freeRADIUS not sending accounting responses

Adrian Cowham adrian.cowham at gmail.com
Wed Sep 3 19:03:39 CEST 2008


Hello All,

I stumbled onto some unexpected behavior with freeRADIUS and I'm curious if
it's a mis-configuration or a defect. The first thing I did was comment out
all places where radutmp and sradutmp were being used. I don't use those
files so I figured I'd free up some resources by commenting them out. Upon
doing so, I noticed that freeRADIUS no longer sent accounting-response
packets to my NAS, everything else worked fine. However, when I ran radiusd
-X from the command line it sent accounting-responses, everything ran
perfectly. When I went back to running radiusd as a service, it no longer
sent accounting-responses.

To address the issue, I commented out the "unix" line in the accounting
module in radiusd.conf. My assumption is that since I commented out the
"radwtmp" line in the "unix" section but not the "unix" line in the
"accounting" section, radiusd is choking on processing accounting packets
because it can't find the radwtmp file. Mis-configuration on my part?

Below you'll find my freeRADIUS version, snippet from my radiusd.conf
causing the unexpected behavior containing the "unix" and "accounting"
sections, and lastly a snippet from the fixed version of radiusd.conf where
the "unix" line is commented out.

Any insight would be greatly appreciated. Thanks for your time.

FreeRADIUS Version
ProCurve NAC 800(ac-nac):~ # radiusd -version
radiusd: FreeRADIUS Version 1.1.6, for host i686-redhat-linux-gnu, built on
Jun  3 2008 at 10:26:23
Copyright (C) 2000-2007 The FreeRADIUS server project.

Snippet of problem radiusd.conf
Accounting and unix sections of my /etc/raddb/radiusd.conf

        unix {
                #
                #  Cache /etc/passwd, /etc/shadow, and /etc/group
                #
                #  The default is to NOT cache them.
                #
                #  For FreeBSD and NetBSD, you do NOT want to enable
                #  the cache, as its password lookups are done via a
                #  database, so set this value to 'no'.
                #
                #  Some systems (e.g. RedHat Linux with pam_pwbd) can
                #  take *seconds* to check a password, when the passwd
                #  file containing 1000's of entries.  For those systems,
                #  you should set the cache value to 'yes', and set
                #  the locations of the 'passwd', 'shadow', and 'group'
                #  files, below.
                #
                # allowed values: {no, yes}
                cache = no

                # Reload the cache every 600 seconds (10mins). 0 to disable.
                cache_reload = 600

                #
                #  Define the locations of the normal passwd, shadow, and
                #  group files.
                #
                #  'shadow' is commented out by default, because not all
                #  systems have shadow passwords.
                #
                #  To force the module to use the system password functions,
                #  instead of reading the files, leave the following entries
                #  commented out.
                #
                #  This is required for some systems, like FreeBSD,
                #  and Mac OSX.
                #
                passwd = /etc/passwd
                shadow = /etc/shadow
                group = /etc/group

                #
                #  The location of the "wtmp" file.
                #  This should be moved to its own module soon.
                #
                #  The only use for 'radlast'.  If you don't use
                #  'radlast', then you can comment out this item.
                #
                #radwtmp = ${logdir}/radwtmp
        }

accounting {
        #
        #  Create a 'detail'ed log of the packets.
        #  Note that accounting requests which are proxied
        #  are also logged in the detail file.
        $INCLUDE ${confdir}/hpidm.accounting.conf
        detail
        #daily

        #  Update the wtmp file
        #
        #  If you don't use "radlast", you can delete this line.
        unix

        #
        #  For Simultaneous-Use tracking.
        #
        #  Due to packet losses in the network, the data here
        #  may be incorrect.  There is little we can do about it.
        #radutmp
        #sradutmp

        #  Return an address to the IP Pool when we see a stop record.
        #       main_pool

        #
        #  Log traffic to an SQL database.
        #
        #  See "Accounting queries" in sql.conf
        #       sql


        #  Cisco VoIP specific bulk accounting
        #       pgsql-voip
}


Snippet from working radiusd.conf
accounting {
        #
        #  Create a 'detail'ed log of the packets.
        #  Note that accounting requests which are proxied
        #  are also logged in the detail file.
        $INCLUDE ${confdir}/hpidm.accounting.conf
        detail
        #daily

        #  Update the wtmp file
        #
        #  If you don't use "radlast", you can delete this line.
        #unix  COMMENTED OUT

        #
        #  For Simultaneous-Use tracking.
        #
        #  Due to packet losses in the network, the data here
        #  may be incorrect.  There is little we can do about it.
        #radutmp
        #sradutmp

        #  Return an address to the IP Pool when we see a stop record.
        #       main_pool

        #
        #  Log traffic to an SQL database.
        #
        #  See "Accounting queries" in sql.conf
        #       sql


        #  Cisco VoIP specific bulk accounting
        #       pgsql-voip
}
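
Added example, not part of the original post and not FreeRADIUS code: a small check for the combination the post describes, where "unix" is still listed in the accounting section while radwtmp is commented out in the unix section. Whether that combination is what stops the accounting responses is the poster's assumption; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample that mirrors the post's "problem" radiusd.conf.
SAMPLE_CONF = """\
unix {
        cache = no
        passwd = /etc/passwd
        #radwtmp = ${logdir}/radwtmp
}
accounting {
        detail
        unix
        #radutmp
        #sradutmp
}
"""

def parse_sections(text):
    """Map each 'name {' block to its active (uncommented) lines.

    Simplified: '#' always starts a comment and $INCLUDE is not followed.
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^([\w-]+)(?:\s+[\w-]+)?\s*\{$", line)
        if header:
            stack.append(header.group(1))
            sections.setdefault(header.group(1), [])
        elif line == "}":
            if stack:
                stack.pop()
        elif stack:
            sections[stack[-1]].append(line)
    return sections

def check_unix_accounting(text):
    """Return findings for 'unix' listed in accounting{} without radwtmp."""
    sections = parse_sections(text)
    calls_unix = "unix" in sections.get("accounting", [])
    has_radwtmp = any(re.match(r"radwtmp\s*=", l)
                      for l in sections.get("unix", []))
    if calls_unix and not has_radwtmp:
        return ["accounting{} lists 'unix' but unix{} sets no radwtmp"]
    return []

if __name__ == "__main__":
    print(check_unix_accounting(SAMPLE_CONF))
```

Because accounting records are the audit trail for sessions, running a check like this before restarting the service catches the mismatch without waiting for the NAS to report missing responses.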