(RADIATOR) Calling and Called-Station-Id accounting?

Hugh Irvine hugh at open.com.au
Thu Oct 16 01:09:02 CDT 2003


Hello Terry -

It is not you - it is the access point that is goofy - it is not returning the Class attribute in the accounting requests (which is quite broken). For the other problem, you should add quotes around the second part of the AddToReply:

        AddToReply Class = "Calling-Station-Id = %{Calling-Station-Id}"

Although if the access point doesn't include the Class attribute in the accounting requests this won't help I'm afraid. You should talk to your vendor and point out the error of their ways (this is a bug in my opinion).

I guess you could modify Mike's "eap_anon_hook.pl" as an alternative approach (it's in the "goodies").

regards

Hugh


On Thursday, Oct 16, 2003, at 13:16 Australia/Melbourne, Terry Simons wrote:

> Hugh,
>
> This doesn't seem to be working for me.
>
> Can you take a look at my debugging output and configuration?
>
> Here's what I'm seeing:
>
> Wed Oct 15 21:09:35 2003: DEBUG: Handling request with Handler ''
> Wed Oct 15 21:09:35 2003: DEBUG:  Deleting session for terry, 10.0.0.20,
> Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthFILE: FILE_AUTH
> Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE looks for match with terry
> Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE ACCEPT:
> Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
> Wed Oct 15 21:09:35 2003: DEBUG: EAP result: 0, EAP TTLS inner authentication redespatched to a Handler
> Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
> Wed Oct 15 21:09:35 2003: DEBUG: Packet dump:
> *** Sending to 10.0.0.20 port 1258 ....
> Code:       Access-Accept
> Identifier: 122
> Authentic:   
> <237>w<243><11>F<152>a<20><195><6><208><155><244><162>K<168>
> Attributes:
>         Class = "Calling-Station-Id = "
>         Class = "Calling-Station-Id = 00-30-65-1D-9E-A6"
>         MS-MPPE-Send-Key =  
> "<147><171><198>U<139>4<30><251><127><154><194>F><182><137><0><193><177 
> ><152>g<8><8><182><148>y<130><203>fp<30>z<191><249>K<129><247>B<132><18 
> 5>d<167><203><251><28><188><197><189><244>Eo"
>         MS-MPPE-Recv-Key =  
> "<181>R<190>Z{<246><210>9<136>2ij<204>1<240><207><169><200>lo<226><31>< 
> 255><139>T<9><132>'.<174><152>e"<151><153><177><221><190><184>ZCw<227>< 
> 206><160> J<252><199><130>"
>         EAP-Message = <3><6><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
> *** Received from 10.0.0.20 port 1259 ....
> Code:       Accounting-Request
> Identifier: 123
> Authentic:  <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
> Attributes:
>         Acct-Status-Type = Start
>         User-Name = "terry"
>         Acct-Session-Id = "000080480043"
>         NAS-IP-Address = 10.0.0.20
>         NAS-Port = 0
>         Acct-Authentic = RADIUS
>         NAS-Identifier = "WardriveMe"
>         Acct-Delay-Time = 0
>
> Wed Oct 15 21:09:36 2003: DEBUG: Handling request with Handler ''
> Wed Oct 15 21:09:36 2003: DEBUG:  Adding session for terry, 10.0.0.20, 0
> Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthSQL
> Wed Oct 15 21:09:36 2003: DEBUG: Handling accounting with Radius::AuthSQL
> Wed Oct 15 21:09:36 2003: DEBUG: do query is: 'insert into dot1xAccountingDB (Class) values('')':
>
> Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthFILE: FILE_AUTH
> Wed Oct 15 21:09:36 2003: DEBUG: Accounting accepted
> Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
> *** Sending to 10.0.0.20 port 1259 ....
> Code:       Accounting-Response
> Identifier: 123
> Authentic:  <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
> Attributes:
>
>
> If you look closely, you'll notice that the "Class" variable is printed twice. Once with a value, once without... this alone seems somewhat odd. Why is it getting displayed twice?
>
> Also, this information still isn't available to me for accounting, which is also apparent above. My attempt to account for '%{Class}' is turning up a NULL value.
>
> Am I doing something wrong, or is this just being goofy?
>
> It seems to be almost what I want, but not quite.
>
> Here is my test configuration:
>
> Foreground
> LogStdout
>
> LogDir          /usr/local/var/log/radius.log
> LogFile         %L/logfile
> DbDir           /usr/local/etc
> Trace           4
>
> AuthPort 1812
> AcctPort 1813
>
> <Client DEFAULT>
>         NoIgnoreDuplicates Access-Challenge
>         NoIgnoreDuplicates Access-Request
>         DupInterval 0
>         AddToRequest %{Class}
> </Client>
>
> <AuthBy SQL>
>         Identifier      ACCT_ONLY
>
>         DBSource        dbi:CSV:f_dir=/usr/local/var/log/radius.log/accounting/
>         DBUsername      NOT_NEEDED
>         DBAuth          NOT_NEEDED
>
>         AcctSQLStatement insert into dot1xAccountingDB \
>         (\
>         Class\
>         ) \
>         values\
>         (\
>         '%{Class}'\
>         )
>
>        AuthSelect
> </AuthBy>
>
> <AuthBy FILE>
>        Identifier FILE_AUTH
>        Filename                        /usr/local/etc/users
>        EAPType                         TTLS TLS MD5-Challenge MSCHAP-V2
>        EAPTLS_MaxFragmentSize          1024
>        EAPTLS_CAFile                   /etc/radiator/CA.pem
>        EAPTLS_CertificateType          PEM
>        EAPTLS_CertificateFile          /etc/radiator/Server.pem
>        EAPTLS_PrivateKeyFile           /etc/radiator/Server.pem
>        EAPTLS_PrivateKeyPassword       NOTMYPASSWORD
>
>        EAPTLS_SessionResumption 0
>        AutoMPPEKeys
>        AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}
> </AuthBy>
>
> <Handler TunneledByTTLS=1>
>     AuthBy         FILE_AUTH
> </Handler>
>
> <Handler>
>     AuthByPolicy    ContinueAlways
>
>     AuthBy         ACCT_ONLY
>
>     AuthBy         FILE_AUTH
> </Handler>
>
>
> On Oct 15, 2003, at 4:48 PM, Hugh Irvine wrote:
>
>>
>> Hello Terry -
>>
>> There are some useful tricks that you can employ in this situation.
>>
>> # define Client clause
>>
>> <Client ....>
>> 	Secret .....
>> 	AddToRequest %{Class}
>> 	.....
>> </Client>
>>
>> # define AuthBy clause
>>
>> <AuthBy ...>
>> 	Identifier MyAuthBy
>> 	.....
>> 	AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}, \
>> 					Called-Station-Id = %{Called-Station-Id}
>> </AuthBy>
>>
>> # define Realm of Handler
>>
>> <Handler ...>
>> 	AuthBy MyAuthBy
>> 	.....
>> </Handler>
>>
>>
>> regards
>>
>> Hugh
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
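The failure Hugh describes (the NAS not echoing the Class attribute it was handed in the Access-Accept) is easy to confirm from a trace 4 log. The following is an added checker, not code from the list post or from Radiator: it parses packet dumps in the shape shown above and reports, per NAS, whether the Class value sent in an Access-Accept reappears in that NAS's Accounting-Request. The trace text is constructed for the example.

```python
import re

# Constructed sample in the shape of a Radiator trace-4 packet dump (not the
# trace from the post): Access-Accept with Class, then accounting without it.
SAMPLE_TRACE = """\
*** Sending to 10.0.0.20 port 1258 ....
Code:       Access-Accept
Attributes:
        Class = "Calling-Station-Id = 00-30-65-1D-9E-A6"
*** Received from 10.0.0.20 port 1259 ....
Code:       Accounting-Request
Attributes:
        Acct-Status-Type = Start
        NAS-IP-Address = 10.0.0.20
"""

PKT_RE = re.compile(r'^\*\*\* (?:Sending to|Received from) (\S+) port \d+')
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')

def parse_packets(trace):
    """Split a packet dump into dicts of nas, code and {attr: [values]}."""
    packets, current = [], None
    for line in trace.splitlines():
        m = PKT_RE.match(line)
        if m:
            current = {'nas': m.group(1), 'code': None, 'attrs': {}}
            packets.append(current)
            continue
        if current is None:
            continue
        if line.startswith('Code:'):
            current['code'] = line.split(':', 1)[1].strip()
            continue
        a = ATTR_RE.match(line)
        if a:
            # Strip the surrounding quotes Radiator prints around string values
            current['attrs'].setdefault(a.group(1), []).append(a.group(2).strip().strip('"'))
    return packets

def check_class_echo(trace):
    """Return (nas, class_sent, class_echoed, ok) for each accounting request."""
    sent, findings = {}, []   # sent: nas -> Class values from its last Access-Accept
    for p in parse_packets(trace):
        if p['code'] == 'Access-Accept' and 'Class' in p['attrs']:
            sent[p['nas']] = p['attrs']['Class']
        elif p['code'] == 'Accounting-Request' and p['nas'] in sent:
            echoed = p['attrs'].get('Class', [])
            findings.append((p['nas'], sent[p['nas']], echoed, bool(echoed)))
    return findings
```

An `ok` of False for a NAS means the device dropped Class, so no AddToReply or %{Class} trick on the server side can recover it in accounting.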

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au