Re: FreeRadius and PIX 520 accounting

2005-07-14 Thread lmarante

You're right, sorry

Here's what I get in my radius.log

Error: WARNING: Malformed RADIUS packet from host 172.17.: Vendor 
specific attributes do not exactly fill Vendor-Specific

That's the only error I get.






Alan DeKok [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
13/07/2005 10:34 p.m.
Please respond to FreeRadius users mailing list

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
cc:
Subject: Re: FreeRadius and PIX 520 accounting


[EMAIL PROTECTED] wrote:
 Last I checked, there was some kind of incompatibility between the packets 
 the firewall is sending and what FreeRadius is expecting to receive.

 some kind? Can you say what, exactly?

 If you can't say what the incompatibility is, there's no way of
knowing if the problem is fixed, or even can be fixed.

 Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
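
The radius.log warning quoted in the message above concerns how sub-attributes are packed inside a Vendor-Specific attribute (type 26): after the 4-byte vendor id, each type/length/value sub-attribute must end exactly where the enclosing attribute ends. The following Python is an added example, not FreeRADIUS source and not code from anyone in this thread; the function names are hypothetical, the two packets are constructed with a zeroed authenticator, and Cisco-AVPair is taken as vendor 9, vendor type 1.

```python
import struct

VENDOR_SPECIFIC = 26     # RADIUS attribute type (RFC 2865)
CISCO = 9                # Cisco's enterprise number
ACCOUNTING_REQUEST = 4   # RADIUS packet code

def tlv(atype, value):
    """Encode one type/length/value triple; the length covers the 2-byte header."""
    return bytes([atype, len(value) + 2]) + value

def packet(ident, attrs):
    """Constructed Accounting-Request; the authenticator is zeroed and not verified here."""
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs

def check_vsa(value):
    """Walk the sub-attributes after the vendor id; they must end exactly at the end."""
    if len(value) < 4:
        return ["Vendor-Specific too short to hold a vendor id"]
    vendor, sub, pos = struct.unpack("!I", value[:4])[0], value[4:], 0
    while pos < len(sub):
        slen = sub[pos + 1] if pos + 1 < len(sub) else 0
        if slen < 2 or pos + slen > len(sub):
            return [f"vendor {vendor}: sub-attributes do not exactly fill Vendor-Specific"]
        pos += slen
    return []

def check_packet(data):
    """Return a list of problems; an empty list means the attribute framing is consistent."""
    if len(data) < 20:
        return ["shorter than the 20-byte RADIUS header"]
    length = struct.unpack("!H", data[2:4])[0]
    if length < 20 or length > len(data):
        return ["header length field does not match the datagram"]
    problems, pos = [], 20
    while pos < length:
        alen = data[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            return problems + [f"attribute at offset {pos} overruns the packet"]
        if data[pos] == VENDOR_SPECIFIC:
            problems += check_vsa(data[pos + 2:pos + alen])
        pos += alen
    return problems

# Constructed samples: one Cisco-AVPair carrying a value that appears in the thread.
AVPAIR = b"ip:source-port=53"
GOOD = packet(17, tlv(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + tlv(1, AVPAIR)))
# Same payload, but the inner length byte is one short, leaving a stray trailing byte.
BAD = packet(17, tlv(VENDOR_SPECIFIC,
                     struct.pack("!I", CISCO) + bytes([1, len(AVPAIR) + 1]) + AVPAIR))

if __name__ == "__main__":
    print(check_packet(GOOD), check_packet(BAD))
```

Running the same walk over a captured accounting packet from the NAS shows which vendor id and which offset break the framing, which is the detail needed to tell a NAS encoding quirk from a server-side parsing limit.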



Re: FreeRadius and PIX 520 accounting

2005-07-14 Thread Dusty Doris
On Thu, 14 Jul 2005 [EMAIL PROTECTED] wrote:

 You're right, sorry

 Here's what I get in my radius.log

 Error: WARNING: Malformed RADIUS packet from host 172.17.: Vendor
 specific attributes do not exactly fill Vendor-Specific

 That's the only error I get.

Please run radius under debug mode (radiusd -X) and copy/paste the output
from when the packet comes in (so we can see all the attributes that are
sent) to where the error message occurs.




Re: FreeRadius and PIX 520 accounting

2005-07-14 Thread lmarante
OK, Last time I tried accounting was 2 years ago so I kinda forgot how to do it or what I did to get that error.

Today I enabled accounting in my PIX for all udp traffic (that would be ipsec) and in /usr/local/var/log/radius/radacct/mypixIP/ I got a file named detail-20050714 which has, for example these lines:

Thu Jul 14 10:38:25 2005
    Acct-Status-Type = Start
    NAS-Port = 0
    NAS-IP-Address = 172.17.0.50
    Login-IP-Host = 172.17.0.32
    Login-TCP-Port = 1433
    Acct-Session-Id = "0x01778531"
    User-Name = "sicslaag1"
    Cisco-AVPair = "ip:source-ip=192.168.128.3"
    Cisco-AVPair = "ip:source-port=1567"
    Cisco-AVPair = "ip:destination-ip=172.17.0.32"
    Cisco-AVPair = "ip:destination-port=1433"
    Client-IP-Address = 172.17.0.50
    Acct-Unique-Session-Id = "2a8ae9a2feb3e9e9"
    Timestamp = 1121348305

Thu Jul 14 10:38:26 2005
    Acct-Status-Type = Stop
    NAS-Port = 0
    NAS-IP-Address = 172.17.0.50
    Login-IP-Host = 172.17.0.32
    Login-TCP-Port = 1433
    Acct-Session-Id = "0x01778531"
    User-Name = "sicslaag1"
    Acct-Session-Time = 0
    Acct-Input-Octets = 710
    Acct-Output-Octets = 676
    Cisco-AVPair = "ip:source-ip=192.168.128.3"
    Cisco-AVPair = "ip:source-port=1567"
    Cisco-AVPair = "ip:destination-ip=172.17.0.32"
    Cisco-AVPair = "ip:destination-port=1433"
    Client-IP-Address = 172.17.0.50
    Acct-Unique-Session-Id = "2a8ae9a2feb3e9e9"
    Timestamp = 1121348306

Running radiusd -X would give me this (for another username):

rad_recv: Accounting-Request packet from host 172.17.0.50:1646, id=17, length=217
    Acct-Status-Type = Stop
    NAS-Port = 0
    NAS-IP-Address = 172.17.0.50
    Login-IP-Host = 172.17.0.17
    Login-TCP-Port = 53
    Acct-Session-Id = "0x01788b59"
    User-Name = "sicrgaag"
    Acct-Session-Time = 0
    Acct-Input-Octets = 0
    Acct-Output-Octets = 138
    Cisco-AVPair = "ip:source-ip=192.168.128.12"
    Cisco-AVPair = "ip:source-port=53"
    Cisco-AVPair = "ip:destination-ip=172.17.0.17"
    Cisco-AVPair = "ip:destination-port=53"
modcall: entering group preacct for request 1
modcall[preacct]: module "preprocess" returns noop for request 1
rlm_realm: No '@' in User-Name = "sicrgaag", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[preacct]: module "suffix" returns noop for request 1
modcall[preacct]: module "files" returns noop for request 1
modcall: group preacct returns noop for request 1
modcall: entering group accounting for request 1
rlm_acct_unique: WARNING: Attribute NAS-Port-Id was not found in request, uniqueID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 172.17.0.50,NAS-IP-Address = 172.17.0.50,Acct-Session-Id = "0x01788b59",User-Name = "sicrgaag"'
rlm_acct_unique: Acct-Unique-Session-ID = "b9222392a2ba67aa".
modcall[accounting]: module "acct_unique" returns ok for request 1
radius_xlat: '/usr/local/var/log/radius/radacct/172.17.0.50/detail-20050714'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.17.0.50/detail-20050714
modcall[accounting]: module "detail" returns ok for request 1
rlm_counter: Packet Unique ID = 'b9222392a2ba67aa'
rlm_counter: Could not find Service-Type attribute in the request. Returning NOOP.
modcall[accounting]: module "counter" returns noop for request 1
modcall: group accounting returns ok for request 1
Sending Accounting-Response of id 17 to 172.17.0.50:1646
Finished request 1
Going to the next request

Sorry for the LONG mail, but I don't really know if this means it's working now or it still isn't, but that's what I get.

Thanks, and again sorry for the long mail.

Lior

[EMAIL PROTECTED] wrote:
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
From: Dusty Doris [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 07/14/2005 10:03AM
Subject: Re: FreeRadius and PIX 520 accounting

On Thu, 14 Jul 2005 [EMAIL PROTECTED] wrote:

 You're right, sorry

 Here's what I get in my radius.log

 "Error: WARNING: Malformed RADIUS packet from host 172.17.: Vendor
 specific attributes do not exactly fill Vendor-Specific"

 That's the only error I get.

Please run radius under debug mode (radiusd -X) and copy/paste the output
from when the packet comes in (so we can see all the attributes that are
sent) to where the error message occurs.

Re: FreeRadius and PIX 520 accounting

2005-07-14 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Content-Type: text/html; charset=ISO-8859-1
 Content-Transfer-Encoding: base64
 
 PEZPTlQgZmFjZT0iRGVmYXVsdCBTYW5zIFNlcmlmLCBWZXJkYW5hLCBBcmlhbCwgSGVsdmV0aWNh

  Base64-encoding text is wrong.

  Sending HTML to the list is wrong.

  Please fix your mailer to send text, not broken nonsense.

  Alan DeKok.


FreeRadius and PIX 520 accounting

2005-07-13 Thread lmarante

Hello everyone

This subject was once asked but I've never seen a clear answer about it.

I'm using FreeRadius 0.9.3 to authenticate our VPN users connecting through our PIX 520 with OS version 6.3. I'd like to enable accounting also so I can restrict only one connection per user simultaneously.

Last I checked, there was some kind of incompatibility between the packets the firewall is sending and what FreeRadius is expecting to receive. I wanted to know if this is somehow patched in 1.0.4 or if it will still not work.

Also, if it's not fixed in freeradius, anyone knows if upgrading to the OS version 7 will fix it?

Thanks in advance.

Lior Marantenboim.

Re: FreeRadius and PIX 520 accounting

2005-07-13 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Last I checked, there was some kind of incompatibility between the packets 
 the firewall is sending and what FreeRadius is expecting to receive.

  some kind?  Can you say what, exactly?

  If you can't say what the incompatibility is, there's no way of
knowing if the problem is fixed, or even can be fixed.

  Alan DeKok.