(RADIATOR) Radius accounting
Hugh Irvine
hugh at open.com.au
Wed Aug 18 04:52:55 CDT 2004
Hello Antonio -
You should do something like this:
<Handler TunnelledByTTLS=1, Client-Identifier=LocalAPs>
RewriteUsername s/^([^@]+).*/$1/
UsernameCharset a-zA-Z0-9\._\@-
SessionDatabase session_MYSQL
AuthByPolicy ContinueWhileAccept
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy authby_MYSQL_eu
AuthBy authby_FILE_eu
AuthBy authby_FILE_locals
</AuthBy>
AuthBy getIPbyDHCP
AuthLog log_LocalUsers
</Handler>
regards
Hugh
On 17 Aug 2004, at 19:56, António Fernandes wrote:
> Hi Hugh,
> Olá Nuno,
>
> I'm currently working with the same environment and the accounting
> packets
> come through with octects in and out.
>
> As for DHCP server, I've come up with the following conf that I would
> like
> to validate with you. The purpose is for the Radiator get the IP from
> the
> DHCP (avoiding IP conflicts on a shared wired network) and then
> deliver it
> to the client...
> Is there anything I should take into account? Another thing: if is set
> "AuthByPolicy ContinueUntilAccept" does the last AuthBy getIPbyDHCP
> runs?
> Should I place "AuthByPolicy ContinueWhileAccept"? How would the
> following
> AuthBy behave in that scenario?
>
> <AddressAllocator DHCP>
> Identifier DHCPallocator
> # This is the target DHCP server
> Host 192.168.100.1
> DefaultLease 3600
> # This is the attribute to use for the DHCP server
> Client-Identifier
> field
> # Defaults to %{User-Name}
> #DHCPClientIdentifier %{User-Name}
> # ver
> http://www.mail-archive.com/dhcp-server@fugue.com/msg00303.html
> ServerPort 67
> ClientPort 68
> #SubnetSelectionOption 118
> SubnetSelectionOption 211
> </AddressAllocator>
> <AuthBy DYNADDRESS>
> Identifier getIPbyDHCP
> AddressAllocator DHCPallocator
> # The users file must have a field
> # PoolHint = 192.168.101.1
> PoolHint %{Reply:PoolHint}
> MapAttribute yiaddr, Framed-IP-Address
> MapAttribute subnetmask, Framed-IP-Netmask
> StripFromReply PoolHint
> </AuthBy>
>
> ...
>
> <Handler TunnelledByTTLS=1, Client-Identifier=LocalAPs>
> RewriteUsername s/^([^@]+).*/$1/
> UsernameCharset a-zA-Z0-9\._\@-
> SessionDatabase session_MYSQL
> AuthByPolicy ContinueUntilAccept
> AuthBy authby_MYSQL_eu
> AuthBy authby_FILE_eu
> AuthBy authby_FILE_locals
> AuthBy getIPbyDHCP
> AuthLog log_LocalUsers
> </Handler>
>
>
>
> Bye,
>
> António Fernandes
> Porto Management School
> University of Porto
>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> Behalf Of Hugh Irvine
> Sent: quinta-feira, 12 de Agosto de 2004 6:14
> To: Nuno Rodrigues
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Radius accounting
>
>
> Hello Nuno -
>
> If you are not receiving the accounting data from the access points it
> is a
> problem on the access point and you should check with Cisco for a fix.
>
> The debug log shows that you are receiving the accounting requests, so
> I
> don't think your theory is correct.
>
> regards
>
> Hugh
>
>
> On 11 Aug 2004, at 23:08, Nuno Rodrigues wrote:
>
>>
>> Hello,
>>
>> I have lots of Cisco AP1121G, that authenticating users on a radius
>> server (Radiator).
>> I need to make accounting of octets in and out per user, but i have
>> some problems with this.
>> In general, the accounting is working fine, but the APs dont send
>> some attributes that i need (Acct-Input-Octets, Acct-Output-Octets),
>> included in Accounting-Request (stop) Packets
>> (http://www.cisco.com/en/US/products/hw/wireless/ps4570/
>> products_configuration_guide_chapter09186a00802091b1.html).
>>
>> Someone can help me to find the problem?
>> I have a theory, but i don't know if is right: This attributes can't
>> be sent because the IP Address is assigned to clients by a third DHCP
>> Server (router cisco) and not by the Radius server. Could be by this?
>> How can i solve the problem?
>>
>> The Radius part of configuration of my APs:
>> ...
>> aaa new-model
>> !
>> !
>> aaa authentication login default local aaa authentication login
>> eap_methods group radius aaa authentication login mac_methods local
>> aaa authorization exec default local aaa authorization network
>> default group radius aaa accounting send stop-record authentication
>> failure aaa accounting update periodic 5 aaa accounting auth-proxy
>> default start-stop group radius aaa accounting exec default
>> start-stop group radius aaa accounting network default start-stop
>> group radius aaa accounting connection default start-stop group
>> radius aaa accounting system default start-stop group radius aaa
>> accounting resource default start-stop group radius aaa nas port
>> extended aaa session-id unique ...
>> ssid MySSID
>> vlan 150
>> authentication open eap eap_methods
>> accounting default
>> ...
>> ip radius source-interface BVI1
>> ...
>> radius-server host 172.1.0.1 auth-port 1812 acct-port 1813 key 7
>> xxxxxxxxxxxxxxxxxxxxx radius-server authorization permit missing
>> Service-Type radius-server vsa send accounting radius-server vsa
>> send authentication ...
>>
>> Extract of Radius Log:
>> ...
>> Sat Jul 31 19:05:58 2004
>> Acct-Session-Id = "000040F6"
>> Called-Station-Id = "000f.247a.c0c0"
>> Calling-Station-Id = "000d.88f4.0408"
>> cisco-avpair = "ssid=MySSID"
>> cisco-avpair = "nas-location=unspecified"
>> cisco-avpair = "connect-progress=Call Up"
>> Acct-Session-Time = 278
>> Acct-Authentic = RADIUS
>> User-Name = "nuno at ipb.pt"
>> Acct-Status-Type = Alive
>> NAS-Port-Type = Wireless-IEEE-802-11
>> Cisco-NAS-Port = "1315"
>> NAS-Port = 1315
>> Service-Type = Framed
>> NAS-IP-Address = 172.9.13.12
>> Acct-Delay-Time = 0
>> ssid = MySSID
>> nas-location = unspecified
>> connect-progress = Call Up
>> Timestamp = 1091297158
>> ...
>>
>> Thanks in advance!
>> Nuno.
>>
>> --
>> .................................................................
>> Nuno Rodrigues : nuno at ipb.pt : http://www.ipb.pt/~nuno Eq.
>> Assistente 2o Triénio : Dep. Informática e Comunicações :
>> ESTiG/IPB
>> Coordenador do Centro de Comunicações do IPB
>> .................................................................
>>
>> -- Archive at http://www.open.com.au/archives/radiator/ Announcements
>> on radiator-announce at open.com.au To unsubscribe, email
>> 'majordomo at open.com.au' with 'unsubscribe radiator' in the body of the
>> message.
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au To unsubscribe, email
> 'majordomo at open.com.au' with 'unsubscribe radiator' in the body of the
> message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list