(RADIATOR) Calling and Called-Station-Id accounting?
Hugh Irvine
hugh at open.com.au
Thu Oct 16 02:33:06 CDT 2003
Hi Terry -
On Thursday, Oct 16, 2003, at 16:21 Australia/Melbourne, Terry Simons
wrote:
> Hugh,
>
> This is actually that D-Link AP900+ that I've been testing...
>
Yes I 've got one here now as well, although I can't get it to work.
What is the magic incantation?
> I'll try the same thing with an AP-2000.
>
Yup.
> Might it be interesting to keep track if which devices are broken in
> this regard?
>
Sadly this is impossible as there are new versions of firmware
appearing for all vendors on a daily basis.
And most vendors seem to think that accounting is optional at best.
> If all else fails I'll take a look at the eap_anon_hooks.pl script.
> (I had already started looking at that before I got your intial
> reply). I'm not exactly sure how things fit together with that, but I
> guess I'll learn. ;-)
>
You just need to put the Calling-Station-Id and Called-Station-Id into
a database table when you receive the access request, then retrieve
them when you get the accounting requests. The example hook does the
same thing for the username.
regards
Hugh
> Thanks!
>
> - Terry
>
> On Oct 16, 2003, at 12:09 AM, Hugh Irvine wrote:
>
>>
>> Hello Terry -
>>
>> It is not you - it is the access point that is goofy - it is not
>> returning the Class attribute in the accounting requests (which is
>> quite broken). For the other problem, you should add quotes around
>> the second part of the AddToReply:
>>
>> AddToReply Class = "Calling-Station-Id = %{Calling-Station-Id}"
>>
>> Although if the access point doesn't include the Class attribute in
>> the accounting requests this won't help I'm afraid. You should talk
>> to your vendor and point out the error of their ways (this is a bug
>> in my opinion).
>>
>> I guess you could modify Mike's "eap_anon_hook.pl" as an alternative
>> approach (its in the "goodies").
>>
>> regards
>>
>> Hugh
>>
>>
>> On Thursday, Oct 16, 2003, at 13:16 Australia/Melbourne, Terry Simons
>> wrote:
>>
>>> Hugh,
>>>
>>> This doesn't seem to be working for me.
>>>
>>> Can you take a look at my debugging output and configuration?
>>>
>>> Here's what I'm seeing:
>>>
>>> Wed Oct 15 21:09:35 2003: DEBUG: Handling request with Handler ''
>>> Wed Oct 15 21:09:35 2003: DEBUG: Deleting session for terry,
>>> 10.0.0.20,
>>> Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthSQL
>>> Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthFILE:
>>> FILE_AUTH
>>> Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE looks for match
>>> with terry
>>> Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE ACCEPT:
>>> Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
>>> Wed Oct 15 21:09:35 2003: DEBUG: EAP result: 0, EAP TTLS inner
>>> authentication redespatched to a Handler
>>> Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
>>> Wed Oct 15 21:09:35 2003: DEBUG: Packet dump:
>>> *** Sending to 10.0.0.20 port 1258 ....
>>> Code: Access-Accept
>>> Identifier: 122
>>> Authentic:
>>> <237>w<243><11>F<152>a<20><195><6><208><155><244><162>K<168>
>>> Attributes:
>>> Class = "Calling-Station-Id = "
>>> Class = "Calling-Station-Id = 00-30-65-1D-9E-A6"
>>> MS-MPPE-Send-Key =
>>> "<147><171><198>U<139>4<30><251><127><154><194>F><182><137><0><193><1
>>> 77><152>g<8><8><182><148>y<130><203>fp<30>z<191><249>K<129><247>B<132
>>> ><185>d<167><203><251><28><188><197><189><244>Eo"
>>> MS-MPPE-Recv-Key =
>>> "<181>R<190>Z{<246><210>9<136>2ij<204>1<240><207><169><200>lo<226><31
>>> ><255><139>T<9><132>'.<174><152>e"<151><153><177><221><190><184>ZCw<2
>>> 27><206><160> J<252><199><130>"
>>> EAP-Message = <3><6><0><4>
>>> Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
>>> *** Received from 10.0.0.20 port 1259 ....
