Forward Accounting Packets to Fortiage - need help

Eby Mani eby_km at yahoo.com
Fri Apr 8 20:56:09 CEST 2016


Thanks, I should have provided more details earlier.

FreeRADIUS is configured with MySQL and users are authenticated using EAP-PEAP without certificates.
Once users are authenticated through RADIUS, an IP address is released through another DHCP server.

Issue 1,
When users are getting authenticated, FreeRADIUS isn't sending the Class attribute of the usergroup/user in the Access-Accept message. Only User-Name is sent to the NAS.

The NAS is configured to forward RADIUS accounting packets to the Fortigate, where the Fortigate gets only the authenticated username and IP address from the NAS. As FreeRADIUS is not sending Class attributes in Access-Accept, the NAS isn't sending any Class info to the Fortigate. Without usergroup info in the Class attribute, I can't provide RSSO based access to various networks.

While troubleshooting the NAS it was found that FreeRADIUS is sending Class attribute information in the Access-Challenge message!! Further troubleshooting on the RADIUS server revealed the following;

1, radtest from the server returns the Class attributes of the user/usergroup.
2, when running the server in debug mode and authenticating from the NAS, it doesn't.

Is this the default behaviour? How do I tell FreeRADIUS to send the Class attribute of the usergroup in Access-Accept?

Issue 2,
FreeRADIUS is not sending accounting copies to the Fortigate. I have added "realm {}" in proxy.conf, added "detailfile = ${radacctdir}/detail" in the detail file and included "update control {}" in the preacct section of the copy-acct-to-home-server file, and linked the same into the sites-enabled folder. I'm not sure if I have missed anything.

One might ask why send accounting again: the Fortigate can have only one RSSO Agent, thus sending accounting packets from multiple NAS is not possible. Also I'm planning to use some old gear that doesn't support sending accounting to another server. Sending accounting copies from FreeRADIUS will eliminate various admin overheads.

Config files attached.

Eby

--------------------------------------------
On Thu, 7/4/16, Alan DeKok <aland at deployingradius.com> wrote:

 Subject: Re: Forward Accounting Packets to Fortiage - need help
 To: "Eby Mani" <eby_km at yahoo.com>, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
 Date: Thursday, 7 April, 2016, 4:42 PM

 On Apr 7, 2016, at 11:37 AM, Eby Mani via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
 > 
 > Thanks Alan, the NAS and Fortigate do RADIUS.
 > 
 > The easiest way for me is to configure the NAS to forward RADIUS accounting packets to the Fortigate. But my FreeRADIUS is not sending Class attributes in Access-Accept to the NAS client, thus the NAS client isn't sending any Class info to the Fortigate.
 > 
 > However FreeRADIUS is sending Class attributes in Access-Challenge to the NAS!!!
 > 
 > Is there a command to include Class attributes in Access-Accept?

   Configure the server to send it.

   As always, run the server in debug mode, and READ IT.

   Also, describe what you're doing.  In detail.  Your questions are nearly content free.  We're not mind readers.  We don't know what you've configured.

   You don't say if you're using EAP or another authentication method.  Any answer to help you depends on knowing what you're actually doing.  Since we don't know what you're doing, we can't really help you.

  Alan DeKok.
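For readers following this thread, here is an added configuration sketch (not from the poster's attachments or the FreeRADIUS stock files verbatim) covering both issues: a PEAP section that copies the inner-tunnel reply, Class included, into the outer Access-Accept, and a detail-reader virtual server that proxies a copy of every accounting packet to the Fortigate. It assumes FreeRADIUS 3.0, that rlm_sql in the inner-tunnel is what adds Class, and that the home server address, secret, realm name and detail path are placeholders to be replaced; in 3.x the detail module's option is `filename`, not `detailfile`.

```unlang
# mods-available/eap (assumed 3.0): reply attributes that rlm_sql adds
# inside "inner-tunnel" stay there unless PEAP copies them outward.
peap {
    tls = tls-common
    default_eap_type = mschapv2
    virtual_server = "inner-tunnel"
    copy_request_to_tunnel = no
    # stock value is "no"; "yes" merges the inner reply (Class included)
    # into the outer Access-Accept sent to the NAS
    use_tunneled_reply = yes
}

# Constructed example row: what rlm_sql turns into a Class reply
# attribute for members of group "staff" (values are placeholders).
#   INSERT INTO radgroupreply (groupname, attribute, op, value)
#        VALUES ('staff', 'Class', ':=', 'staff');

# proxy.conf: the Fortigate as an accounting-only home server.
home_server fortigate-rsso {
    type   = acct
    ipaddr = 192.0.2.10        # placeholder
    port   = 1813
    secret = CHANGE-ME         # placeholder
}
home_server_pool fortigate-rsso {
    type        = fail-over
    home_server = fortigate-rsso
}
realm copy-acct {              # realm name is an assumption
    acct_pool = fortigate-rsso
    nostrip
}

# sites-available/copy-acct-to-home-server (symlink into sites-enabled):
# a detail listener re-reads the accounting log written by the default
# site and proxies each entry to the realm above.
server copy-acct-to-home-server {
    listen {
        type     = detail
        # must match the "filename" of the detail module instance the
        # default site calls in its accounting section (assumed path)
        filename = "${radacctdir}/detail"
        load_factor = 10
    }
    preacct {
        acct_unique
        update control {
            Proxy-To-Realm := "copy-acct"
        }
    }
    accounting {
        ok        # nothing logged locally; the packet is only proxied
    }
}
```

Run `radiusd -X` after the change: the outer Access-Accept in the debug output should now list Class, and the detail reader should log each entry being proxied to the realm.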
Attachments (text scrubbed by the list archive):
radiusd.txt: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160408/bb648bee/attachment.txt>
proxy.txt: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160408/bb648bee/attachment-0001.txt>
eap.txt: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160408/bb648bee/attachment-0002.txt>
detail.txt: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160408/bb648bee/attachment-0003.txt>
copy-acct-to-home-server.txt: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160408/bb648bee/attachment-0004.txt>
default.txt: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160408/bb648bee/attachment-0005.txt>
inner-tunnel.txt: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20160408/bb648bee/attachment-0006.txt>