(RADIATOR) Calling and Called-Station-Id accounting?

Terry Simons galimore at mac.com
Thu Oct 16 01:21:35 CDT 2003 

Hugh,

This is actually that D-Link AP900+ that I've been testing...

I'll try the same thing with an AP-2000.

Might it be interesting to keep track if which devices are broken in  
this regard?

If all else fails I'll take a look at the eap_anon_hooks.pl script.  (I  
had already started looking at that before I got your intial reply).   
I'm not exactly sure how things fit together with that, but I guess  
I'll learn. ;-)

Thanks!

- Terry

On Oct 16, 2003, at 12:09 AM, Hugh Irvine wrote:

>
> Hello Terry -
>
> It is not you - it is the access point that is goofy - it is not  
> returning the Class attribute in the accounting requests (which is  
> quite broken). For the other problem, you should add quotes around the  
> second part of the AddToReply:
>
>        AddToReply Class = "Calling-Station-Id = %{Calling-Station-Id}"
>
> Although if the access point doesn't include the Class attribute in  
> the accounting requests this won't help I'm afraid. You should talk to  
> your vendor and point out the error of their ways (this is a bug in my  
> opinion).
>
> I guess you could modify Mike's "eap_anon_hook.pl" as an alternative  
> approach (its in the "goodies").
>
> regards
>
> Hugh
>
>
> On Thursday, Oct 16, 2003, at 13:16 Australia/Melbourne, Terry Simons  
> wrote:
>
>> Hugh,
>>
>> This doesn't seem to be working for me.
>>
>> Can you take a look at my debugging output and configuration?
>>
>> Here's what I'm seeing:
>>
>> Wed Oct 15 21:09:35 2003: DEBUG: Handling request with Handler ''
>> Wed Oct 15 21:09:35 2003: DEBUG:  Deleting session for terry,  
>> 10.0.0.20,
>> Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthSQL
>> Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthFILE:  
>> FILE_AUTH
>> Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE looks for match  
>> with terry
>> Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE ACCEPT:
>> Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
>> Wed Oct 15 21:09:35 2003: DEBUG: EAP result: 0, EAP TTLS inner  
>> authentication redespatched to a Handler
>> Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
>> Wed Oct 15 21:09:35 2003: DEBUG: Packet dump:
>> *** Sending to 10.0.0.20 port 1258 ....
>> Code:       Access-Accept
>> Identifier: 122
>> Authentic:   
>> <237>w<243><11>F<152>a<20><195><6><208><155><244><162>K<168>
>> Attributes:
>>         Class = "Calling-Station-Id = "
>>         Class = "Calling-Station-Id = 00-30-65-1D-9E-A6"
>>         MS-MPPE-Send-Key =  
>> "<147><171><198>U<139>4<30><251><127><154><194>F><182><137><0><193><17 
>> 7><152>g<8><8><182><148>y<130><203>fp<30>z<191><249>K<129><247>B<132>< 
>> 185>d<167><203><251><28><188><197><189><244>Eo"
>>         MS-MPPE-Recv-Key =  
>> "<181>R<190>Z{<246><210>9<136>2ij<204>1<240><207><169><200>lo<226><31> 
>> <255><139>T<9><132>'.<174><152>e"<151><153><177><221><190><184>ZCw<227 
>> ><206><160> J<252><199><130>"
>>         EAP-Message = <3><6><0><4>
>>         Message-Authenticator =  
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
>> *** Received from 10.0.0.20 port 1259 ....
>> Code:       Accounting-Request
>> Identifier: 123
>> Authentic:  <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
>> Attributes:
>>         Acct-Status-Type = Start
>>         User-Name = "terry"
>>         Acct-Session-Id = "000080480043"
>>         NAS-IP-Address = 10.0.0.20
>>         NAS-Port = 0
>>         Acct-Authentic = RADIUS
>>         NAS-Identifier = "WardriveMe"
>>         Acct-Delay-Time = 0
>>
>> Wed Oct 15 21:09:36 2003: DEBUG: Handling request with Handler ''
