Where are these "Client-IP-Address = 127.0.0.1" messages coming from?

Matthew Schumacher matt.s at aptalaska.net
Thu Jan 12 21:37:24 CET 2006 

Lewis Bergman wrote:
> Matthew Schumacher wrote:
> 
>> Lewis Bergman wrote:
>>
>>> Matthew Schumacher wrote:
>>>
>>>
>>>> I'm getting accounting messages like these that seem to be coming from
>>>> the loopback interface, but `tcpdump -i lo` doesn't see them so they
>>>> are
>>>> not coming from a local client.  If they are not coming from a local
>>>> client then how can I figure out where they are coming from?
>>>>
>>>> Thu Jan 12 07:19:58 2006
>>>>        Acct-Status-Type = Stop
>>>>        NAS-IP-Address = x.x.x.x      (legit nas IP)
>>>>        Acct-Delay-Time = 0
>>>>        User-Name = "user"
>>>>        NAS-Port = 536936515
>>>>        Acct-Session-Id = "0A000067"
>>>>        Service-Type = Framed-User
>>>>        Framed-Protocol = PPP
>>>>        Framed-IP-Address = x.x.x.x    (legit Framed-IP-Address)
>>>>        Acct-Session-Time = 0
>>>>        Acct-Input-Octets = 0
>>>>        Acct-Output-Octets = 0
>>>>        Acct-Input-Packets = 0
>>>>        Acct-Output-Packets = 0
>>>>        Client-IP-Address = 127.0.0.1
>>>>        Acct-Unique-Session-Id = "1cc41474b27ed376"
>>>>        Timestamp = 1137082798
>>>
>>>
> 
> I assumed when you marked the NAS ip as legit, that the actual value in
> that field is a legit IP that you have listed in your clients.conf file.
> If that is the case, then that is where the packet originated from. My
> NAS's report the client IP as the NAS address if I log in from the network.
> Login-IP-Host = <ip of router>
> Client-IP-Address = <IP of NAS IP>
> 
> I think I remember if I logged in from the console port that it reports
> the Client address as the loopback.

According to the freeradius documentation and the code the
Client-IP-Address attribute always records the source address of the
packet, and the NAS-IP-Address is provided by the NAS, and if it isn't
freeradius puts in the source address.

This means that the log above states that a packet with the
NAS-IP-Address of a legit nas was sourced from 127.0.0.1 which is not
possible since I don't have a client running on the local machine which
is confirmed by the lack of packets shown in tcpdump.

At this point I am starting to think there is a bug in freeradius where
the Client-IP-Address gets recorded incorrectly.

If you login to the serial port of your nas then you could see the
NAS-IP-Address as 127.0.0.1 but you should never see a Client-IP-Address
of 127.0.0.1 unless the client sourced it's packet from the radius
servers loopback interface.

schu

More information about the Freeradius-Users mailing list