem. That's what this list is for.

This list is *not* for people who refuse to follow instructions. They will be unsubscribed and banned.

This is your last warning.

Alan DeKok.
Re: Issue with radius accounting
Hi,

>I am not interested in any argument, i wanted to check what may be the
>problem with my radius server as accounting is successful with free radius
>on other server.

..and as per response to emails you are sending me directly, this is nothing to do with the RADIUS server config. If a RADIUS server doesn't get accounting packets from a NAS then it is an issue of the NAS - why do you believe that the NAS would send accounting packets to BOTH NASs? A NAS will usually use just one RADIUS server and only use the next one if it gets no response (e.g. for auth) from the RADIUS server.

alan
Re: Issue with radius accounting
I am not interested in any argument, i wanted to check what may be the problem with my radius server as accounting is successful with free radius on other server. On May 26, 2013 6:51 AM, wrote: > Send Freeradius-Users mailing list submissions to > freeradius-users@lists.freeradius.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.freeradius.org/mailman/listinfo/freeradius-users > or, via email, send a message with subject or body 'help' to > freeradius-users-requ...@lists.freeradius.org > > You can reach the person managing the list at > freeradius-users-ow...@lists.freeradius.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Freeradius-Users digest..." > > > Today's Topics: > >1. Re: Issue with radius accounting (Alan DeKok) >2. user from particular NAS-IP-Address (Pete Ashdown) >3. Re: user from particular NAS-IP-Address (Alan DeKok) >4. Error: rlm_sql_unixodbc: SQL down 08S01 > [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server > is unavailable or does notexist (Bill Grant) >5. Re: Error: rlm_sql_unixodbc: SQL down 08S01 > [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server > is unavailable or doesnot exist (Alan DeKok) >6. RE: Error: rlm_sql_unixodbc: SQL down 08S01 > [unixODBC][FreeTDS][SQL Server]Unable to connect: Adaptive Server > is unavailable or doesnot exist (Bill Grant) >7. 
Re: Auth-Type = Reject not being obeyed (Matthew Melbourne) > > > -- > > Message: 1 > Date: Sat, 25 May 2013 13:30:57 -0400 > From: Alan DeKok > To: FreeRadius users mailing list > > Cc: "freeradius-users@lists.freeradius.org" > > Subject: Re: Issue with radius accounting > Message-ID: > Content-Type: text/plain; charset="us-ascii" > > On 2013-05-25, at 12:39 PM, Arvind Bahuguni wrote: > > > Hi Alan, > > I am suspecting some radius setting on my server because free radius on > other server is responding and authentication and accounting is successful > > > For one, you need to edit your posts. It's ridiculous to reply to a > digest message, and include hundreds of lines of irrelevant text. > > And if you know so much more than me about RADIUS, you shouldn't be > asking questions on this list. > > If you're going to ask questions and then argue with the answers, you > will be unsubscribed from the list and banned permanently. > > Alan DeKok. > -- next part -- > An HTML attachment was scrubbed... > URL: < > http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130525/dc49bb28/attachment-0001.html > > > > -- > > Message: 2 > Date: Sat, 25 May 2013 14:31:12 -0600 > From: Pete Ashdown > To: freeradius-users@lists.freeradius.org > Subject: user from particular NAS-IP-Address > Message-ID: <20130525203112.ga20...@xmission.com> > Content-Type: text/plain; charset=us-ascii > > I'm trying to restrict a guest user from a single NAS-IP-Address via > "users" > and I can't get it to work. > > Doesn't work: > > testNAS-IP-Address == "127.0.0.1" > Auth-Type := Accept > > testNAS-IP-Address == "127.0.1.1" > Auth-Type := Accept > > Works, but it isn't restricted by NAS: > > test Auth-Type := Accept > > I've also tried "Calling-Station-ID == 127.0.1.1" to no avail. > > > Also, how would I do this for a group of NAS IP addresses? Is it possible > to > assign them to a group in "clients.conf" that can be later checked against > in > "users"? 
Where is the documentation of what can be tested against in the > "users" file? > > > -- > > Message: 3 > Date: Sat, 25 May 2013 18:23:44 -0400 > From: Alan DeKok > To: FreeRadius users mailing list > > Subject: Re: user from particular NAS-IP-Address > Message-ID: <51a139f0.9070...@deployingradius.com> > Content-Type: text/plain; charset=ISO-8859-1 > > Pete Ashdown wrote: > > I'm trying to restrict a guest user from a single NAS-IP-Address via > "users" > > and I can't get it to work. > > > > Doesn't work: > > > > test NAS-IP-Address == "127.0.0.1" > > Auth-Type := Accept > > That's wrong. Why? See the debug output.
Re: Issue with radius accounting
On 2013-05-25, at 12:39 PM, Arvind Bahuguni wrote:
> Hi Alan,
> I am suspecting some radius setting on my server because free radius on other
> server is responding and authentication and accounting is successful
>

For one, you need to edit your posts. It's ridiculous to reply to a digest message, and include hundreds of lines of irrelevant text.

And if you know so much more than me about RADIUS, you shouldn't be asking questions on this list.

If you're going to ask questions and then argue with the answers, you will be unsubscribed from the list and banned permanently.

Alan DeKok.
Re: Issue with radius accounting
Hi Alan, I am suspecting some radius setting on my server because free radius on other server is responding and authentication and accounting is successful. On May 24, 2013 7:56 PM, wrote: > Send Freeradius-Users mailing list submissions to > freeradius-users@lists.freeradius.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.freeradius.org/mailman/listinfo/freeradius-users > or, via email, send a message with subject or body 'help' to > freeradius-users-requ...@lists.freeradius.org > > You can reach the person managing the list at > freeradius-users-ow...@lists.freeradius.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Freeradius-Users digest..." > > > Today's Topics: > >1. AES-GCM (Pieter Hulshoff) >2. Re: AES-GCM (Phil Mayers) >3. Re: AES-GCM (Pieter Hulshoff) >4. Re: AES-GCM (Phil Mayers) >5. Re: AES-GCM (Pieter Hulshoff) >6. Re: issue with radius accounting (Alan DeKok) >7. Re: Failure authenticate using IPv6 (Alan DeKok) >8. Re: Retrieving eDirectory VLAN attributes (Alan DeKok) > > > -- > > Message: 1 > Date: Fri, 24 May 2013 12:44:02 +0200 > From: Pieter Hulshoff > To: freeradius-users@lists.freeradius.org > Subject: AES-GCM > Message-ID: <2687107.xyZuJZ1fbJ@spaceballsml> > Content-Type: text/plain; charset="us-ascii" > > Hello all, > > Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the > documentation, the wiki or the mailinglist archives, but perhaps I'm > looking > in the wrong place? > > Kind regards, > > Pieter Hulshoff > > > > -- > > Message: 2 > Date: Fri, 24 May 2013 12:21:47 +0100 > From: Phil Mayers > To: freeradius-users@lists.freeradius.org > Subject: Re: AES-GCM > Message-ID: <519f4d4b.4080...@imperial.ac.uk> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > On 24/05/13 11:44, Pieter Hulshoff wrote: > > Hello all, > > > > Does FreeRADIUS support AES-GCM in EAP-TLS? 
I couldn't find the term in > the > > documentation, the wiki or the mailinglist archives, but perhaps I'm > looking > > in the wrong place? > > Typically this is down the TLS libraries; it's not usually the case that > the application needs to do anything. > > That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS > 1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve > itself in this level of detail - that's an aspect of the TLS library > (OpenSSL) we use, and whatever the EAP-TLS client is using. > > Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP > or TTLS) never actually sends any data over the TLS session; > essentially, it consists solely of the handshake. In TLS terms, EAP-TLS > never sends any TLS records of type=23 (application data). So, the > negotiated cipher is not used for very much. > > PEAP and TTLS have "inner" EAP exchanges, that are protected with the > TLS session, and sent as TLS type=23 records. > > Slightly OT, there seems to be some degree of uncertainty about GCM in > general, and whether it's a sensible cipher mode - for example, see > http://www.imperialviolet.org/2013/01/13/rwc03.html > > > -- > > Message: 3 > Date: Fri, 24 May 2013 13:47:36 +0200 > From: Pieter Hulshoff > To: FreeRadius users mailing list > > Subject: Re: AES-GCM > Message-ID: <2024766.p6x3QSbeB1@spaceballsml> > Content-Type: text/plain; charset="us-ascii" > > On Friday, May 24, 2013 12:21:47 PM Phil Mayers wrote: > > On 24/05/13 11:44, Pieter Hulshoff wrote: > > > Hello all, > > > > > > Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in > > > the > > > documentation, the wiki or the mailinglist archives, but perhaps I'm > > > looking in the wrong place? > > > > Typically this is down the TLS libraries; it's not usually the case that > > the application needs to do anything. > > It seems I have a lot to learn yet about what is and is not a part of > FreeRADIUS. 
My apologies for pushing (slightly) OT subjects onto the > mailinglist. > > > That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS > > 1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve > > itself in this level of detail - that's an aspect of the TLS library > >
Re: issue with radius accounting
Arvind Bahuguni wrote:
> Hi,
> Need help in resolving radius issues. My radius server is not
> processing accounting packets, radius server is sending access-accept
> but not proceeding further with accounting, it will send access-accept
> and start waiting for another request.

This is in the FAQ. Read it.

> Looks like some radius server setting issues, please help me.

So... the RADIUS server doesn't receive packets, and you blame it?

How about blaming the system which *sends* the accounting packets?

Alan DeKok.
issue with radius accounting
Hi,

Need help in resolving radius issues. My radius server is not processing accounting packets, radius server is sending access-accept but not proceeding further with accounting, it will send access-accept and start waiting for another request.

Looks like some radius server setting issues, please help me.

Thanks,
Arvind
Re: AAA Accounting Relay
On Wed, May 8, 2013 at 3:23 PM, wrote:
> Hi,
>
>>What we would like to do is to send both Auth and Accounting requests to a
>>AAA server and then forward just the accounting records to another AAA
>>server that is back-ended to MySQL.
>
> yes, just proxy the accounting - either using some unlang and proxy.conf
> or by using eg robust accounting virtual server

... or rlm_replicate.

https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/raddb/modules/replicate

--
Fajar
Re: AAA Accounting Relay
Hi,

>What we would like to do is to send both Auth and Accounting requests to a
>AAA server and then forward just the accounting records to another AAA
>server that is back-ended to MySQL.

yes, just proxy the accounting - either using some unlang and proxy.conf or by using e.g. the robust accounting virtual server

alan
AAA Accounting Relay
Newbie question for the group. Has anyone successfully set up a Radius Relay for Accounting as this older article for LDAP lists?

http://freeradius.org/radiusd/doc/ldap_howto.txt

What we would like to do is to send both Auth and Accounting requests to a AAA server and then forward just the accounting records to another AAA server that is back-ended to MySQL.

Thanks.
Re: Not processing accounting packet
Tyller D wrote:
> The process I'm using is as follows. User connects to landing page,
> landing page sends access-request to server with users details.
> FreeRADIUS then sends a COA to the NAS to change the state and apply
> attributes. However when FreeRADIUS gets the accounting-start packet, it
> does nothing with it. Can someone please tell me how I can log this
> normally in radacct table? In my accounting section i have accounting {
> sql }

So... you butchered the configuration files, and now are wondering why it doesn't work.

> rad_recv: Accounting-Request packet from host 172.16.255.35 port 2,
> id=200, length=244
> Acct-Status-Type = Start
> Acct-Multi-Session-Id = "SESS-464-72c952-395089-4201e"
> Acct-Session-Id = "SESS-464-72c952-395089-4201e"
> User-Name = "10269783"
> Event-Timestamp = "May 1 2013 09:58:34 SAST"
> Trapeze-VLAN-Name = "DataA"
> Calling-Station-Id = "04-54-53-85-CA-82"
> NAS-Port-Id = "AP13/2"
> Called-Station-Id = "AC-4B-C8-02-23-41:BTC HOTSPOT - FAIRGROUND"
> Trapeze-Attr-19 = 0x69706164
> Trapeze-Attr-21 = 0x696f73
> NAS-Port = 464
> Framed-IP-Address = 172.16.100.18
> NAS-Port-Type = Wireless-802.11
> NAS-IP-Address = 172.16.255.35
> NAS-Identifier = "XON"
> Acct-Delay-Time = 0
> WARNING: Empty preacct section. Using default return values.
> WARNING: Empty accounting section. Using default return values.

Maybe that's a hint.

The entire point of the debug output is to READ IT. It's not rocket science. There's a bunch of stuff, followed by

WARNING ARE YOU SURE THIS IS RIGHT

Which may be a message you want to read and think about.

My suggestion is this:

1) don't butcher the default configurations. It's clear you don't know what they do, but you destroyed them anyways

2) do use the default examples, with only minor edits. Use the method suggested in "man radiusd". It's really very simple

3) read the debug output. Look for WARNING or ERROR. It's that easy

Alan DeKok.
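The advice above (read the debug output, look for WARNING or ERROR) can be automated so that a server which receives accounting packets but never records them is flagged. This is an added example, not part of the original thread or of FreeRADIUS; the function names are hypothetical and the sample text is constructed from the debug lines quoted in the message.

```python
import re

# Constructed sample, modelled on the `radiusd -X` output quoted in the thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 51340, id=79, length=64
\tUser-Name = "10269783"
++[control] returns noop
Sending Access-Accept of id 79 to 127.0.0.1 port 51340
\tAcct-Interim-Interval = 120
rad_recv: Accounting-Request packet from host 172.16.255.35 port 2, id=200, length=244
\tAcct-Status-Type = Start
\tAcct-Session-Id = "SESS-464-72c952-395089-4201e"
\tUser-Name = "10269783"
WARNING: Empty preacct section.  Using default return values.
WARNING: Empty accounting section.  Using default return values.
"""

RECV_RE = re.compile(
    r"^rad_recv: (?P<code>[\w-]+) packet from host (?P<host>\S+) port \d+, id=(?P<id>\d+)"
)
ATTR_RE = re.compile(r"^\s+(?P<name>[\w-]+) = (?P<value>.*)$")
ALERT_RE = re.compile(r"\b(?P<level>WARNING|ERROR):\s*(?P<msg>.*)$")
EMPTY_SECTION_RE = re.compile(r"Empty (\w+) section")


def scan_debug(text):
    """Return every WARNING/ERROR line together with the packet it was logged for."""
    findings = []
    packet = None      # most recent rad_recv packet
    in_attrs = False   # True only while reading that packet's attribute list
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            packet = {"code": m["code"], "host": m["host"],
                      "id": int(m["id"]), "attrs": {}}
            in_attrs = True
            continue
        m = ATTR_RE.match(line) if in_attrs else None
        if m:
            packet["attrs"][m["name"]] = m["value"].strip('"')
            continue
        in_attrs = False  # any other line ends the received attribute list
        m = ALERT_RE.search(line)
        if m:
            findings.append({
                "level": m["level"],
                "message": m["msg"].strip(),
                "packet": packet["code"] if packet else None,
                "client": packet["host"] if packet else None,
                "status": packet["attrs"].get("Acct-Status-Type") if packet else None,
            })
    return findings


def unrecorded_accounting(findings):
    """Sections reported empty while an Accounting-Request was being handled."""
    sections = []
    for f in findings:
        m = EMPTY_SECTION_RE.search(f["message"])
        if m and f["packet"] == "Accounting-Request":
            sections.append(m.group(1))
    return sections


if __name__ == "__main__":
    results = scan_debug(SAMPLE_DEBUG)
    for f in results:
        print(f)
    print("empty sections hit by accounting:", unrecorded_accounting(results))
```

A non-empty result from `unrecorded_accounting` means sessions are being accepted without any accounting record, which leaves a gap in the audit trail.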
Re: Not processing accounting packet
Ok, so the problem lies somewhere in the originate-coa file. If I remove that file from the sites-enable accounting-messages are handled fine. But if I don't have that defined I get this error when trying to send CoA Wed May 1 12:39:03 2013 : Info: WARNING: Unknown destination 172.16.255.35:3799 for CoA request. Can anyone tell me how I can both send a CoA to a NAS and process the accounting-start/accounting-stop packet? On Wed, May 1, 2013 at 10:10 AM, Tyller D wrote: > Hi All, > > I'm having a problem that I can't find a solution to. > > The process I'm using is as follows. User connects to landing page, > landing page sends access-request to server with users details. FreeRADIUS > then sends a COA to the NAS to change the state and apply attributes. > However when FreeRADIUS gets the accounting-start packet, it does nothing > with it. Can someone please tell me how I can log this normally in radacct > table? In my accounting section i have accounting { sql } > > sql_xlat finished > rlm_sql (sql): Released sql socket id: 4 > expand: %{sql:SELECT IFNULL((SELECT IF(ims.vouchers.`data`= 0, > 0,IF((ims.vouchers.`data` - > (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets))) > < 0,-1, ims.vouchers.`data` - > (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets > AS voucherdata FROM radius.radacct,ims.vouchers WHERE > radius.radacct.username='%{request:User-Name}' AND radius.radacct.username > = ims.vouchers.voucher AND radius.radacct.acctterminatecause<>'Hotspot > Restart'),(SELECT ims.vouchers.`data` FROM ims.vouchers WHERE > ims.vouchers.voucher='%{request:User-Name}')) as voucherdata} -> 1048576 > ++[control] returns noop > sql_xlat > expand: %{User-Name} -> 10269783 > sql_set_user escaped user --> '10269783' > expand: SELECT IFNULL((SELECT IF(ims.user_account.`data`= 0, > 0,IF((ims.user_account.`data` - > (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets))) > < 0,-1, ims.user_account.`data` - > 
(SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets > AS voucherdata FROM radius.radacct,ims.user_account WHERE > radius.radacct.username='%{request:User-Name}' AND radius.radacct.username > = ims.user_account.username AND radius.radacct.acctterminatecause<>'Hotspot > Restart'),(SELECT ims.user_account.`data` FROM ims.user_account WHERE > ims.user_account.username='%{request:User-Name}')) as voucherdata -> SELECT > IFNULL((SELECT IF(ims.user_account.`data`= 0, 0,IF((ims.user_account.`data` > - > (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets))) > < 0,-1, ims.user_account.`data` - > (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets > AS voucherdata FROM radius.radacct,ims.user_account WHERE > radius.radacct.username='10269783' AND radius.radacct.username = > rlm_sql (sql): Reserving sql socket id: 3 > row[0] returned NULL > rlm_sql (sql): Released sql socket id: 3 > expand: %{sql:SELECT IFNULL((SELECT IF(ims.user_account.`data`= 0, > 0,IF((ims.user_account.`data` - > (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets))) > < 0,-1, ims.user_account.`data` - > (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets > AS voucherdata FROM radius.radacct,ims.user_account WHERE > radius.radacct.username='%{request:User-Name}' AND radius.radacct.username > = ims.user_account.username AND radius.radacct.acctterminatecause<>'Hotspot > Restart'),(SELECT ims.user_account.`data` FROM ims.user_account WHERE > ims.user_account.username='%{request:User-Name}')) as voucherdata} -> > ++[control] returns noop > ++? if (control:IMS-ActiveDirectory == 0) > ? Evaluating (control:IMS-ActiveDirectory == 0) -> FALSE > ++? if (control:IMS-ActiveDirectory == 0) -> FALSE > ++? if (control:IMS-Timeout < 0) > ? Evaluating (control:IMS-Timeout < 0) -> FALSE > ++? if (control:IMS-Timeout < 0) -> FALSE > ++? elsif (control:IMS-Timeout > 0) > ? 
Evaluating (control:IMS-Timeout > 0) -> FALSE > ++? elsif (control:IMS-Timeout > 0) -> FALSE > ++? if (control:IMS-Data < 0) > ? Evaluating (control:IMS-Data < 0) -> FALSE > ++? if (control:IMS-Data < 0) -> FALSE > ++? if (control:IMS-Data > 0) > ? Evaluating (control:IMS-Data > 0) -> TRUE > ++? if (control:IMS-Data > 0) -> TRUE > ++- entering if (control:IMS-Data > 0) {...} > expand: %{control:IMS-Data} -> 1048576 > +++[reply] returns noop > ++- if (control:IMS-Data > 0) returns noop > ++? if (c
Not processing accounting packet
Hi All, I'm having a problem that I can't find a solution to. The process I'm using is as follows. User connects to landing page, landing page sends access-request to server with users details. FreeRADIUS then sends a COA to the NAS to change the state and apply attributes. However when FreeRADIUS gets the accounting-start packet, it does nothing with it. Can someone please tell me how I can log this normally in radacct table? In my accounting section i have accounting { sql } sql_xlat finished rlm_sql (sql): Released sql socket id: 4 expand: %{sql:SELECT IFNULL((SELECT IF(ims.vouchers.`data`= 0, 0,IF((ims.vouchers.`data` - (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets))) < 0,-1, ims.vouchers.`data` - (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets AS voucherdata FROM radius.radacct,ims.vouchers WHERE radius.radacct.username='%{request:User-Name}' AND radius.radacct.username = ims.vouchers.voucher AND radius.radacct.acctterminatecause<>'Hotspot Restart'),(SELECT ims.vouchers.`data` FROM ims.vouchers WHERE ims.vouchers.voucher='%{request:User-Name}')) as voucherdata} -> 1048576 ++[control] returns noop sql_xlat expand: %{User-Name} -> 10269783 sql_set_user escaped user --> '10269783' expand: SELECT IFNULL((SELECT IF(ims.user_account.`data`= 0, 0,IF((ims.user_account.`data` - (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets))) < 0,-1, ims.user_account.`data` - (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets AS voucherdata FROM radius.radacct,ims.user_account WHERE radius.radacct.username='%{request:User-Name}' AND radius.radacct.username = ims.user_account.username AND radius.radacct.acctterminatecause<>'Hotspot Restart'),(SELECT ims.user_account.`data` FROM ims.user_account WHERE ims.user_account.username='%{request:User-Name}')) as voucherdata -> SELECT IFNULL((SELECT IF(ims.user_account.`data`= 0, 0,IF((ims.user_account.`data` - 
(SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets))) < 0,-1, ims.user_account.`data` - (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets AS voucherdata FROM radius.radacct,ims.user_account WHERE radius.radacct.username='10269783' AND radius.radacct.username = rlm_sql (sql): Reserving sql socket id: 3 row[0] returned NULL rlm_sql (sql): Released sql socket id: 3 expand: %{sql:SELECT IFNULL((SELECT IF(ims.user_account.`data`= 0, 0,IF((ims.user_account.`data` - (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets))) < 0,-1, ims.user_account.`data` - (SUM(radius.radacct.acctinputoctets)+SUM(radius.radacct.acctoutputoctets AS voucherdata FROM radius.radacct,ims.user_account WHERE radius.radacct.username='%{request:User-Name}' AND radius.radacct.username = ims.user_account.username AND radius.radacct.acctterminatecause<>'Hotspot Restart'),(SELECT ims.user_account.`data` FROM ims.user_account WHERE ims.user_account.username='%{request:User-Name}')) as voucherdata} -> ++[control] returns noop ++? if (control:IMS-ActiveDirectory == 0) ? Evaluating (control:IMS-ActiveDirectory == 0) -> FALSE ++? if (control:IMS-ActiveDirectory == 0) -> FALSE ++? if (control:IMS-Timeout < 0) ? Evaluating (control:IMS-Timeout < 0) -> FALSE ++? if (control:IMS-Timeout < 0) -> FALSE ++? elsif (control:IMS-Timeout > 0) ? Evaluating (control:IMS-Timeout > 0) -> FALSE ++? elsif (control:IMS-Timeout > 0) -> FALSE ++? if (control:IMS-Data < 0) ? Evaluating (control:IMS-Data < 0) -> FALSE ++? if (control:IMS-Data < 0) -> FALSE ++? if (control:IMS-Data > 0) ? Evaluating (control:IMS-Data > 0) -> TRUE ++? if (control:IMS-Data > 0) -> TRUE ++- entering if (control:IMS-Data > 0) {...} expand: %{control:IMS-Data} -> 1048576 +++[reply] returns noop ++- if (control:IMS-Data > 0) returns noop ++? if (control:IMS-UserData < 0) ? Evaluating (control:IMS-UserData < 0) -> FALSE ++? if (control:IMS-UserData < 0) -> FALSE ++? 
if (control:IMS-UserData > 0) ? Evaluating (control:IMS-UserData > 0) -> FALSE ++? if (control:IMS-UserData > 0) -> FALSE ++[reply] returns noop } # server ims Sending Access-Accept of id 79 to 127.0.0.1 port 51340 Trapeze-Qos-Profile = "MB100" Mikrotik-Total-Limit = 1048576 Acct-Interim-Interval = 120 # Executing section pre-proxy from file /etc/freeradius/sites-enabled/ims +- entering group pre-proxy {...} [detail]expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/detail-20130501 [detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0
Re: Cellular Roaming Accounting
Gerry Gasca wrote:
> I have recently inherited working on a freeRadius on openSUSE server on
> a cellular implementation. I'll be upfront that my Linux skills are
> minimal and I know nothing about freeRadius.

Posting here is a good start.

> I don't know what version of freeRadius we are running. I was afraid to
> run radiusd -v because the man page said it would run and exit. This is
> a production server and I didn't want to risk killing the process. I'll
> schedule a maintenance window to run that.

Don't bother. It's safe. When you run "radiusd -v", the *current* program prints the version and exits. It doesn't poke the running daemon.

> My issue is I need to implement total data transferred daily logging for
> a particular realm to implement roaming. My first thought was to get it
> from the detail files. I can probably write a script to accomplish this
> but I can't find the RAT-Type attribute in the log entries. I need to
> break out 1xRTT and EVDO totals for this realm. The Radio Access
> Technology type would be perfect for this but as I said can't find it in
> the detail file.

If it's not there, then the NAS isn't sending it.

> I know a little about mysql but not much. It is implemented on this
> server. Can I pull this data from the radacct table? I thought I might
> need to implement the rls_counter module. It is not currently implemented.

You could pull the data from the SQL table. I'd recommend that. The detail file is really just a backup for SQL data. (For various reasons)

You should be able to query the SQL table, and key off of the User-Name, where the realm is the one you want. Then, add up the various columns.

So this is really an SQL issue. Look at the tables shipped with FreeRADIUS to determine the structure. Then write SQL queries.

> Sorry I have short windows of time to try things on this server so I'm
> trying to line up as much as I can ahead of time before getting stuck
> and wasting a maintenance window.

You should be able to query your SQL table live. Just run "SELECT"s, and nothing else.

Alan DeKok.
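A sketch of the read-only query suggested above: daily octet totals for one realm, keyed off the realm part of User-Name. This is an added example, not from the original thread; it runs against an in-memory SQLite table so it can be tried offline. The table is a simplified subset of radacct using the column names that appear in the queries quoted on this page, the rows are constructed, and the function names are hypothetical.

```python
import sqlite3

# Subset of radacct: only the columns this report needs. The types are
# simplified for SQLite; check the schema shipped with your FreeRADIUS.
SCHEMA = """
CREATE TABLE radacct (
    radacctid        INTEGER PRIMARY KEY,
    username         TEXT,
    acctstarttime    TEXT,
    acctstoptime     TEXT,
    acctinputoctets  INTEGER,
    acctoutputoctets INTEGER
)"""

# Constructed rows (not real accounting data).
SAMPLE_ROWS = [
    ("alice@companyx.com", "2013-04-07 00:00:02", "2013-04-07 00:10:00", 1000, 5000),
    ("bob@companyx.com", "2013-04-07 09:00:00", "2013-04-07 09:30:00", 200, 800),
    ("alice@companyx.com", "2013-04-08 08:00:00", "2013-04-08 08:05:00", 300, 700),
    ("carol@other.example", "2013-04-07 10:00:00", "2013-04-07 11:00:00", 9999, 9999),
    ("bob@companyx.com", "2013-04-08 23:50:00", None, 50, 50),  # session still open
]

# A SELECT and nothing else. The realm is passed as a bound parameter, never
# pasted into the SQL text. DATE(), SUBSTR() and INSTR() also exist in MySQL,
# where the placeholder style of the driver (often %s) replaces the "?".
# Simplification: a session is counted on the day it stopped, and sessions
# without a stop record are left out.
DAILY_TOTALS = """
SELECT date(acctstoptime)                      AS day,
       COUNT(*)                                AS sessions,
       SUM(acctinputoctets)                    AS octets_in,
       SUM(acctoutputoctets)                   AS octets_out,
       SUM(acctinputoctets + acctoutputoctets) AS octets_total
FROM radacct
WHERE acctstoptime IS NOT NULL
  AND instr(username, '@') > 0
  AND substr(username, instr(username, '@') + 1) = ?
GROUP BY date(acctstoptime)
ORDER BY day
"""


def build_sample_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (username, acctstarttime, acctstoptime,"
        " acctinputoctets, acctoutputoctets) VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def daily_realm_totals(conn, realm):
    """Return (day, sessions, octets_in, octets_out, octets_total) per day."""
    return conn.execute(DAILY_TOTALS, (realm,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in daily_realm_totals(db, "companyx.com"):
        print(row)
```

The query cannot break the totals out by radio technology: as the reply says, if the NAS does not send that attribute it never reaches the table.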
Cellular Roaming Accounting
I have recently inherited working on a freeRadius on openSUSE server on a cellular implementation. I'll be upfront that my Linux skills are minimal and I know nothing about freeRadius.

I don't know what version of freeRadius we are running. I was afraid to run radiusd -v because the man page said it would run and exit. This is a production server and I didn't want to risk killing the process. I'll schedule a maintenance window to run that.

My issue is I need to implement total data transferred daily logging for a particular realm to implement roaming. My first thought was to get it from the detail files. I can probably write a script to accomplish this but I can't find the RAT-Type attribute in the log entries. I need to break out 1xRTT and EVDO totals for this realm. The Radio Access Technology type would be perfect for this but as I said can't find it in the detail file.

I know a little about mysql but not much. It is implemented on this server. Can I pull this data from the radacct table? I thought I might need to implement the rls_counter module. It is not currently implemented.

Sorry I have short windows of time to try things on this server so I'm trying to line up as much as I can ahead of time before getting stuck and wasting a maintenance window.

Here is a sample start record in the detail file:

    User-Name = "5558675...@companyx.com"
    NAS-IP-Address = ###.###.###.###
    Acct-Status-Type = Start
    Acct-Session-Id = "ecs+xv67"
    Acct-Delay-Time = 0
    Acct-Authentic = RADIUS
    NAS-Port = 2265
    NAS-Port-Type = Virtual
    Calling-Station-Id = "15558675309"
    Framed-Protocol = PPP
    Framed-IP-Address = ###.###.###.###
    Event-Timestamp = "Apr 7 2013 00:00:02 EDT"
    Acct-Input-Octets = 0
    Acct-Output-Octets = 0
    3GPP2-Correlation-Id = "ecs+yshC"
    3GPP2-User-Id = 0
    3GPP2-Forward-FCH-Mux-Option = 2337
    3GPP2-Reverse-FCH-Mux-Option = 2337
    3GPP2-Service-Option = 33
    3GPP2-Forward-Traffic-Type = 0
    3GPP2-Reverse-Traffic-Type = 0
    3GPP2-FCH-Frame-Size = 2
    3GPP2-Forward-FCH-RC = 3
    3GPP2-Reverse-FCH-RC = 3
    3GPP2-IP-Technology = 1
    3GPP2-Compulsory-Tunnel-Indicator = 0
    3GPP2-PCF-IP-Address = ###.###.###.###
    3GPP2-BSID = "14EE0001"
    3GPP2-Home-Agent-IP-Address = 0.0.0.0
    3GPP2-Bad-PPP-Frame-Count = 0
    3GPP2-Number-Active-Transitions = 0
    3GPP2-Terminating-SDB-Octet-Count = 0
    3GPP2-Originating-SDB-OCtet-Count = 0
    3GPP2-Terminating-Number-SDBs = 0
    3GPP2-Originating-Number-SDBs = 0
    3GPP2-IP-QoS = 0
    3GPP2-Session-Continue = 1
    3GPP2-Inbound-Mobile-IP-Sig-Octets = 0
    3GPP2-Outbound-Mobile-IP-Sig-Octets = 0
    3GPP2-Airlink-Priority = 13
    3GPP2-Received-HDLC-Octets = 0
    3GPP2-Attr-41 = 0x486a95e1
    3GPP2-Module-Orig-Term-Indicator = 0x
    3GPP2-Forward-DCCH-Mux-Option = 0
    3GPP2-Reverse-DCCH-Mux-Option = 0
    3GPP2-Forward-DCCH-RC = 0
    3GPP2-Reverse-DHHC-RC = 0
    3GPP2-Service-Reference-Id = 0x0104000102040001
    3GPP2-DCCH-Frame-Size = 0
    3GPP2-Begin-Session = 1
    3GPP2-Active-Time = 0
    Service-Type = Framed-User
    Acct-Unique-Session-Id = "efb3ccab5e594101"
    Stripped-User-Name = "5558675309"
    Realm = "companyx.com"
    Timestamp = 1365307202
    Request-Authenticator = Verified
Re: Get Stop in accounting do some action
Dear Arran

I see in the log file that the preacct section is executed first and then the UPDATE of radacct by AcctStopTime. If I need to change that record, I need to execute my Perl script or unlang script after the database is updated with AcctStopTime, so do I need to change the location of this:

preacct {
    if (Acct-Status-Type == 'Stop') {
    }
}

LOG file:

[]
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_postgresql: query: START TRANSACTION
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 0
rlm_sql_postgresql: query: UPDATE radippool SET nasipaddress = '', pool_key = 0, callingstationid = '', expiry_time = 'now'::timestamp(0) - '1 second'::interval WHERE nasipaddress = '78.39.54.132' AND pool_key = '32' AND username = 'test1' AND callingstationid = '188.245.240.75' AND framedipaddress = '192.168.90.100'
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql_postgresql: query: COMMIT
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 0
Released IP 192.168.90.100 (did 78.39.54.132 cli 188.245.240.75 user test1)
rlm_sql (sql): Released sql socket id: 0
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: UPDATE radacct SET AcctStopTime = ('2013-03-07 07:31:04'::timestamp - '0'::interval), AcctSessionTime = CASE WHEN '176' = '' THEN (EXTRACT(EPOCH FROM ('2013-03-07 07:31:04'::TIMESTAMP WITH TIME ZONE - AcctStartTime::TIMESTAMP WITH TIME ZONE - '0'::INTERVAL)))::BIGINT ELSE NULLIF('176','')::BIGINT END, AcctInputOctets = (('0'::bigint << 32) + '28689'::bigint), AcctOutputOctets = (('0'::bigint << 32) + '80'::bigint), AcctTerminateCause = 'NAS-Request', AcctStopDelay = 0, FramedIPAddress = NULLIF('192.168.90.100', '')::inet, ConnectInfo_stop = '' WHERE AcctSessionId = '8116' AND UserName = 'test1' AND NASIPAddress = '78.39.54.132' AND AcctStopTime IS NULL
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 4
Ready to process requests.

On Sun, Mar 3, 2013 at 8:30 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
> On 3 Mar 2013, at 11:32, Mehdi Ravanbakhsh wrote:
>
> > Hello everyone
> >
> > I need to update some check and replay attribute in database when get
> > stop in accounting and the session is finish
> >
> > i need to know in which section of virtual server file (
> > sites-enabled/default) i need to put unlang script (and/or perl script) ?
> >
> > and
> >
> > how i can check in script if accounting get stop packet , .
>
> preacct {
>     if (Acct-Status-Type == 'Stop') {
>         calculate and do some query in database in radcheck and radreplay>
>     }
> }

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Replicate accounting packets to multiple servers
Shreya Shah wrote:
> How can I replicate accounting packets to multiple servers when I have
> only one realm ?

Read raddb/modules/replicate

> I have setup replicate and replicate-to realm in
> accounting section and also home_server and pool in proxy.conf but
> replication only works for the first home server. It wouldn't replicate
> accounting to the other server. This is how my proxy.conf config for
> replication looks.
...
> DEFAULT {
>
> Replicate-To-Realm := remote
>
> }

That is completely wrong. Delete it.

> I just see the replication accounting packets being sent only to
> remote_server and not to col_server.

Read raddb/modules/replicate. This is documented.

Alan DeKok.
Replicate accounting packets to multiple servers
Hi,

How can I replicate accounting packets to multiple servers when I have only one realm? I have set up replicate and replicate-to realm in the accounting section and also home_server and pool in proxy.conf, but replication only works for the first home server. It wouldn't replicate accounting to the other server. This is how my proxy.conf config for replication looks.

home_server remote_server {
    ipaddr = x.x.x.x
    port = 1813
    type = acct
    secret = testing123
}

home_server col_server {
    ipaddr = x.x.x.x
    port = 1813
    type = acct
    secret = testing
}

home_server_pool remote_pool {
    type = fail-over
    home_server = remote_server
}

home_server_pool col_pool {
    type = fail-over
    home_server = col_server
}

DEFAULT {
    Replicate-To-Realm := remote
}

realm remote {
    acct_pool = remote_pool
    acct_pool = col_pool
}

I just see the replication accounting packets being sent only to remote_server and not to col_server.

Thanks,
Shreya.
Re: Get Stop in accounting do some action
Dear Arran

Many thanks for your help.

I have another question: how can I access the Acctuniqueid of the record in this unlang script and in the Perl script?

On Sun, Mar 3, 2013 at 8:30 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
> On 3 Mar 2013, at 11:32, Mehdi Ravanbakhsh wrote:
>
> > Hello everyone
> >
> > I need to update some check and replay attribute in database when get
> > stop in accounting and the session is finish
> >
> > i need to know in which section of virtual server file (
> > sites-enabled/default) i need to put unlang script (and/or perl script) ?
> >
> > and
> >
> > how i can check in script if accounting get stop packet , .
>
> preacct {
>     if (Acct-Status-Type == 'Stop') {
>         calculate and do some query in database in radcheck and radreplay>
>     }
> }
Re: Get Stop in accounting do some action
On 3 Mar 2013, at 11:32, Mehdi Ravanbakhsh wrote:
> Hello everyone
>
> I need to update some check and replay attribute in database when get stop
> in accounting and the session is finish
>
> i need to know in which section of virtual server file (
> sites-enabled/default) i need to put unlang script (and/or perl script) ?
>
> and
>
> how i can check in script if accounting get stop packet , .

preacct {
    if (Acct-Status-Type == 'Stop') {
    }
}
Get Stop in accounting do some action
Hello everyone

I need to update some check and replay attributes in the database when I get a stop in accounting and the session is finished.

I need to know in which section of the virtual server file (sites-enabled/default) I need to put the unlang script (and/or Perl script)?

And how can I check in the script if accounting gets a stop packet, read some radacct field of that session to do some calculation, and do some query in the database in radcheck and radreplay.

Best regards.
Re: few accounting records with same radacctid
Hi,

> In ma accounting table there are many records with the same radacctid for
> one username.

As Phil says - and can be seen, different called-station-id - and different (NAS id) IP address - what are your accounting statements?

alan
Re: few accounting records with same radacctid
On 02/08/2013 09:04 AM, Hocine M wrote:
> nobody?

The only thing that stands out is the Called-Station-Id is different. This suggests to me that something about the accounting packets changes as the client moves around (associates to different APs) and that the accounting SQL queries you are using don't handle that.

Which version of the server are you using, which SQL database, are you using the standard SQL query config and schema that comes with the server, and can you show a debug "radiusd -X" of an accounting packet (ideally a duplicate, but anything if not).
Re: few accounting records with same radacctid
nobody?

On 07/02/2013 13:25, Hocine M wrote:
> hello,
>
> In ma accounting table there are many records with the same radacctid for one username.
> In this case
>
> | 23547 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr| 2013-02-07 12:38:54 | NULL| 192.168.58.5 | 00-26-3E-70-99-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |
> | 23554 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr| 2013-02-07 12:38:54 | 2013-02-07 12:39:41 | 192.168.58.4 | 00-0B-0E-A9-5B-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |
>
> Is it a normal records or is the simultaneous-use not working in my case?
>
> Thank
Re: freeradius accounting of cdr and quotes for string attributes
Alan,

Thank you for the info.

Kelly
206.331.3525o 425.270.8481c

On Wed 06 Feb 2013 11:41:42 AM PST, Alan DeKok wrote:
few accounting records with same radacctid
Hello,

In my accounting table there are many records with the same radacctid for one username. In this case:

| 23547 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr| 2013-02-07 12:38:54 | NULL| 192.168.58.5 | 00-26-3E-70-99-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |
| 23554 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr | univ-rouen.fr| 2013-02-07 12:38:54 | 2013-02-07 12:39:41 | 192.168.58.4 | 00-0B-0E-A9-5B-C0:eduroam | 10.54.1.19 | CC-08-E0-BB-05-7E |

Are these normal records, or is simultaneous-use not working in my case?

Thanks
Re: freeradius accounting of cdr and quotes for string attributes
Kelly Roestel wrote:
> Yes that works. However, if the attribute is empty there will still be
> quotes in the csv file.

If you want generic string manipulation code, use a real programming language. Or, write a "csv" module to do what you want.

The linelog module is intended to write *lines of text*. That is, strings. It is *not* intended to write carefully formatted CSV files. It cannot be made to do that, as CSV files are not simple text strings.

Alan DeKok.
Re: freeradius accounting of cdr and quotes for string attributes
Matthew,

Yes that works. However, if the attribute is empty there will still be quotes in the csv file.

Example. Using

format = "\"%{Client-IP-Address}\",\"%{Calling-Station-Id}\",\"%{User-Name}\""

would yield

"x.x.x.x","station-x","Kelly"

If %{Calling-Station-Id} was null this format would yield

"x.x.x.x","","Kelly"

I would like to have blank attributes not insert quotes. So my desired format would be

"x.x.x.x",,"Kelly"

Thanks for the help so far.

Kelly
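An added example, not from the thread or the FreeRADIUS project, of the "real programming language" route Alan DeKok suggests: a Python formatter that quotes non-empty string attributes, leaves empty ones bare as Kelly asks, and doubles embedded quotes so an unusual User-Name cannot split the row, which the fixed linelog format string cannot do. The function names and sample records are constructed for illustration.

```python
"""CDR rows as CSV: quote non-empty string attributes, leave empty ones bare.

Added illustration; cdr_row/naive_row and the sample records are constructed.
"""
import csv
import io

FIELDS = ("Client-IP-Address", "Calling-Station-Id", "User-Name")


def csv_field(value):
    """Return one CSV field: nothing for empty/missing, else a quoted string."""
    if value is None or value == "":
        return ""
    # Keep one record per line even if an attribute carries CR or LF.
    cleaned = value.replace("\r", " ").replace("\n", " ")
    # RFC 4180: a double quote inside a quoted field is written twice.
    return '"' + cleaned.replace('"', '""') + '"'


def cdr_row(attrs, fields=FIELDS):
    """Build one CSV line from a dict of attribute name -> string value."""
    return ",".join(csv_field(attrs.get(name)) for name in fields)


def naive_row(attrs, fields=FIELDS):
    """Mimic a fixed format string of quoted items: always quoted, never escaped."""
    return ",".join('"' + (attrs.get(name) or "") + '"' for name in fields)


def parse(line):
    """Read a line back the way a CSV consumer (billing import, SIEM) would."""
    return next(csv.reader(io.StringIO(line)))


# Constructed sample records (not taken from any real log).
EMPTY_CLI = {
    "Client-IP-Address": "192.0.2.10",
    "Calling-Station-Id": "",
    "User-Name": "Kelly",
}
ODD_NAME = {
    "Client-IP-Address": "192.0.2.10",
    "Calling-Station-Id": "00-1C-B3-AA-AA-AA",
    "User-Name": 'bob","admin',   # the client controls this value
}

if __name__ == "__main__":
    for record in (EMPTY_CLI, ODD_NAME):
        for builder in (naive_row, cdr_row):
            line = builder(record)
            print(f"{builder.__name__:9} {line}  -> {len(parse(line))} fields")
```
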
Re: freeradius accounting of cdr and quotes for string attributes
On Tue, Feb 05, 2013 at 05:18:13PM +, Kelly Roestel wrote:
> If you look at the detailed format, these string attributes are
> enclosed. But there seems to be no option in linelog module.

linelog {
    ...
    format = "\"%{Client-IP-Address}\",\"%{Calling-Station-Id}\",\"%{User-Name}\""
    ...
}

Matthew

--
Matthew Newton, Ph.D.
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253,
freeradius accounting of cdr and quotes for string attributes
My question is this, I need to write CDR information out using the linelog module in csv format. The requirement is that all string attributes need to be enclosed in double quotes. How does one go about doing this? If you look at the detailed format, these string attributes are enclosed. But there seems to be no option in linelog module. I am using freeradius v2.1.10. Thanks for any help Kelly - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: user session & accounting mgmt
Suresh Kumar Subramanian wrote:
> How do we maintain the session time in free radius?

RADIUS doesn't do that.

> For example, a given user the session time is configured for 1 hour.
>
> After 1 hour, radius server should initiate "Session disconnect message"
> for the user to the NAS.

No. RADIUS doesn't do that. The NAS maintains the timer. The NAS disconnects the user after one hour. The RADIUS server does nothing.

> 2) where freeradius logs the accounting information? I have not
> configured the mysql. Does freeradius supports flat file for storing
> accounting records.?

Yes. Read the "accounting" section of raddb/sites-available/default

Alan DeKok.
user session & accounting mgmt
Hi,

I am a newbie and I have a couple of questions about FreeRADIUS.

1) How do we maintain the session time in FreeRADIUS? For example, for a given user the session time is configured for 1 hour. After 1 hour, the RADIUS server should initiate a "Session disconnect message" for the user to the NAS. I understand that FreeRADIUS does support "session disconnect message", but we can achieve this with the radclient utility. Ref: http://wiki.freeradius.org/protocol/Disconnect-Messages Here my problem is, how is the session timeout identified to trigger this disconnect message? Please help.

2) Where does FreeRADIUS log the accounting information? I have not configured MySQL. Does FreeRADIUS support flat files for storing accounting records?

Thanks
Suresh.
Re: Configuring accounting on Freeradius server
So my radius client was missing some configuration. Now the client sends accounting packets to the server. Thanks for the help on that.

Deepti

On Sun, Feb 3, 2013 at 7:56 PM, Alan DeKok wrote:
> Deepti kulkarni wrote:
> > No, my "production" client is not sending any accounting packets. I am
> > completely not sure how that can be set.
>
> If the NAS documentation doesn't say how to configure accounting, then
> it doesn't do accounting.
>
> Alan DeKok.
Re: Error syntax in sql accounting.
Hocine M wrote:
> Hi everybody,
>
> I always have an error in radius.log file :
>
> Mon Feb 4 16:16:52 2013 : Error: [sql_acct] Couldn't insert SQL
> accounting START record - Erreur de syntaxe près de '' à la ligne 1

Don't edit the configuration files and break them. You do understand what "Erreur de syntaxe" means, right?

> I made my radacct accounting table with the schema founf in
> /etc/freeradius/sql/mysql/schema.sql.
> I use a mysql server databse.
>
> in my sql.conf i use the standard queries for accounting.

It looks like you don't.

Run the server in debugging mode, as suggested in the FAQ, "man" page, web pages, and daily on this list. Only that will tell you what's really going on.

Alan DeKok.
Error syntax in sql accounting.
Hi everybody,

I always have an error in the radius.log file:

Mon Feb 4 16:16:52 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:01 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:06 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:10 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:15 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:24 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:26 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:34 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:47 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1
Mon Feb 4 16:17:54 2013 : Error: [sql_acct] Couldn't insert SQL accounting START record - Erreur de syntaxe près de '' à la ligne 1

I made my radacct accounting table with the schema found in /etc/freeradius/sql/mysql/schema.sql. I use a MySQL server database.

In my sql.conf I use the standard queries for accounting.

Any idea?
Re: Configuring accounting on Freeradius server
Deepti kulkarni wrote:
> No, my "production" client is not sending any accounting packets. I am
> completely not sure how that can be set.

If the NAS documentation doesn't say how to configure accounting, then it doesn't do accounting.

Alan DeKok.
Re: Configuring accounting on Freeradius server
On Fri, Feb 1, 2013 at 5:50 PM, Alan DeKok wrote:
> Deepti kulkarni wrote:
> > Thank you the answers. I see that my freeradius server is receiving
> > accounting request when I use "radclient" and it logs it as well.
>
> That's really not the point, is it? The point is whether or not the
> *production* client sends accounting packets.
>
> > As you said that the client is responsible for sending accounting
> > requests to the server, I am new to radius server and PAM, so not sure
> > how this is done (apart from using radclient)?
>
> The PAM module doesn't do accounting.
>
> If you're using another NAS (switch, etc.) it should do accounting.
>
> Alan DeKok.

No, my "production" client is not sending any accounting packets. I am completely not sure how that can be set.

Thanks
Re: Configuring accounting on Freeradius server
Deepti kulkarni wrote:
> Thank you the answers. I see that my freeradius server is receiving
> accounting request when I use "radclient" and it logs it as well.

That's really not the point, is it? The point is whether or not the *production* client sends accounting packets.

> As you said that the client is responsible for sending accounting
> requests to the server, I am new to radius server and PAM, so not sure
> how this is done (apart from using radclient)?

The PAM module doesn't do accounting.

If you're using another NAS (switch, etc.) it should do accounting.

Alan DeKok.
Re: Configuring accounting on Freeradius server
Thank you for the answers. I see that my freeradius server is receiving accounting requests when I use "radclient" and it logs them as well.

As you said that the client is responsible for sending accounting requests to the server, I am new to radius server and PAM, so not sure how this is done (apart from using radclient)? Pointers here would be appreciated.

Thanks

On Fri, Feb 1, 2013 at 8:20 AM, Alan DeKok wrote:
> Deepti kulkarni wrote:
> > The FAQ I looked at doesnt mention how-to configure accounting. Maybe I
> > am looking at wrong place? http://wiki.freeradius.org/Home
>
> Does that look like the FAQ? There *IS* a FAQ link on that page.
> Read it.
>
> The FAQ describes what to do when you don't receive accounting data.
>
> > Also, for the PAM, do I need to enable accounting on the client as well?
>
> No.
>
> > Is the client responsible for sending accounting packets to the
> > freeradius server?
>
> Yes.
>
> > Please let me know the FAQ link you are referring.
>
> I fail to understand why it's difficult to go to "www.freeradius.org",
> and click on the "FAQ" link.
>
> Alan DeKok.
Re: Configuring accounting on Freeradius server
Deepti kulkarni wrote:
> The FAQ I looked at doesnt mention how-to configure accounting. Maybe I
> am looking at wrong place? http://wiki.freeradius.org/Home

Does that look like the FAQ? There *IS* a FAQ link on that page. Read it.

The FAQ describes what to do when you don't receive accounting data.

> Also, for the PAM, do I need to enable accounting on the client as well?

No.

> Is the client responsible for sending accounting packets to the
> freeradius server?

Yes.

> Please let me know the FAQ link you are referring.

I fail to understand why it's difficult to go to "www.freeradius.org", and click on the "FAQ" link.

Alan DeKok.
Re: Configuring accounting on Freeradius server
On Thu, Jan 31, 2013 at 1:43 PM, Alan DeKok wrote:
> Deepti kulkarni wrote:
> > I am running Freeradius Server version 2.1.10 on a debian machine (64
> > bit). I have a debian client (using pam_radius_auth) for authentication
> > and accounting. My client can authenticate into the the radius server,
> > however, I dont see any accounting being done.
>
> Read the FAQ. This is answered there.
>
> > Is there any configuration required for the pam_radius_auth.so?
>
> Like what? The PAM module has documentation. Do you have a specific
> question?
>
> > Also on the freeradius server, I uncommented a line from acct_users -
>
> > # Replace the User-Name with the Stripped-User-Name, if it exists.
> > #
> > DEFAULT
> > User-Name := "%{Stripped-User-Name:-%{User-Name}}"
>
> No, that doesn't do what you want.
>
> Delete that. It's not necessary. The server already does the right
> thing.
>
> Alan DeKok.

The FAQ I looked at doesn't mention how to configure accounting. Maybe I am looking at the wrong place? http://wiki.freeradius.org/Home

Also, for the PAM, do I need to enable accounting on the client as well? Is the client responsible for sending accounting packets to the freeradius server?

Please let me know the FAQ link you are referring to.
Re: Configuring accounting on Freeradius server
Deepti kulkarni wrote:
> I am running Freeradius Server version 2.1.10 on a debian machine (64
> bit). I have a debian client (using pam_radius_auth) for authentication
> and accounting. My client can authenticate into the the radius server,
> however, I dont see any accounting being done.

Read the FAQ. This is answered there.

> Is there any configuration required for the pam_radius_auth.so?

Like what? The PAM module has documentation. Do you have a specific question?

> Also on the freeradius server, I uncommented a line from acct_users -
> # Replace the User-Name with the Stripped-User-Name, if it exists.
> #
> DEFAULT
> User-Name := "%{Stripped-User-Name:-%{User-Name}}"

No, that doesn't do what you want.

Delete that. It's not necessary. The server already does the right thing.

Alan DeKok.
Configuring accounting on Freeradius server
Hello,

I am running Freeradius Server version 2.1.10 on a debian machine (64 bit). I have a debian client (using pam_radius_auth) for authentication and accounting. My client can authenticate into the radius server, however, I don't see any accounting being done. Attached is the radiusd -X output.

Is there any configuration required for the pam_radius_auth.so?

Also on the freeradius server, I uncommented a line from acct_users -

root@debian:/etc/freeradius# cat acct_users
#
# $Id$
#
# This is like the 'users' file, but it is processed only for
# accounting packets.
#
# Select between different accounting methods based for example on the
# Realm, the Huntgroup-Name or any combinaison of the attribute/value
# pairs contained in an accounting packet.
#
#DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo
#
#DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi
#
#DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other
#
#DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start

# Replace the User-Name with the Stripped-User-Name, if it exists.
#
DEFAULT
    User-Name := "%{Stripped-User-Name:-%{User-Name}}"
root@debian:/etc/freeradius#

Thanks in advance.
Re: Usage Limit and Accounting Plan
On Tue, Jan 22, 2013 at 10:17 AM, Sokphak TOUCH wrote:
> Thanks Russell for your respond. It would more appreciate if you can share
> some document. At the mean time I will doing research about it.
>
> Regards,
> Sokphak

Understand the concept here, it is very easy with FreeRadius

http://wiki.freeradius.org/modules/Rlm_sqlcounter

Thanks
Re: Usage Limit and Accounting Plan
> 1. I need to limit the user monthly usage, for example bandwidth 2Mbps with 5GB monthly usage.

1a.) You would not need a script, you need "RLM SQLCOUNTER" to limit daily/weekly/monthly traffic quota
1b.) You need to control the bandwidth using radius and radius client attributes, such as WISPr-Bandwidth-Max-Down; WISPr-Bandwidth-Max-Up

Thanks
Re: Usage Limit and Accounting Plan
Thanks Russell for your response. I would appreciate it more if you could share some documents. In the meantime I will be doing research about it.

Regards,
Sokphak

On Tue, Jan 22, 2013 at 4:52 PM, Russell Mike wrote:
> > 1. I need to limit the user monthly usage, for example bandwidth 2Mbps
> > with 5GB monthly usage.
>
> 1a.) You would not need script, you need "RLM SQLCOUNTER" to limit
> daily/weekly/monthly traffic quota
> 1b.) you need to control the bandwidth using radius and radius client
> attributes, such as WISPr-Bandwidth-Max-Down; WISPr-Bandwidth-Max-Up
>
> Thanks
Re: accounting question
On 01/21/2013 06:47 AM, Tzvika Gelber wrote:
> i'm looking to focus a problem i have - i think the main issue is not
> freeradius but it's a good place to ask. I have a server that's do both
> Radius and accounting for Wifi random users (web redirected system). now
> i just discovered that to authenticate the users i have to use the server
> "secret" password

It's not a "server secret password". The correct term is "radius shared secret".

> on the accounting side i can use whatever i want and it will still work.
> (if the secret for the server is 12345 i can use abcde for the accounting
> and i'll get the accounting files).

No, this doesn't work reliably.

> The question is this, if we stick to the AAA protocol do you really need
> the "radius secret" to use accounting? or can i just drop it?

No. The secret is required for correct operation.
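Why accounting depends on the shared secret, as an added example that is not from the thread or from FreeRADIUS code: RFC 2866 defines the Accounting-Request authenticator as MD5 over Code + Identifier + Length + 16 zero octets + attributes + shared secret, so a server that checks it can tell a packet signed with a different secret, or altered in transit, from a genuine one. The function names are hypothetical; 12345 and abcde are the secrets from the question, and the attribute values are constructed.

```python
"""Accounting-Request authenticator check per RFC 2866, section 3.

Added illustration; function names and attribute values are constructed.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4      # RADIUS Code for Accounting-Request
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
ACCT_START = 1
HEADER_LEN = 20             # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def acct_authenticator(code, identifier, length, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(identifier, attrs, secret):
    """What the NAS does: sign the packet with its configured secret."""
    length = HEADER_LEN + len(attrs)
    auth = acct_authenticator(ACCOUNTING_REQUEST, identifier, length, attrs, secret)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length) + auth + attrs


def verify_accounting_request(packet, secret):
    """What the server does: recompute the hash with its own copy of the secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not HEADER_LEN <= length <= len(packet):
        return False
    attrs = packet[HEADER_LEN:length]   # octets past Length are padding, ignored
    expected = acct_authenticator(code, identifier, length, attrs, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed Start record, attribute names as in a radiusd -X dump.
ATTRS = (attr(USER_NAME, b"alice")
         + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
         + attr(ACCT_SESSION_ID, b"4D2BB8AC-0098"))

SERVER_SECRET = b"12345"    # secret configured for this client on the server
GOOD = build_accounting_request(15, ATTRS, SERVER_SECRET)
WRONG_SECRET = build_accounting_request(15, ATTRS, b"abcde")
# Same packet with the last octet of User-Name changed in transit (alice -> alicf).
TAMPERED = GOOD[:26] + b"f" + GOOD[27:]

if __name__ == "__main__":
    for label, pkt in (("matching secret", GOOD),
                       ("NAS uses abcde", WRONG_SECRET),
                       ("altered in transit", TAMPERED)):
        verdict = "accept" if verify_accounting_request(pkt, SERVER_SECRET) else "drop"
        print(f"{label:20} -> {verdict}")
```
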
accounting question
I'm looking to focus a problem I have - I think the main issue is not freeradius but it's a good place to ask.

I have a server that does both Radius and accounting for Wifi random users (web redirected system). Now I just discovered that to authenticate the users I have to use the server "secret" password; on the accounting side I can use whatever I want and it will still work (if the secret for the server is 12345 I can use abcde for the accounting and I'll get the accounting files).

The question is this: if we stick to the AAA protocol, do you really need the "radius secret" to use accounting, or can I just drop it?

--
Sometimes you just glow in the dark...
Usage Limit and Accounting Plan
Dear Team,

I have just finished installing and configuring FreeRadius for PPPoE users, and I need more features to meet user requirements. Currently, it already works for bandwidth limits by using the CISCO-AVpair attr returned to the CISCO LNS.

1. I need to limit the user monthly usage, for example bandwidth 2Mbps with 5GB monthly usage.
2. After the monthly usage is exceeded, I want the user's plan to change to 512Kbps, for example.

It would be related to scripting, but I have no idea about scripting. If anyone has already done that, I would really appreciate your sharing.

Thanks for the help from everyone in the community.

Regards,
--
Sokphak
Accounting with Freeradius.
I have one Freeradius server that I need to give to an outsource client of mine. The problem is that he is not very Linux oriented (to put it gently) and has even fewer skills in any form of SQL. He is going to cover some of our tests, and some of them are on the accounting side of connected clients.

I know that FR has accounting enabled by default, but in order to follow the accounting you need to have MySQL installed and know how to look into the SQL DB to find the right entries. Is there a graphic way to get that info?

What I'm asking is this: can one of the "FreeRadius" GUIs out there also interface with the MySQL server and show the accounting info? If so, which one?

Thank you.

--
Sometimes you just glow in the dark...
Re: accounting data
On Mon, Nov 12, 2012 at 2:25 AM, Fajar A. Nugraha wrote:
> On Mon, Nov 12, 2012 at 2:29 PM, Dirk van der Walt wrote:
>> Although rlm_counter is primarily used as an introduction here to
>> better understand the counter modules, the next section covers the
>> rlm_sqlcounter module. This module is more flexible and preferred.
>
> If it were me I'd jump directly to rlm_sqlcounter. Among other things,
> it uses data stored by sql accounting, where the query is fully
> customizable. So you can (for example) change it to "if two acct-stop
> packets arrive with the same Acct-Unique-Session-ID, update the record
> to use whicever is higher".
>
> --
> Fajar

I appreciate your great info. Right now I will not go with sql; this will run pfsense on a neoware box and mysql is too heavy for it, but I will follow your instructions and try sql. I'll let you know my output, thanks!!!
Re: accounting data
On Mon, Nov 12, 2012 at 2:29 PM, Dirk van der Walt wrote:
> Although rlm_counter is primarily used as an introduction here to
> better understand the counter modules, the next section covers the
> rlm_sqlcounter module. This module is more flexible and preferred.

If it were me I'd jump directly to rlm_sqlcounter. Among other things, it uses data stored by sql accounting, where the query is fully customizable. So you can (for example) change it to "if two acct-stop packets arrive with the same Acct-Unique-Session-ID, update the record to use whichever is higher".

--
Fajar
Re: accounting data
On Sun, Nov 11, 2012 at 5:45 AM, Alan DeKok wrote:
> Periko Support wrote:
>> On Sat, Nov 10, 2012 at 6:27 AM, Alan DeKok wrote:
>>> What does the debug output say?
> ..
>> This is the output:
>
> You've given a lot of information, which is nice But please don't
> send the output of "radtest". I didn't ask for it. It's not necessary.
>
> And you've deleted big chunks of the debug output. That *might* have
> helped.
>
> What does the "counter" module configuration look like? Have you
> edited it? If so, why? The default configuration works.
>
>> Nos a accounting stop:
> ...
>> rlm_counter: Packet Unique ID = 'e38661b89c4e83d0'
>> rlm_counter: Searching the database for key 'alice'
>> rlm_counter: Key found.
>> rlm_counter: Counter Unique ID = 'e38661b89c4e83d0'
>> rlm_counter: Unique IDs for user match. Droping the request.
>> ++[daily] returns noop
>
> Well, that explains everything. It's not doing counting, and the
> debug output shows this. The reason for running the server in debugging
> mode is for people to READ IT.
>
> As for why that happens, I have no idea. I didn't write the counter
> module, and I don't use it.
>
> So... what does the "counter" module configuration look like? Have
> you edited it? If so, why? The default configuration works.
>
> Alan DeKok.

counter daily {
    filename = ${db_dir}/db.daily
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = daily
    counter-name = Daily-Session-Time
    check-name = Max-Daily-Session
    reply-name = Session-Timeout
    # allowed-servicetype = Framed-User
    cache-size = 5000
}

The book says to comment out the "allowed-servicetype = Framed-User"; I have followed the book step by step.

Freeradius is new for me. I want to use it to manage users' time by day, but first I want to understand how it works and set up everything from scratch.

Thanks!!!
Re: accounting data
Periko Support wrote:
> On Sat, Nov 10, 2012 at 6:27 AM, Alan DeKok wrote:
>> What does the debug output say?
..
> This is the output:

You've given a lot of information, which is nice. But please don't send the output of "radtest". I didn't ask for it. It's not necessary.

And you've deleted big chunks of the debug output. That *might* have helped.

What does the "counter" module configuration look like? Have you edited it? If so, why? The default configuration works.

> Nos a accounting stop:
...
> rlm_counter: Packet Unique ID = 'e38661b89c4e83d0'
> rlm_counter: Searching the database for key 'alice'
> rlm_counter: Key found.
> rlm_counter: Counter Unique ID = 'e38661b89c4e83d0'
> rlm_counter: Unique IDs for user match. Droping the request.
> ++[daily] returns noop

Well, that explains everything. It's not doing counting, and the debug output shows this. The reason for running the server in debugging mode is for people to READ IT.

As for why that happens, I have no idea. I didn't write the counter module, and I don't use it.

So... what does the "counter" module configuration look like? Have you edited it? If so, why? The default configuration works.

Alan DeKok.
Re: accounting data
On Sat, Nov 10, 2012 at 6:27 AM, Alan DeKok wrote:
> Periko Support wrote:
>> This works, but I would like to understand: I can try those steps many
>> times and every time it gives me the same result, 1770. Isn't the
>> counter supposed to be lower every time I run the same steps?
>
> Only if the NAS is sending accounting packets.
>
> What does the debug output say?
>
> Alan DeKok.

This is the output:

radtest alice test 127.0.0.1 100 testing123
Sending Access-Request of id 32 to 127.0.0.1 port 1812
        User-Name = "alice"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 100
        Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=32, length=40
        Reply-Message = "Hello, alice"
        Session-Timeout = 300

debug:

rad_recv: Access-Request packet from host 127.0.0.1 port 36311, id=32, length=75
        User-Name = "alice"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 100
        Message-Authenticator = 0x2c214bd6f2cb15d2c0d224a851ca167d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "alice", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry alice at line 170
[files] expand: Hello, %{User-Name} -> Hello, alice
++[files] returns ok
rlm_counter: Entering module authorize code
rlm_counter: Searching the database for key 'alice'
rlm_counter: Could not find the requested key in the database.
rlm_counter: Check item = 300, Count = 0
rlm_counter: res is greater than zero
rlm_counter: (Check item - counter) is greater than zero
rlm_counter: Authorized user alice, check_item=300, counter=0
rlm_counter: Sent Reply-Item for user alice, Type=Session-Timeout, value=300
++[daily] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "test"
[pap] Using clear text password "test"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 32 to 127.0.0.1 port 36311
        Reply-Message = "Hello, alice"
        Session-Timeout = 300
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 32 with timestamp +42
Ready to process requests.

accounting start:

radclient 127.0.0.1 auto testing123 -f 4088_06_acct_start.txt
Received response ID 15, code 5, length = 20

debug:

rad_recv: Accounting-Request packet from host 127.0.0.1 port 48415, id=15, length=144
        Acct-Session-Id = "4D2BB8AC-0098"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Name = "alice"
        NAS-Port = 0
        Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
        Calling-Station-Id = "00-1C-B3-AA-AA-AA"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 48Mbps 802.11b"
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "4D2BB8AC-0098",User-Name = "alice"'
[acct_unique] Acct-Unique-Session-ID = "e38661b89c4e83d0".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "alice", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[detail]expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/detail-20121110
[detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/detail-20121110
[detail]expand: %t -> Sat Nov 10 19:35:50 2012
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
++[unix] returns ok
[radutmp] e
Re: accounting data
Periko Support wrote:
> This works, but I would like to understand: I can try those steps many
> times and every time it gives me the same result, 1770. Isn't the
> counter supposed to be lower every time I run the same steps?

Only if the NAS is sending accounting packets.

What does the debug output say?

Alan DeKok.
Re: accounting data
My fault, this message wasn't finished; I will continue here:

On Fri, Nov 9, 2012 at 1:09 PM, Periko Support wrote:
> Hi.
>
> Centos 5.x
> FreeRadius 2.1.1.
>
> I'm reading the book freeradius beginners Guide chapter 6: accounting.
>
> Page 139.
>
> Amount of Time.
>
> I have followed the book, and would like to set up my freeradius and be
> able to manage users' time per day.
>
> Following the book, it says that to test we had better set up 3 files:
>
> start session
> stop session
>
> Make some changes to freeradius config files.
>
> Now, with these things ready, I follow the steps to see how it works:
>
> step 7) auth user.
> step 8) send an accounting start request.

wait 30 seconds or more
send an accounting stop request.
step 9) auth the users again.

The session timeout will be 1800-30=1770.

This works, but I would like to understand: I can try those steps many times and every time it gives me the same result, 1770. Isn't the counter supposed to be lower every time I run the same steps?

If I run the start session and wait 2 minutes, I get the same behavior: it gives me 1770.

This software is new for me but I want to understand this, thanks!!!

file: 4088_06_acct_start.txt

Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = "4D2BB8AC-0098"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = "alice"
NAS-Port = 0
Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
Calling-Station-Id = "00-1C-B3-AA-AA-AA"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 48Mbps 802.11b"

File: 4088_06_acct_stop.txt

Packet-Type=4
Packet-Dst-Port=1813
Acct-Session-Id = "4D2BB8AC-0098"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Name = "alice"
NAS-Port = 0
Called-Station-Id = "00-02-6F-AA-AA-AA:My Wireless"
Calling-Station-Id = "00-1C-B3-AA-AA-AA"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 48Mbps 802.11b"
Acct-Session-Time = 30
Acct-Input-Packets = 25
Acct-Output-Packets = 7
Acct-Input-Octets = 3407
Acct-Output-Octets = 867
Acct-Terminate-Cause = User-Request

Thanks!!!
Re: Accounting and DialupAdmin
Hi Alan on 08.11.2012 21:06, Alan DeKok wrote: > Erich Titl wrote: >> Yes, I know if I also change the attribute to Cleartext-Password. Any >> plans to support NT-Password hashes? > > In dialup_admin? Send a patch. This works for me diff -urN freeradius-server-2.2.0.orig/dialup_admin/conf/admin.conf freeradius-server-2.2.0/dialup_admin/conf/admin.conf --- freeradius-server-2.2.0.orig/dialup_admin/conf/admin.conf 2012-11-09 07:30:40.0 +0100 +++ freeradius-server-2.2.0/dialup_admin/conf/admin.conf 2012-11-09 07:44:28.0 +0100 @@ -133,7 +133,7 @@ general_radius_server_secret: XX general_auth_request_file: %{general_base_dir}/conf/auth.request # -# can be one of crypt,md5,clear +# can be one of crypt,md5,clear,smbpass # general_encryption_method: crypt # diff -urN freeradius-server-2.2.0.orig/dialup_admin/lib/crypt/smbpass.php freeradius-server-2.2.0/dialup_admin/lib/crypt/smbpass.php --- freeradius-server-2.2.0.orig/dialup_admin/lib/crypt/smbpass.php 1970-01-01 01:00:00.0 +0100 +++ freeradius-server-2.2.0/dialup_admin/lib/crypt/smbpass.php 2012-11-09 07:43:43.0 +0100 @@ -0,0 +1,6 @@ + cheers Erich Titl smime.p7s Description: S/MIME Kryptografische Unterschrift - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
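Review bot: In the admin.conf hunk the comment now lists smbpass as a fourth value, but nothing tells the administrator what it produces or which password attribute has to go with it. The same thread notes that switching to "clear" only works if the attribute is also changed to Cleartext-Password, so a second comment line saying that smbpass stores an NT hash and needs the attribute set to NT-Password would prevent the same mismatch here.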
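Review bot: The smbpass.php hunk header announces six added lines (@@ -0,0 +1,6 @@), yet none of them survive in this copy of the message, so the code that actually computes the hash cannot be reviewed. Please resend the new file in a form the archive does not strip, and say in the file which hashing routine it relies on and how a failure of that routine is reported back to the GUI.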
Re: Accounting and DialupAdmin
Erich Titl wrote:
> Yes, I know if I also change the attribute to Cleartext-Password. Any
> plans to support NT-Password hashes?

In dialup_admin? Send a patch.

Alan DeKok.
Re: Accounting and DialupAdmin
Alan

on 08.11.2012 19:10, Alan DeKok wrote:
> Erich Titl wrote:
>> #
>> # can be one of crypt,md5,clear
>> #
>> general_encryption_method: crypt
>>
>> this appears to be used by the GUI
>>
>> Now with MSCHAP this appears not to work simply out of the box. Does one
>> need to hack that code or is there a canonical way to be used for M$ W7
>> (P)EAP authentication?
>
> Change that from "crypt" to "clear". Then PEAP will work.

Yes, I know if I also change the attribute to Cleartext-Password. Any plans to support NT-Password hashes?

Thanks

Erich Titl
Re: Accounting and DialupAdmin
Erich Titl wrote:
> #
> # can be one of crypt,md5,clear
> #
> general_encryption_method: crypt
>
> this appears to be used by the GUI
>
> Now with MSCHAP this appears not to work simply out of the box. Does one
> need to hack that code or is there a canonical way to be used for M$ W7
> (P)EAP authentication?

Change that from "crypt" to "clear". Then PEAP will work.

Alan DeKok.
Accounting and DialupAdmin
Hi gents

FR 2.0

I added a user to my database using the dialup_admin interface. The radcheck table shows the following

mysql> select * from radcheck
    -> ;
+----+----------+---------------+----+------------------------------------+
| id | username | attribute     | op | value                              |
+----+----------+---------------+----+------------------------------------+
|  2 | test     | NT-Password   | := | 7CE21F17C0AEE7FB9CEBA532D0546AD6   |
|  4 | test1    | User-Password | := | $1$SQZqMcWE$doZxYeK1Sb24QQJvmYpYm0 |
+----+----------+---------------+----+------------------------------------+

Now this is interesting. I can log in using the test account with the NT-Password attribute. The one created by dialup_admin with the name of test1 and the attribute User-Password cannot be used from the same M$ Windows 7 PC, as was to be expected from the compatibility table.

I looked into admin.conf and found

#
# can be one of crypt,md5,clear
#
general_encryption_method: crypt

this appears to be used by the GUI

Now with MSCHAP this appears not to work simply out of the box. Does one need to hack that code or is there a canonical way to be used for M$ W7 (P)EAP authentication?

Thanks

Erich
Re: Mysql, Accounting and DialupAdmin
On Thu, Nov 8, 2012 at 4:27 PM, Erich Titl wrote:
> I _guess_ it shows some accounting
>
> rad_recv: Accounting-Request packet from host 194.124.158.62 port 47037,
> id=165, length=135
>         Acct-Session-Id = "509ACAB9-000F"
>         Acct-Status-Type = Start

Do some stuff first with the client (e.g. browsing), then disconnect. Look for accounting stop packet. If it doesn't show Acct-In-Octets and friends, then your AP is seriously broken.

--
Fajar
Re: Mysql, Accounting and DialupAdmin
on 08.11.2012 09:01, Fajar A. Nugraha wrote:
...
>>
>> It is a ZyXEL, so basically a black box, even to the local vendor.
>
>
> Just to be sure, you HAVE enabled sql in accounting section, right?

I guess the fact that I have entries in the radacct table which correspond to actual connection attempts should prove that.

mysql> select username,acctstarttime,acctstoptime,acctinputoctets from radacct;
+----------+---------------------+---------------------+-----------------+
| username | acctstarttime       | acctstoptime        | acctinputoctets |
+----------+---------------------+---------------------+-----------------+
| test     | 2012-11-07 15:09:47 | 2012-11-07 15:15:48 |               0 |
| test     | 2012-11-07 15:15:48 | 2012-11-07 15:25:02 |               0 |
| test     | 2012-11-07 15:25:32 | 2012-11-07 15:41:52 |               0 |
| test     | 2012-11-07 21:20:53 | 2012-11-07 21:24:13 |               0 |
| test     | 2012-11-07 21:41:50 | 2012-11-07 21:42:13 |               0 |
| test     | 2012-11-07 21:42:43 | 2012-11-07 21:47:14 |               0 |
| test     | 2012-11-08 07:52:42 | 2012-11-08 07:55:45 |               0 |
| test     | 2012-11-08 08:35:15 | 2012-11-08 08:50:22 |               0 |
| test     | 2012-11-08 09:56:24 | 2012-11-08 10:02:28 |               0 |
| test     | 2012-11-08 10:06:58 | 2012-11-08 10:07:23 |               0 |
| test     | 2012-11-08 10:11:31 | 2012-11-08 10:12:06 |               0 |
| test     | 2012-11-08 10:12:20 | 2012-11-08 10:12:35 |               0 |
| test     | 2012-11-08 10:12:42 | 2012-11-08 10:13:11 |               0 |
| test     | 2012-11-08 10:13:27 | 2012-11-08 10:14:38 |               0 |
| test     | 2012-11-08 10:14:51 | NULL                |               0 |
+----------+---------------------+---------------------+-----------------+

>
> If you want to be extra sure, run FR in debug mode, and do a
> login-logout using a client (e.g. notebook) to the NAS (i.e. AP). FR
> should print out what packets it received. If it DOESN'T show any
> accounting packets, then your NAS doesn't send them, or hasn't been
> configured to do so.

I _guess_ it shows some accounting

rad_recv: Accounting-Request packet from host 194.124.158.62 port 47037, id=165, length=135
        Acct-Session-Id = "509ACAB9-000F"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        User-Name = "test"
        NAS-Port = 0
        Called-Station-Id = "50-67-F0-38-A9-E5:ZyXEL"
        Calling-Station-Id = "74-F0-6D-07-9B-91"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Identifier was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing 'NAS-Port = 0,,NAS-IP-Address = 194.124.158.62,Acct-Session-Id = "509ACAB9-000F",User-Name = "test"'
[acct_unique] Acct-Unique-Session-ID = "de12b16f3f8a6cf8".
++[acct_unique] returns ok
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]expand: %{Packet-Src-IP-Address} -> 194.124.158.62
[detail]expand: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/194.124.158.62/detail-20121108
[detail] /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/194.124.158.62/detail-20121108
[detail]expand: %t -> Thu Nov 8 10:22:38 2012
++[detail] returns ok
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
[sql] expand: %{Acct-Delay-Time} ->
[sql] ... expanding second conditional
[sql] expand:INSERT INTO radacct (acctsessionid,acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime,acctstoptime, acctsessiontime, acctauthentic,connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay,xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0'
Re: Mysql, Accounting and DialupAdmin
On Thu, Nov 8, 2012 at 2:08 PM, Erich Titl wrote:
>>> 2) I could see login and logout information, but no data usage, e.g.
>>> download and upload sizes appear to be zeroes.
>>
>> Some NAS (e.g. AP's flashed with dd-wrt) simply doesn't send
>> accounting packets. Blame your NAS :P
>
> :-(
>
> Do you have a recommendation for AP's that pass this information?
>
>> ... or to be more accurate, look at your NAS documentation (or ask
>> the vendor) how to get it to send accounting packets.
>
> It is a ZyXEL, so basically a black box, even to the local vendor.

Just to be sure, you HAVE enabled sql in accounting section, right?

If you want to be extra sure, run FR in debug mode, and do a login-logout using a client (e.g. notebook) to the NAS (i.e. AP). FR should print out what packets it received. If it DOESN'T show any accounting packets, then your NAS doesn't send them, or hasn't been configured to do so.

--
Fajar
Re: Mysql, Accounting and DialupAdmin
On Thu, Nov 8, 2012 at 2:43 PM, Erich Titl wrote:
> Hi Fajar
>
> on 08.11.2012 08:16, Fajar A. Nugraha wrote:
> ...
>
>>
>> IIRC only one of them will be used. I suggest you drop MD5 (since it's
>> useless for your purpose) and Cleartext (you don't want that, right?)
>> and verify you use the correct NT-Password (use "smbencrypt" if you
>> haven't already done so)
>
> Yes, it appears that authentication using NT-Password hash works fine
> for M$. What would be the least common setting in a multi vendor
> environment? I guess, OSX, for example, is using a different protocol.

Most other supplicants can use EAP-MSCHAPv2 just fine, so you shouldn't have any problems with other OS. NT-Password should work with PAP as well, so PAP and TTLS-PAP should also work, if you need to choose that for some reason.

Also note that storing NT-Passwords should be considered as insecure as storing cleartext password (since "cracking" MD4 hash is easy-enough), but at least you won't see the cleartext password in the database.

--
Fajar
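Added example, not part of the thread and not FreeRADIUS or smbencrypt code: it computes an NT-Password value (MD4 over the UTF-16LE password, no salt) with a self-contained MD4, then audits radcheck-style rows for cleartext and for identical NT hashes on different accounts. The function names and the "guest" row are constructed for illustration; the three "test" rows copy the radcheck table quoted in this thread.

```python
import struct
from collections import defaultdict

_MASK = 0xFFFFFFFF
# MD4 (RFC 1320): per round a boolean function, a constant, the message-word
# order and the four rotation amounts.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     list(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def _rol(value, bits):
    return ((value << bits) | (value >> (32 - bits))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4, used because hashlib may not ship it any more."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                t = (a + func(b, c, d) + x[k] + const) & _MASK
                a, b, c, d = d, _rol(t, shifts[i % 4]), b, c
        a, b = (a + aa) & _MASK, (b + bb) & _MASK
        c, d = (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT-Password value: MD4 of the UTF-16LE password, upper-case hex, unsalted."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Rows 1-3 are the radcheck rows quoted in the thread; "guest" is constructed.
RADCHECK = [
    ("test", "MD5-Password", "81dc9bdb52d04dc20036dbd8313ed055"),
    ("test", "NT-Password", "7CE21F17C0AEE7FB9CEBA532D0546AD6"),
    ("test", "Cleartext-Password", "1234"),
    ("guest", "NT-Password", "7CE21F17C0AEE7FB9CEBA532D0546AD6"),
]


def audit_radcheck(rows):
    """Return sorted (username, finding) pairs for risky credential rows."""
    findings = []
    users_by_hash = defaultdict(set)
    clear = {user: value for user, attr, value in rows
             if attr == "Cleartext-Password"}
    for user, attr, value in rows:
        if attr == "Cleartext-Password":
            findings.append((user, "cleartext password stored"))
        elif attr == "NT-Password":
            users_by_hash[value.upper()].add(user)
            # A hash kept beside its own cleartext protects nothing.
            if user in clear and nt_hash(clear[user]) == value.upper():
                findings.append((user, "NT hash stored next to its own cleartext"))
    # No salt: equal passwords give equal rows, visible to anyone reading the table.
    for users in users_by_hash.values():
        if len(users) > 1:
            findings.extend((u, "NT hash shared with another account") for u in users)
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_radcheck(RADCHECK):
        print(f"{user}: {finding}")
```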
Re: Mysql, Accounting and DialupAdmin
Hi Fajar

on 08.11.2012 08:16, Fajar A. Nugraha wrote:
...
>
> IIRC only one of them will be used. I suggest you drop MD5 (since it's
> useless for your purpose) and Cleartext (you don't want that, right?)
> and verify you use the correct NT-Password (use "smbencrypt" if you
> haven't already done so)

Yes, it appears that authentication using NT-Password hash works fine for M$. What would be the least common setting in a multi vendor environment? I guess, OSX, for example, is using a different protocol.

> 2) I could see login and logout information, but no data usage, e.g. download and upload sizes appear to be zeroes.
>>> ...
>>
>> It is a ZyXEL, so basically a black box, even to the local vendor.
>
>
> Then blame the vendor. Seriously.
>
> Why would you want to use something that even the local vendor can't support?
>

I am in an evaluation phase and this is a vendor with widespread acceptance here. Finding such a weakness is important as we will probably drop the product then. Unfortunately not everyone is really comfortable with open source products. This is just the kind of reality the vendors try to lock us in.

Thanks

Erich
Re: Mysql, Accounting and DialupAdmin
On Thu, Nov 8, 2012 at 2:08 PM, Erich Titl wrote:
> Thanks, I read that URL, actually that one guided me to enter a
> Cleartext Password at all.

See the column labeled "NT hash"?

>
> mysql> select * from radcheck;
> +----+----------+--------------------+----+----------------------------------+
> | id | username | attribute          | op | value                            |
> +----+----------+--------------------+----+----------------------------------+
> |  1 | test     | MD5-Password       | := | 81dc9bdb52d04dc20036dbd8313ed055 |
> |  2 | test     | NT-Password        | := | 7CE21F17C0AEE7FB9CEBA532D0546AD6 |
> |  3 | test     | Cleartext-Password | := | 1234                             |
> +----+----------+--------------------+----+----------------------------------+

IIRC only one of them will be used. I suggest you drop MD5 (since it's useless for your purpose) and Cleartext (you don't want that, right?) and verify you use the correct NT-Password (use "smbencrypt" if you haven't already done so)

>>> 2) I could see login and logout information, but no data usage, e.g.
>>> download and upload sizes appear to be zeroes.
>>
>> Some NAS (e.g. AP's flashed with dd-wrt) simply doesn't send
>> accounting packets. Blame your NAS :P
>
> :-(
>
> Do you have a recommendation for AP's that pass this information?

Nope. Sorry. Try looking at the archives, I think Cisco boxes sends them.

As an alternative, if you're fine with captive-portal setup, chillispot sends accounting packets just fine.

>> ... or to be more accurate, look at your NAS documentation (or ask
>> the vendor) how to get it to send accounting packets.
>
> It is a ZyXEL, so basically a black box, even to the local vendor.

Then blame the vendor. Seriously.

Why would you want to use something that even the local vendor can't support?

--
Fajar
Re: Mysql, Accounting and DialupAdmin
Hi Fajar

on 08.11.2012 03:35, Fajar A. Nugraha wrote:
> On Wed, Nov 7, 2012 at 10:16 PM, Erich Titl wrote:
>> Hi Folks
>>
>> I succeeded to get my set up running with FR 2.2.0 and Mysql, e.g. I can
>> connect through a ZyXEL NWA 3160 using credentials in the MySQL database
>> using a M$ Windows 7 client.
>>
>> Everything is still quite raw and blurry to me. Could someone point me
>> to the right docs for the following?
>>
>> 1) I had to enter cleartext password into the mysql database, apparently
>> other formats were not accepted
>
> Because you use Windows client, which defaults to EAP-MSCHAPv2. See
> http://deployingradius.com/documents/protocols/compatibility.html
> If your main concern is "I don't want to store cleartext password in
> db", you should be able to use NT-Password. Search the list archive,
> there's a recent thread about this.

Thanks, I read that URL, actually that one guided me to enter a Cleartext Password at all.

mysql> select * from radcheck;
+----+----------+--------------------+----+----------------------------------+
| id | username | attribute          | op | value                            |
+----+----------+--------------------+----+----------------------------------+
|  1 | test     | MD5-Password       | := | 81dc9bdb52d04dc20036dbd8313ed055 |
|  2 | test     | NT-Password        | := | 7CE21F17C0AEE7FB9CEBA532D0546AD6 |
|  3 | test     | Cleartext-Password | := | 1234                             |
+----+----------+--------------------+----+----------------------------------+

>
>>
>> 2) I could see login and logout information, but no data usage, e.g.
>> download and upload sizes appear to be zeroes.
>
> Some NAS (e.g. AP's flashed with dd-wrt) simply doesn't send
> accounting packets. Blame your NAS :P

:-(

Do you have a recommendation for AP's that pass this information?

> ... or to be more accurate, look at your NAS documentation (or ask
> the vendor) how to get it to send accounting packets.

It is a ZyXEL, so basically a black box, even to the local vendor.

Thanks

Erich
Re: Mysql, Accounting and DialupAdmin
On Wed, Nov 7, 2012 at 10:16 PM, Erich Titl wrote:
> Hi Folks
>
> I succeeded to get my set up running with FR 2.2.0 and Mysql, e.g. I can
> connect through a ZyXEL NWA 3160 using credentials in the MySQL database
> using a M$ Windows 7 client.
>
> Everything is still quite raw and blurry to me. Could someone point me
> to the right docs for the following?
>
> 1) I had to enter cleartext password into the mysql database, apparently
> other formats were not accepted

Because you use Windows client, which defaults to EAP-MSCHAPv2. See http://deployingradius.com/documents/protocols/compatibility.html

If your main concern is "I don't want to store cleartext password in db", you should be able to use NT-Password. Search the list archive, there's a recent thread about this.

>
> 2) I could see login and logout information, but no data usage, e.g.
> download and upload sizes appear to be zeroes.

Some NAS (e.g. AP's flashed with dd-wrt) simply doesn't send accounting packets. Blame your NAS :P

... or to be more accurate, look at your NAS documentation (or ask the vendor) how to get it to send accounting packets.

--
Fajar
Mysql, Accounting and DialupAdmin
Hi Folks

I succeeded to get my set up running with FR 2.2.0 and Mysql, e.g. I can connect through a ZyXEL NWA 3160 using credentials in the MySQL database using a M$ Windows 7 client.

Everything is still quite raw and blurry to me. Could someone point me to the right docs for the following?

1) I had to enter cleartext password into the mysql database, apparently other formats were not accepted

2) I could see login and logout information, but no data usage, e.g. download and upload sizes appear to be zeroes.

mysql> select username,acctstarttime,acctstoptime,acctoutputoctets,acctoutputoctets from radacct;
+----------+---------------------+---------------------+------------------+------------------+
| username | acctstarttime       | acctstoptime        | acctoutputoctets | acctoutputoctets |
+----------+---------------------+---------------------+------------------+------------------+
| test     | 2012-11-07 15:09:47 | 2012-11-07 15:15:48 |                0 |                0 |
| test     | 2012-11-07 15:15:48 | 2012-11-07 15:25:02 |                0 |                0 |
| test     | 2012-11-07 15:25:32 | 2012-11-07 15:41:52 |                0 |                0 |
+----------+---------------------+---------------------+------------------+------------------+

Thanks for hints

Erich Titl
Re: Ignoring too-frequent accounting packets from buggy NAS
On 26/10/12 15:03, Arran Cudbard-Bell wrote:
> On 26 Oct 2012, at 14:51, Phil Mayers wrote:
>> On 26/10/12 14:20, Arran Cudbard-Bell wrote:
>>> It can, see wiki :)
>>>
>>> http://wiki.freeradius.org/modules/Rlm_cache
>>>
>>> In fact it documents your *exact* use case with config examples and
>>> everything. *twilight zone music*
>>
>> Ha spooky!
>>
>> N.B. I note the module comments might confuse people, since it doesn't
>> mention being run in "accounting" but seems to support it.
>
> Ah yes, fixed the examples.

I was about to say "that worked like a charm" then radiusd segfaulted :o(

I'll try to get a core dump.
Re: Ignoring too-frequent accounting packets from buggy NAS
On 26 Oct 2012, at 14:51, Phil Mayers wrote:
> On 26/10/12 14:20, Arran Cudbard-Bell wrote:
>
>> It can, see wiki :)
>>
>> http://wiki.freeradius.org/modules/Rlm_cache
>>
>> In fact it documents your *exact* use case with config examples and
>> everything. *twilight zone music*
>
> Ha spooky!
>
> N.B. I note the module comments might confuse people, since it doesn't
> mention being run in "accounting" but seems to support it.

Ah yes, fixed the examples.

-Arran
Re: Ignoring too-frequent accounting packets from buggy NAS
On 26/10/12 14:20, Arran Cudbard-Bell wrote:
> It can, see wiki :)
>
> http://wiki.freeradius.org/modules/Rlm_cache
>
> In fact it documents your *exact* use case with config examples and
> everything. *twilight zone music*

Ha spooky!

N.B. I note the module comments might confuse people, since it doesn't mention being run in "accounting" but seems to support it.