>> Wed Oct 15 21:09:36 2003: DEBUG:  Adding session for terry,  
>> 10.0.0.20, 0
>> Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthSQL
>> Wed Oct 15 21:09:36 2003: DEBUG: Handling accounting with  
>> Radius::AuthSQL
>> Wed Oct 15 21:09:36 2003: DEBUG: do query is: 'insert into  
>> dot1xAccountingDB (Class) values('')':
>>
>> Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthFILE:  
>> FILE_AUTH
>> Wed Oct 15 21:09:36 2003: DEBUG: Accounting accepted
>> Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
>> *** Sending to 10.0.0.20 port 1259 ....
>> Code:       Accounting-Response
>> Identifier: 123
>> Authentic:  <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
>> Attributes:
>>
>>
>> If you look closely, you'll notice that the "Class" variable is  
>> printed twice.  Once with a value, once without... this alone seems  
>> somewhat odd.  Why is it getting displayed twice?
>>
>> Also, this information still isn't available to me for accounting,  
>> which is also apparent above.  My attempt to account for '%{Class}'  
>> is turning up a NULL value.
>>
>> Am I doing something wrong, or is this just being goofy?
>>
>> It seems to be almost what I want, but not quite.
>>
>> Here is my test configuration:
>>
>> Foreground
>> LogStdout
>>
>> LogDir          /usr/local/var/log/radius.log
>> LogFile         %L/logfile
>> DbDir           /usr/local/etc
>> Trace           4
>>
>> AuthPort 1812
>> AcctPort 1813
>>
>> <Client DEFAULT>
>>         NoIgnoreDuplicates Access-Challenge
>>         NoIgnoreDuplicates Access-Request
>>         DupInterval 0
>>         AddToRequest %{Class}
>> </Client>
>>
>> <AuthBy SQL>
>>         Identifier      ACCT_ONLY
>>
>>         DBSource         
>> dbi:CSV:f_dir=/usr/local/var/log/radius.log/accounting/
>>         DBUsername      NOT_NEEDED
>>         DBAuth          NOT_NEEDED
>>
>>         AcctSQLStatement insert into dot1xAccountingDB \
>>         (\
>>         Class\
>>         ) \
>>         values\
>>         (\
>>         '%{Class}'\
>>         )
>>
>>        AuthSelect
>> </AuthBy>
>>
>> <AuthBy FILE>
>>        Identifier FILE_AUTH
>>        Filename                        /usr/local/etc/users
>>        EAPType                         TTLS TLS MD5-Challenge  
>> MSCHAP-V2
>>        EAPTLS_MaxFragmentSize          1024
>>        EAPTLS_CAFile                   /etc/radiator/CA.pem
>>        EAPTLS_CertificateType          PEM
>>        EAPTLS_CertificateFile          /etc/radiator/Server.pem
>>        EAPTLS_PrivateKeyFile           /etc/radiator/Server.pem
>>        EAPTLS_PrivateKeyPassword       NOTMYPASSWORD
>>
>>        EAPTLS_SessionResumption 0
>>        AutoMPPEKeys
>>        AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}
>> </AuthBy>
>>
>> <Handler TunneledByTTLS=1>
>>     AuthBy         FILE_AUTH
>> </Handler>
>>
>> <Handler>
>>     AuthByPolicy    ContinueAlways
>>
>>     AuthBy         ACCT_ONLY
>>
>>     AuthBy         FILE_AUTH
>> </Handler>
>>
>>
>> On Oct 15, 2003, at 4:48 PM, Hugh Irvine wrote:
>>
>>>
>>> Hello Terry -
>>>
>>> There are some useful tricks that you can employ in this situation.
>>>
>>> # define Client clause
>>>
>>> <Client ....>
>>> 	Secret .....
>>> 	AddToRequest %{Class}
>>> 	.....
>>> </Client>
>>>
>>> # define AuthBy clause
>>>
>>> <AuthBy ...>
>>> 	Identifier MyAuthBy
>>> 	.....
>>> 	AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}, \
>>> 					Called-Station-Id = %{Called-Station-Id}
>>> </AuthBy>
>>>
>>> # define Realm of Handler
>>>
>>> <Handler ...>
>>> 	AuthBy MyAuthBy
>>> 	.....
>>> </Handler>
>>>
>>>
>>> regards
>>>
>>> Hugh
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list