>>> Code: Accounting-Request
>>> Identifier: 123
>>> Authentic: <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
>>> Attributes:
>>> Acct-Status-Type = Start
>>> User-Name = "terry"
>>> Acct-Session-Id = "000080480043"
>>> NAS-IP-Address = 10.0.0.20
>>> NAS-Port = 0
>>> Acct-Authentic = RADIUS
>>> NAS-Identifier = "WardriveMe"
>>> Acct-Delay-Time = 0
>>>
>>> Wed Oct 15 21:09:36 2003: DEBUG: Handling request with Handler ''
>>> Wed Oct 15 21:09:36 2003: DEBUG: Adding session for terry,
>>> 10.0.0.20, 0
>>> Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthSQL
>>> Wed Oct 15 21:09:36 2003: DEBUG: Handling accounting with
>>> Radius::AuthSQL
>>> Wed Oct 15 21:09:36 2003: DEBUG: do query is: 'insert into
>>> dot1xAccountingDB (Class) values('')':
>>>
>>> Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthFILE:
>>> FILE_AUTH
>>> Wed Oct 15 21:09:36 2003: DEBUG: Accounting accepted
>>> Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
>>> *** Sending to 10.0.0.20 port 1259 ....
>>> Code: Accounting-Response
>>> Identifier: 123
>>> Authentic: <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
>>> Attributes:
>>>
>>>
>>> If you look closely, you'll notice that the "Class" variable is
>>> printed twice. Once with a value, once without... this alone seems
>>> somewhat odd. Why is it getting displayed twice?
>>>
>>> Also, this information still isn't available to me for accounting,
>>> which is also apparent above. My attempt to account for '%{Class}'
>>> is turning up a NULL value.
>>>
>>> Am I doing something wrong, or is this just being goofy?
>>>
>>> It seems to be almost what I want, but not quite.
>>>
>>> Here is my test configuration:
>>>
>>> Foreground
>>> LogStdout
>>>
>>> LogDir /usr/local/var/log/radius.log
>>> LogFile %L/logfile
>>> DbDir /usr/local/etc
>>> Trace 4
>>>
>>> AuthPort 1812
>>> AcctPort 1813
>>>
>>> <Client DEFAULT>
>>> NoIgnoreDuplicates Access-Challenge
>>> NoIgnoreDuplicates Access-Request
>>> DupInterval 0
>>> AddToRequest %{Class}
>>> </Client>
>>>
>>> <AuthBy SQL>
>>> Identifier ACCT_ONLY
>>>
>>> DBSource
>>> dbi:CSV:f_dir=/usr/local/var/log/radius.log/accounting/
>>> DBUsername NOT_NEEDED
>>> DBAuth NOT_NEEDED
>>>
>>> AcctSQLStatement insert into dot1xAccountingDB \
>>> (\
>>> Class\
>>> ) \
>>> values\
>>> (\
>>> '%{Class}'\
>>> )
>>>
>>> AuthSelect
>>> </AuthBy>
>>>
>>> <AuthBy FILE>
>>> Identifier FILE_AUTH
>>> Filename /usr/local/etc/users
>>> EAPType TTLS TLS MD5-Challenge
>>> MSCHAP-V2
>>> EAPTLS_MaxFragmentSize 1024
>>> EAPTLS_CAFile /etc/radiator/CA.pem
>>> EAPTLS_CertificateType PEM
>>> EAPTLS_CertificateFile /etc/radiator/Server.pem
>>> EAPTLS_PrivateKeyFile /etc/radiator/Server.pem
>>> EAPTLS_PrivateKeyPassword NOTMYPASSWORD
>>>
>>> EAPTLS_SessionResumption 0
>>> AutoMPPEKeys
>>> AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}
>>> </AuthBy>
>>>
>>> <Handler TunneledByTTLS=1>
>>> AuthBy FILE_AUTH
>>> </Handler>
>>>
>>> <Handler>
>>> AuthByPolicy ContinueAlways
>>>
>>> AuthBy ACCT_ONLY
>>>
>>> AuthBy FILE_AUTH
>>> </Handler>
>>>
>>>
>>> On Oct 15, 2003, at 4:48 PM, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Terry -
>>>>
>>>> There are some useful tricks that you can employ in this situation.
>>>>
>>>> # define Client clause
>>>>
>>>> <Client ....>
>>>> Secret .....
>>>> AddToRequest %{Class}
>>>> .....
>>>> </Client>
>>>>
>>>> # define AuthBy clause
>>>>
>>>> <AuthBy ...>
>>>> Identifier MyAuthBy
>>>> .....
>>>> AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}, \
>>>> Called-Station-Id = %{Called-Station-Id}
>>>> </AuthBy>
>>>>
>>>> # define Realm of Handler
>>>>
>>>> <Handler ...>
>>>> AuthBy MyAuthBy
>>>> .....
>>>> </Handler>
>>>>
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>>
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list