(RADIATOR) Calling and Called-Station-Id accounting?

Hugh Irvine hugh at open.com.au
Thu Oct 16 02:33:06 CDT 2003


Hi Terry -

On Thursday, Oct 16, 2003, at 16:21 Australia/Melbourne, Terry Simons  
wrote:

> Hugh,
>
> This is actually that D-Link AP900+ that I've been testing...
>

Yes I've got one here now as well, although I can't get it to work.

What is the magic incantation?

> I'll try the same thing with an AP-2000.
>

Yup.

> Might it be interesting to keep track if which devices are broken in  
> this regard?
>

Sadly this is impossible as there are new versions of firmware  
appearing for all vendors on a daily basis.

And most vendors seem to think that accounting is optional at best.

> If all else fails I'll take a look at the eap_anon_hooks.pl script.   
> (I had already started looking at that before I got your initial  
> reply).  I'm not exactly sure how things fit together with that, but I  
> guess I'll learn. ;-)
>

You just need to put the Calling-Station-Id and Called-Station-Id into  
a database table when you receive the access request, then retrieve  
them when you get the accounting requests. The example hook does the  
same thing for the username.

regards

Hugh


> Thanks!
>
> - Terry
>
> On Oct 16, 2003, at 12:09 AM, Hugh Irvine wrote:
>
>>
>> Hello Terry -
>>
>> It is not you - it is the access point that is goofy - it is not  
>> returning the Class attribute in the accounting requests (which is  
>> quite broken). For the other problem, you should add quotes around  
>> the second part of the AddToReply:
>>
>>        AddToReply Class = "Calling-Station-Id = %{Calling-Station-Id}"
>>
>> Although if the access point doesn't include the Class attribute in  
>> the accounting requests this won't help I'm afraid. You should talk  
>> to your vendor and point out the error of their ways (this is a bug  
>> in my opinion).
>>
>> I guess you could modify Mike's "eap_anon_hook.pl" as an alternative  
>> approach (it's in the "goodies").
>>
>> regards
>>
>> Hugh
>>
>>
>> On Thursday, Oct 16, 2003, at 13:16 Australia/Melbourne, Terry Simons  
>> wrote:
>>
>>> Hugh,
>>>
>>> This doesn't seem to be working for me.
>>>
>>> Can you take a look at my debugging output and configuration?
>>>
>>> Here's what I'm seeing:
>>>
>>> Wed Oct 15 21:09:35 2003: DEBUG: Handling request with Handler ''
>>> Wed Oct 15 21:09:35 2003: DEBUG:  Deleting session for terry,  
>>> 10.0.0.20,
>>> Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthSQL
>>> Wed Oct 15 21:09:35 2003: DEBUG: Handling with Radius::AuthFILE:  
>>> FILE_AUTH
>>> Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE looks for match  
>>> with terry
>>> Wed Oct 15 21:09:35 2003: DEBUG: Radius::AuthFILE ACCEPT:
>>> Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
>>> Wed Oct 15 21:09:35 2003: DEBUG: EAP result: 0, EAP TTLS inner  
>>> authentication redespatched to a Handler
>>> Wed Oct 15 21:09:35 2003: DEBUG: Access accepted for terry
>>> Wed Oct 15 21:09:35 2003: DEBUG: Packet dump:
>>> *** Sending to 10.0.0.20 port 1258 ....
>>> Code:       Access-Accept
>>> Identifier: 122
>>> Authentic:   
>>> <237>w<243><11>F<152>a<20><195><6><208><155><244><162>K<168>
>>> Attributes:
>>>         Class = "Calling-Station-Id = "
>>>         Class = "Calling-Station-Id = 00-30-65-1D-9E-A6"
>>>         MS-MPPE-Send-Key =  
>>> "<147><171><198>U<139>4<30><251><127><154><194>F><182><137><0><193><1 
>>> 77><152>g<8><8><182><148>y<130><203>fp<30>z<191><249>K<129><247>B<132 
>>> ><185>d<167><203><251><28><188><197><189><244>Eo"
>>>         MS-MPPE-Recv-Key =  
>>> "<181>R<190>Z{<246><210>9<136>2ij<204>1<240><207><169><200>lo<226><31 
>>> ><255><139>T<9><132>'.<174><152>e"<151><153><177><221><190><184>ZCw<2 
>>> 27><206><160> J<252><199><130>"
>>>         EAP-Message = <3><6><0><4>
>>>         Message-Authenticator =  
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
>>> *** Received from 10.0.0.20 port 1259 ....
>>> Code:       Accounting-Request
>>> Identifier: 123
>>> Authentic:  <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
>>> Attributes:
>>>         Acct-Status-Type = Start
>>>         User-Name = "terry"
>>>         Acct-Session-Id = "000080480043"
>>>         NAS-IP-Address = 10.0.0.20
>>>         NAS-Port = 0
>>>         Acct-Authentic = RADIUS
>>>         NAS-Identifier = "WardriveMe"
>>>         Acct-Delay-Time = 0
>>>
>>> Wed Oct 15 21:09:36 2003: DEBUG: Handling request with Handler ''
>>> Wed Oct 15 21:09:36 2003: DEBUG:  Adding session for terry,  
>>> 10.0.0.20, 0
>>> Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthSQL
>>> Wed Oct 15 21:09:36 2003: DEBUG: Handling accounting with  
>>> Radius::AuthSQL
>>> Wed Oct 15 21:09:36 2003: DEBUG: do query is: 'insert into  
>>> dot1xAccountingDB (Class) values('')':
>>>
>>> Wed Oct 15 21:09:36 2003: DEBUG: Handling with Radius::AuthFILE:  
>>> FILE_AUTH
>>> Wed Oct 15 21:09:36 2003: DEBUG: Accounting accepted
>>> Wed Oct 15 21:09:36 2003: DEBUG: Packet dump:
>>> *** Sending to 10.0.0.20 port 1259 ....
>>> Code:       Accounting-Response
>>> Identifier: 123
>>> Authentic:  <234><221><248>Lp<152><2><174><7><165>u<20>F<143>`r
>>> Attributes:
>>>
>>>
>>> If you look closely, you'll notice that the "Class" variable is  
>>> printed twice.  Once with a value, once without... this alone seems  
>>> somewhat odd.  Why is it getting displayed twice?
>>>
>>> Also, this information still isn't available to me for accounting,  
>>> which is also apparent above.  My attempt to account for '%{Class}'  
>>> is turning up a NULL value.
>>>
>>> Am I doing something wrong, or is this just being goofy?
>>>
>>> It seems to be almost what I want, but not quite.
>>>
>>> Here is my test configuration:
>>>
>>> Foreground
>>> LogStdout
>>>
>>> LogDir          /usr/local/var/log/radius.log
>>> LogFile         %L/logfile
>>> DbDir           /usr/local/etc
>>> Trace           4
>>>
>>> AuthPort 1812
>>> AcctPort 1813
>>>
>>> <Client DEFAULT>
>>>         NoIgnoreDuplicates Access-Challenge
>>>         NoIgnoreDuplicates Access-Request
>>>         DupInterval 0
>>>         AddToRequest %{Class}
>>> </Client>
>>>
>>> <AuthBy SQL>
>>>         Identifier      ACCT_ONLY
>>>
>>>         DBSource         
>>> dbi:CSV:f_dir=/usr/local/var/log/radius.log/accounting/
>>>         DBUsername      NOT_NEEDED
>>>         DBAuth          NOT_NEEDED
>>>
>>>         AcctSQLStatement insert into dot1xAccountingDB \
>>>         (\
>>>         Class\
>>>         ) \
>>>         values\
>>>         (\
>>>         '%{Class}'\
>>>         )
>>>
>>>        AuthSelect
>>> </AuthBy>
>>>
>>> <AuthBy FILE>
>>>        Identifier FILE_AUTH
>>>        Filename                        /usr/local/etc/users
>>>        EAPType                         TTLS TLS MD5-Challenge  
>>> MSCHAP-V2
>>>        EAPTLS_MaxFragmentSize          1024
>>>        EAPTLS_CAFile                   /etc/radiator/CA.pem
>>>        EAPTLS_CertificateType          PEM
>>>        EAPTLS_CertificateFile          /etc/radiator/Server.pem
>>>        EAPTLS_PrivateKeyFile           /etc/radiator/Server.pem
>>>        EAPTLS_PrivateKeyPassword       NOTMYPASSWORD
>>>
>>>        EAPTLS_SessionResumption 0
>>>        AutoMPPEKeys
>>>        AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}
>>> </AuthBy>
>>>
>>> <Handler TunneledByTTLS=1>
>>>     AuthBy         FILE_AUTH
>>> </Handler>
>>>
>>> <Handler>
>>>     AuthByPolicy    ContinueAlways
>>>
>>>     AuthBy         ACCT_ONLY
>>>
>>>     AuthBy         FILE_AUTH
>>> </Handler>
>>>
>>>
>>> On Oct 15, 2003, at 4:48 PM, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Terry -
>>>>
>>>> There are some useful tricks that you can employ in this situation.
>>>>
>>>> # define Client clause
>>>>
>>>> <Client ....>
>>>> 	Secret .....
>>>> 	AddToRequest %{Class}
>>>> 	.....
>>>> </Client>
>>>>
>>>> # define AuthBy clause
>>>>
>>>> <AuthBy ...>
>>>> 	Identifier MyAuthBy
>>>> 	.....
>>>> 	AddToReply Class = Calling-Station-Id = %{Calling-Station-Id}, \
>>>> 					Called-Station-Id = %{Called-Station-Id}
>>>> </AuthBy>
>>>>
>>>> # define Realm of Handler
>>>>
>>>> <Handler ...>
>>>> 	AuthBy MyAuthBy
>>>> 	.....
>>>> </Handler>
>>>>
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>
>>>
>>
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
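Hugh's advice above (store Calling-Station-Id and Called-Station-Id when the Access-Request arrives, retrieve them when the accounting packets arrive) as an added stand-alone Python model of that correlation logic; it is not a Radiator hook and not code from this thread or from the Radiator goodies. The packets are constructed from the trace in this thread (terry, 10.0.0.20, 00-30-65-1D-9E-A6); the Called-Station-Id value and the (NAS-IP-Address, User-Name) lookup key are assumptions.

```python
"""Model of the store-then-retrieve hook Hugh describes (added example)."""

# In-memory store: (NAS-IP-Address, User-Name) -> {attr: value}.
# Keying on NAS IP + user is an assumption; the trace shows no better
# common field, since the AP's Accounting-Request carries neither
# Class nor Calling-Station-Id.
_sessions: dict = {}
STATION_ATTRS = ("Calling-Station-Id", "Called-Station-Id")


def _key(pkt: dict):
    return (pkt.get("NAS-IP-Address"), pkt.get("User-Name"))


def handle(pkt: dict) -> dict:
    """Process one request given as an attribute dict with a 'Code' entry.

    Access-Request: remember the station IDs for this NAS/user pair.
    Accounting-Request: copy in any stored station ID the NAS omitted
    (never overwriting one it did send); forget the entry on Stop.
    Returns the possibly enriched packet.
    """
    code = pkt.get("Code")
    if code == "Access-Request":
        ids = {a: pkt[a] for a in STATION_ATTRS if a in pkt}
        if ids:
            _sessions[_key(pkt)] = ids
    elif code == "Accounting-Request":
        for attr, value in _sessions.get(_key(pkt), {}).items():
            pkt.setdefault(attr, value)
        if pkt.get("Acct-Status-Type") == "Stop":
            _sessions.pop(_key(pkt), None)
    return pkt


# Constructed packets modelled on the trace; Called-Station-Id is a
# made-up placeholder, as the trace never shows one.
ACCESS_REQ = {"Code": "Access-Request", "User-Name": "terry",
              "NAS-IP-Address": "10.0.0.20",
              "Calling-Station-Id": "00-30-65-1D-9E-A6",
              "Called-Station-Id": "00-00-00-00-00-00:WardriveMe"}
ACCT_START = {"Code": "Accounting-Request", "Acct-Status-Type": "Start",
              "User-Name": "terry", "NAS-IP-Address": "10.0.0.20",
              "Acct-Session-Id": "000080480043"}

if __name__ == "__main__":
    handle(dict(ACCESS_REQ))
    print(handle(dict(ACCT_START)))
```

An accounting packet that arrives with no matching Access-Request (a NAS reboot, for instance) is passed through unchanged, so the SQL insert would still see an empty value and should be checked for that.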

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.