(RADIATOR) Radius accounting

António Fernandes afernandes at egp.up.pt
Tue Aug 17 04:56:54 CDT 2004


Hi Hugh,
Hello Nuno,

I'm currently working with the same environment and the accounting packets
come through with octets in and out.

As for the DHCP server, I've come up with the following conf that I would like
to validate with you. The purpose is for Radiator to get the IP from the
DHCP (avoiding IP conflicts on a shared wired network) and then deliver it
to the client...
Is there anything I should take into account? Another thing: if
"AuthByPolicy ContinueUntilAccept" is set, does the last AuthBy getIPbyDHCP run?
Should I place "AuthByPolicy ContinueWhileAccept"? How would the following
AuthBy behave in that scenario?

<AddressAllocator DHCP>
        Identifier DHCPallocator
        # This is the target DHCP server
        Host 192.168.100.1
        DefaultLease 3600
        # This is the attribute to use for the DHCP server Client-Identifier field
        # Defaults to %{User-Name}
        #DHCPClientIdentifier %{User-Name}
        # see http://www.mail-archive.com/dhcp-server@fugue.com/msg00303.html
        ServerPort 67
        ClientPort 68
        #SubnetSelectionOption 118
        SubnetSelectionOption 211
</AddressAllocator>
<AuthBy DYNADDRESS>
        Identifier getIPbyDHCP
        AddressAllocator DHCPallocator
# The users file must have a field
# PoolHint = 192.168.101.1
        PoolHint %{Reply:PoolHint}
        MapAttribute yiaddr, Framed-IP-Address
        MapAttribute subnetmask, Framed-IP-Netmask
        StripFromReply PoolHint
</AuthBy>

...

<Handler TunnelledByTTLS=1, Client-Identifier=LocalAPs>
        RewriteUsername s/^([^@]+).*/$1/
        UsernameCharset a-zA-Z0-9\._\@-
        SessionDatabase session_MYSQL
        AuthByPolicy ContinueUntilAccept
        AuthBy authby_MYSQL_eu
        AuthBy authby_FILE_eu
        AuthBy authby_FILE_locals
        AuthBy getIPbyDHCP
        AuthLog log_LocalUsers
</Handler>



Bye,

António Fernandes
Porto Management School
University of Porto
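
The policy question asked above, worked through as an added example (not part of the original message and not Radiator code): a simplified model of how a Handler walks its AuthBy clauses under the two policies named in the message. The per-clause outcomes are constructed, the allocator clause is assumed to return ACCEPT when it gets a lease, and the nested group is modelled on Radiator's AuthBy GROUP clause.

```python
# Simplified model of an AuthBy chain walked under an AuthByPolicy.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# policy name -> "should the next AuthBy be tried after this result?"
POLICIES = {
    "ContinueUntilAccept": lambda r: r != ACCEPT,  # stop at the first accept
    "ContinueWhileAccept": lambda r: r == ACCEPT,  # stop at the first non-accept
}

def run_chain(policy, chain, outcomes, trace=None):
    """Walk `chain`; an item is an AuthBy name or a (policy, [items]) group.
    Returns (final_result, names of the AuthBy clauses that actually ran)."""
    trace = [] if trace is None else trace
    keep_going = POLICIES[policy]
    result = IGNORE
    for item in chain:
        if isinstance(item, tuple):            # nested group with its own policy
            result, _ = run_chain(item[0], item[1], outcomes, trace)
        else:
            trace.append(item)
            result = outcomes[item]
        if not keep_going(result):
            break
    return result, trace

AUTH = ["authby_MYSQL_eu", "authby_FILE_eu", "authby_FILE_locals"]
FLAT = AUTH + ["getIPbyDHCP"]                  # the Handler as posted
NESTED = [("ContinueUntilAccept", AUTH), "getIPbyDHCP"]  # auth grouped first

# Constructed outcomes: one user found in the second source, one found nowhere.
KNOWN_USER = {"authby_MYSQL_eu": REJECT, "authby_FILE_eu": ACCEPT,
              "authby_FILE_locals": REJECT, "getIPbyDHCP": ACCEPT}
UNKNOWN_USER = dict(KNOWN_USER, authby_FILE_eu=REJECT)

if __name__ == "__main__":
    for label, policy, chain in [
        ("flat, ContinueUntilAccept", "ContinueUntilAccept", FLAT),
        ("flat, ContinueWhileAccept", "ContinueWhileAccept", FLAT),
        ("nested, ContinueWhileAccept", "ContinueWhileAccept", NESTED),
    ]:
        for who, outcomes in [("known", KNOWN_USER), ("unknown", UNKNOWN_USER)]:
            print(label, who, run_chain(policy, chain, outcomes))
```

In this model the posted Handler never reaches getIPbyDHCP for a user who authenticates, and reaches it only when every authentication source has rejected; grouping the three sources under their own ContinueUntilAccept and running the outer chain with ContinueWhileAccept allocates an address only after a successful authentication.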


-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Hugh Irvine
Sent: Thursday, 12 August 2004 6:14
To: Nuno Rodrigues
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Radius accounting


Hello Nuno -

If you are not receiving the accounting data from the access points it is a
problem on the access point and you should check with Cisco for a fix.

The debug log shows that you are receiving the accounting requests, so I
don't think your theory is correct.

regards

Hugh


On 11 Aug 2004, at 23:08, Nuno Rodrigues wrote:

>
> Hello,
>
>  I have lots of Cisco AP1121G that authenticate users on a radius
> server (Radiator).
>  I need to make accounting of octets in and out per user, but I have
> some problems with this.
>  In general, the accounting is working fine, but the APs don't send
> some attributes that I need (Acct-Input-Octets, Acct-Output-Octets),
> included in Accounting-Request (stop) Packets
> (http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802091b1.html).
>
>  Can someone help me to find the problem?
>  I have a theory, but I don't know if it is right: these attributes can't
> be sent because the IP address is assigned to clients by a third DHCP
> server (router cisco) and not by the Radius server. Could that be the reason?
>  How can I solve the problem?
>
>  The Radius part of configuration of my APs:
>  ...
>  aaa new-model
>  !
>  !
>  aaa authentication login default local
>  aaa authentication login eap_methods group radius
>  aaa authentication login mac_methods local
>  aaa authorization exec default local
>  aaa authorization network default group radius
>  aaa accounting send stop-record authentication failure
>  aaa accounting update periodic 5
>  aaa accounting auth-proxy default start-stop group radius
>  aaa accounting exec default start-stop group radius
>  aaa accounting network default start-stop group radius
>  aaa accounting connection default start-stop group radius
>  aaa accounting system default start-stop group radius
>  aaa accounting resource default start-stop group radius
>  aaa nas port extended
>  aaa session-id unique
>  ...
>  ssid MySSID
>  vlan 150
>  authentication open eap eap_methods
>  accounting default
>  ...
>  ip radius source-interface BVI1
>  ...
>  radius-server host 172.1.0.1 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxx
>  radius-server authorization permit missing Service-Type
>  radius-server vsa send accounting
>  radius-server vsa send authentication
>  ...
>
>  Extract of Radius Log:
>  ...
>  Sat Jul 31 19:05:58 2004
>          Acct-Session-Id = "000040F6"
>          Called-Station-Id = "000f.247a.c0c0"
>          Calling-Station-Id = "000d.88f4.0408"
>          cisco-avpair = "ssid=MySSID"
>          cisco-avpair = "nas-location=unspecified"
>          cisco-avpair = "connect-progress=Call Up"
>          Acct-Session-Time = 278
>          Acct-Authentic = RADIUS
>          User-Name = "nuno at ipb.pt"
>          Acct-Status-Type = Alive
>          NAS-Port-Type = Wireless-IEEE-802-11
>          Cisco-NAS-Port = "1315"
>          NAS-Port = 1315
>          Service-Type = Framed
>          NAS-IP-Address = 172.9.13.12
>          Acct-Delay-Time = 0
>          ssid = MySSID
>          nas-location = unspecified
>          connect-progress = Call Up
>          Timestamp = 1091297158
>  ...
>
>  Thanks in advance!
>  Nuno.
>
> --
> .................................................................
>  Nuno Rodrigues : nuno at ipb.pt : http://www.ipb.pt/~nuno
>  Eq. Assistente 2o Triénio : Dep. Informática e Comunicações : ESTiG/IPB
>  Coordenador do Centro de Comunicações do IPB
> .................................................................
>
>  --
>  Archive at http://www.open.com.au/archives/radiator/
>  Announcements on radiator-announce at open.com.au
>  To unsubscribe, email 'majordomo at open.com.au' with
>  'unsubscribe radiator' in the body of the message.

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
