(RADIATOR) Calling and Called-Station-Id accounting?
Terry Simons
galimore at mac.com
Thu Oct 16 01:21:35 CDT 2003
Hugh,
This is actually that D-Link AP900+ that I've been testing...
I'll try the same thing with an AP-2000.
Might it be interesting to keep track of which devices are broken in
this regard?
If all else fails I'll take a look at the eap_anon_hooks.pl script. (I
had already started looking at that before I got your initial reply).
I'm not exactly sure how things fit together with that, but I guess
I'll learn. ;-)
Thanks!
- Terry
On Oct 16, 2003, at 12:09 AM, Hugh Irvine wrote:
>
> Hello Terry -
>
> It is not you - it is the access point that is goofy - it is not
> returning the Class attribute in the accounting requests (which is
> quite broken). For the other problem, you should add quotes around the
> second part of the AddToReply:
>
> AddToReply Class = "Calling-Station-Id = %{Calling-Station-Id}"
>
> Although if the access point doesn't include the Class attribute in
> the accounting requests this won't help I'm afraid. You should talk to
> your vendor and point out the error of their ways (this is a bug in my
> opinion).
>
> I guess you could modify Mike's "eap_anon_hook.pl" as an alternative
> approach (it's in the "goodies").
>
> regards
>
> Hugh
>
>
> On Thursday, Oct 16, 2003, at 13:16 Australia/Melbourne, Terry Simons
> wrote:
>
>> Hugh,
>>
>> This doesn't seem to be working for me.
>>
>> Can you take a look at my debugging output and configuration?
>>
>> Here's what I'm seeing:
>>
>> Wed Oct 15 21:09:35 2003: DEBUG: Handling request with Handler ''
>> Wed Oct 15 21:09:35 2003: DEBUG: Deleting session for terry,
>> 10.0.0.20,
>> Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthSQL
>> Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthFILE:
>> FILE_AUTH
>> Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE looks for match
>> with terry
>> Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE ACCEPT:
>> Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
>> Wed Oct 15 21:09:35 2003: DEBUG: EAP result: 0, EAP TTLS inner
>> authentication redespatched to a Handler
>> Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
>> Wed Oct 15 21:09:35 2003: DEBUG: Packet dump:
>> *** Sending to 10.0.0.20 port 1258 ....
>> Code: Access-Accept
>> Identifier: 122
>> Authentic:
>> <237>w<243><11>F<152>a<20><195><6><208><155><244><162>K<168>
>> Attributes:
>> Class = "Calling-Station-Id = "
>> Class = "Calling-Station-Id = 00-30-65-1D-9E-A6"
>> MS-MPPE-Send-Key =
>> "<147><171><198>U<139>4<30><251><127><154><194>F><182><137><0><193><17
>> 7><152>g<8><8><182><148>y<130><203>fp<30>z<191><249>K<129><247>B<132><
>> 185>d<167><203><251><28><188><197><189><244>Eo"
>> MS-MPPE-Recv-Key =
>> "<181>R<190>Z{<246><210>9<136>2ij<204>1<240><207><169><200>lo<226><31>
>> <255><139>T<9><132>'.<174><152>e"<151><153><177><221><190><184>ZCw<227
>> ><206><160> J<252><199><130>"
>> EAP-Message = <3><6><0><4>
>> Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
>> *** Received from 10.0.0.20 port 1259 ....
>> Code: Accounting-Request
>> Identifier: 123
>> Authentic: <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
>> Attributes:
>> Acct-Status-Type = Start
>> User-Name = "terry"
>> Acct-Session-Id = "000080480043"
>> NAS-IP-Address = 10.0.0.20
>> NAS-Port = 0
>> Acct-Authentic = RADIUS
>> NAS-Identifier = "WardriveMe"
>> Acct-Delay-Time = 0
>>
>> Wed Oct 15 21:09:36 2003: DEBUG: Handling request with Handler ''
>> Wed Oct 15 21:09:36 2003: DEBUG: Adding session for terry,
>> 10.0.0.20, 0
>> Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthSQL
>> Wed Oct 15 21:09:36 2003: DEBUG: Handling accounting with
>> Radius::AuthSQL
>> Wed Oct 15 21:09:36 2003: DEBUG: do query is: 'insert into
>> dot1xAccountingDB (Class) values('')':
>>
>> Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthFILE:
>> FILE_AUTH
>> Wed Oct 15 21:09:36 2003: DEBUG: Accounting accepted
>> Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
>> *** Sending to 10.0.0.20 port 1259 ....
>> Code: Accounting-Response
>> Identifier: 123
>> Authentic: <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
>> Attributes:
>>
>>
>> If you look closely, you'll notice that the "Class" variable is
>> printed twice. Once with a value, once without... this alone seems
>> somewhat odd. Why is it getting displayed twice?
>>
>> Also, this information still isn't available to me for accounting,
>> which is also apparent above. My attempt to account for '%{Class}'
>> is turning up a NULL value.
>>
>> Am I doing something wrong, or is this just being goofy?
>>
>> It seems to be almost what I want, but not quite.
>>
>> Here is my test configuration:
>>
>> Foreground
>> LogStdout
>>
>> LogDir /usr/local/var/log/radius.log
>> LogFile %L/logfile
>> DbDir /usr/local/etc
>> Trace 4
>>
>> AuthPort 1812
>> AcctPort 1813
>>
>> <Client DEFAULT>
>> NoIgnoreDuplicates Access-Challenge
>> NoIgnoreDuplicates Access-Request
>> DupInterval 0
>> AddToRequest %{Class}
>> </Client>
>>
>> <AuthBy SQL>
>> Identifier ACCT_ONLY
>>
>> DBSource
>> dbi:CSV:f_dir=/usr/local/var/log/radius.log/accounting/
>> DBUsername NOT_NEEDED
>> DBAuth NOT_NEEDED
>>
>> AcctSQLStatement insert into dot1xAccountingDB \
>> (\
>> Class\
>> ) \
>> values\
>> (\
>> '%{Class}'\
>> )
>>
>> AuthSelect
>> </AuthBy>
>>
>> <AuthBy FILE>
>> Identifier FILE_AUTH
>> Filename /usr/local/etc/users
>> EAPType TTLS TLS MD5-Challenge
>> MSCHAP-V2
>> EAPTLS_MaxFragmentSize 1024
>> EAPTLS_CAFile /etc/radiator/CA.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_CertificateFile /etc/radiator/Server.pem
>> EAPTLS_PrivateKeyFile /etc/radiator/Server.pem
>> EAPTLS_PrivateKeyPassword NOTMYPASSWORD
>>
>> EAPTLS_SessionResumption 0
>> AutoMPPEKeys
>> AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}
>> </AuthBy>
>>
>> <Handler TunneledByTTLS=1>
>> AuthBy FILE_AUTH
>> </Handler>
>>
>> <Handler>
>> AuthByPolicy ContinueAlways
>>
>> AuthBy ACCT_ONLY
>>
>> AuthBy FILE_AUTH
>> </Handler>
>>
>>
>> On Oct 15, 2003, at 4:48 PM, Hugh Irvine wrote:
>>
>>>
>>> Hello Terry -
>>>
>>> There are some useful tricks that you can employ in this situation.
>>>
>>> # define Client clause
>>>
>>> <Client ....>
>>> Secret .....
>>> AddToRequest %{Class}
>>> .....
>>> </Client>
>>>
>>> # define AuthBy clause
>>>
>>> <AuthBy ...>
>>> Identifier MyAuthBy
>>> .....
>>> AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}, \
>>> Called-Station-Id = %{Called-Station-Id}
>>> </AuthBy>
>>>
>>> # define Realm of Handler
>>>
>>> <Handler ...>
>>> AuthBy MyAuthBy
>>> .....
>>> </Handler>
>>>
>>>
>>> regards
>>>
>>> Hugh
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
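As an added illustration, not part of this thread or of Radiator, here is a small Python check that parses a trace-4 packet dump and flags NAS devices that were sent a Class in Access-Accept but never echo it in their Accounting-Requests (the behaviour Hugh describes above). The trace below is constructed from the thread's format; the second NAS (10.0.0.21) and its MAC are assumed values that show a conforming device.

```python
import re
from collections import defaultdict

# Constructed trace-4 excerpt modelled on the thread: NAS 10.0.0.20 is sent a
# Class in its Access-Accept but omits it from the Accounting-Request, while a
# second (constructed) NAS 10.0.0.21 echoes it back as RFC 2865 requires.
SAMPLE_TRACE = """\
*** Sending to 10.0.0.20 port 1258 ....
Code: Access-Accept
Attributes:
Class = "Calling-Station-Id = 00-30-65-1D-9E-A6"
*** Received from 10.0.0.20 port 1259 ....
Code: Accounting-Request
Attributes:
Acct-Status-Type = Start
*** Sending to 10.0.0.21 port 2000 ....
Code: Access-Accept
Attributes:
Class = "Calling-Station-Id = 00-11-22-33-44-55"
*** Received from 10.0.0.21 port 2001 ....
Code: Accounting-Request
Attributes:
Class = "Calling-Station-Id = 00-11-22-33-44-55"
"""

PKT_HDR = re.compile(r"^\*\*\* (?:Sending to|Received from) (\S+) port \d+")
ATTR = re.compile(r'^([\w-]+) = "?(.*?)"?$')  # Name = value, quotes optional

def parse_dump(text):  # -> [{"peer": ip, "code": str, "attrs": [(name, value)]}]
    packets, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := PKT_HDR.match(line):
            cur = {"peer": m.group(1), "code": None, "attrs": []}
            packets.append(cur)
        elif cur and line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif cur and (a := ATTR.match(line)):  # Identifier/Authentic/raw bytes skip
            cur["attrs"].append(a.groups())
    return packets

def nas_dropping_class(packets):  # peers whose accounting never echoes a sent Class
    sent, bad = defaultdict(set), set()
    for p in packets:  # dump is chronological: Access-Accept precedes its accounting
        cls = {v for k, v in p["attrs"] if k == "Class"}
        if p["code"] == "Access-Accept":
            sent[p["peer"]] |= cls
        elif p["code"] == "Accounting-Request" and sent[p["peer"]] and not sent[p["peer"]] & cls:
            bad.add(p["peer"])
    return sorted(bad)
```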
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.