Matthew Schumacher wrote:
Lewis Bergman wrote:
Matthew Schumacher wrote:
I'm getting accounting messages like these that seem to be coming from the loopback interface, but `tcpdump -i lo` doesn't see them so they are not coming from a local client. If they are not coming from a local client then how can I figure out where they are coming from?
Thu Jan 12 07:19:58 2006 Acct-Status-Type = Stop NAS-IP-Address = x.x.x.x (legit nas IP) Acct-Delay-Time = 0 User-Name = "user" NAS-Port = 536936515 Acct-Session-Id = "0A000067" Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = x.x.x.x (legit Framed-IP-Address) Acct-Session-Time = 0 Acct-Input-Octets = 0 Acct-Output-Octets = 0 Acct-Input-Packets = 0 Acct-Output-Packets = 0 Client-IP-Address = 127.0.0.1 Acct-Unique-Session-Id = "1cc41474b27ed376" Timestamp = 1137082798
These appear to be from the loopback of the NAS, not the radius server.
Thanks for your reply, however it doesn't make sense to me. How can the Client-IP-Address be 127.0.0.1 if the radius server records the source address of the packet in the Client-IP-Address attribute? If the packet came from the loopback of the nas then I would expect the NAS-IP-Address to be 127.0.0.1 but the Client-IP-Address to be where the packet was sourced from. I assumed when you marked the NAS ip as legit, that the actual value in that field is a legit IP that you have listed in your clients.conf file. If that is the case, then that is where the packet originated from. My NAS's report the client IP as the NAS address if I log in from the network. Login-IP-Host = <ip of router> Client-IP-Address = <IP of NAS IP>
I think I remember if I logged in from the console port that it reports the Client address as the loopback. -- Lewis Bergman Texas Communications 4309 Maple St. Abilene, TX 79602-8044 Off. 325-691-1301 Cell 325-439-0533 fax 325-695-6841