Hello, I need to do an integration with Fortigate appliance. Basically, I need to send a copy of Account-Request Class attribute +UserName to Fortigate (so I can enable a Fortigate feature for that customer authenticating). So, I'm trying to use the detail file (I did the most basic setup I think, with minimum changes on proxy.conf and copy-acct-to-home-server file). It worked fine, except it seems that is sending auth+acct packets instead of acct packets only.
From what I understood, the realm NULL:
realm NULL { accthost = 192.168.250.2:1813 secret = ########## } Would do it fine for my case (considering the usernames exchanged), but I'm not sure how can limit only acct packets for it, or if I need to do this on a different way. Thanks for the great software.
Tiago wrote:
Basically, I need to send a copy of Account-Request Class attribute +UserName to Fortigate (so I can enable a Fortigate feature for that customer authenticating).
OK.
So, I'm trying to use the detail file (I did the most basic setup I think, with minimum changes on proxy.conf and copy-acct-to-home-server file). It worked fine, except it seems that is sending auth+acct packets instead of acct packets only.
The default configuration doesn't do that. The "copy-acct-to-home-server" file doesn't do that, either. You edited the configuration, and made it write authentication packets to the accounting detail file. Don't do that.
From what I understood, the realm NULL:
realm NULL {
accthost = 192.168.250.2:1813 <http://192.168.250.2:1813>
secret = ##########
}
Would do it fine for my case (considering the usernames exchanged),
I don't know what that means. But it has nothing to do with the problem noted above.
but I'm not sure how can limit only acct packets for it, or if I need to do this on a different way.
Configure it to write only accounting packets to the detail file. Alan DeKok.
Hello Alan, I'm not sure if I should paste here or using a paste.bin site. Here are my config files: My "copy-acct-to-home-server" file is: server copy-acct-to-home-server { listen { type = detail filename = ${radacctdir}/detail load_factor = 10 } preacct { preprocess suffix files } accounting { ok } pre-proxy { } post-proxy { } } And my proxy.conf proxy server { default_fallback = no } home_server localhost { type = auth+acct ipaddr = 127.0.0.1 port = 1813 secret = ######## require_message_authenticator = yes response_window = 20 zombie_period = 40 revive_interval = 120 status_check = none check_interval = 30 num_answers_to_alive = 3 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL {} realm NULL { accthost = 192.168.250.2:1813 secret = ######### } When you said to "Configure it to write only accounting packets to the detail file." Where should I do that? I couldn't understand how it works, so I'm lost to configure it.
Tiago wrote:
Hello Alan, I'm not sure if I should paste here or using a paste.bin site.
Here are my config files:
I don't need to see that.
My "copy-acct-to-home-server" file is:
Massively edited.
When you said to "Configure it to write only accounting packets to the detail file." Where should I do that? I couldn't understand how it works, so I'm lost to configure it.
If you don't understand how it works, don't do massive edits on the configuration files. Start with the default configuration. IT WORKS. Change one thing, and test it. If it works, save a copy of the configuration, and change something else. If it doesn't work, debug the problem before editing anything else. This shouldn't be difficult. You have a detail file which has Access-Request packets in it. This is wrong. YOU CHANGED IT. So... you should know what you changed. If you don't know what you changed, you will never be able to debug anything. But it should be simple... you have the debug output. READ IT. See which module it's running when it writes Access-Request packets to the detail file. Then, edit the configuration so that it doesn't write Access-Request packets to the detail file. Alan DeKok.
Alan, I did following your suggestion before I sent the mail to the list, but those are the exact files which came on ubuntu 12.04 freeradius package. The difference was: type = auth+acct at home_server localhost definition that came with type=auth only. And the realm NULL which I uncommented and changed. I tried to use type=acct but resulted in error, so it's not massively edited by me. Sorry for the confusion. Maybe I should read the files which come with the "source" tarball, is this the best way to do that? 2014-09-17 18:54 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
Tiago wrote:
Hello Alan, I'm not sure if I should paste here or using a paste.bin site.
Here are my config files:
I don't need to see that.
My "copy-acct-to-home-server" file is:
Massively edited.
When you said to "Configure it to write only accounting packets to the detail file." Where should I do that? I couldn't understand how it works, so I'm lost to configure it.
If you don't understand how it works, don't do massive edits on the configuration files.
Start with the default configuration. IT WORKS.
Change one thing, and test it. If it works, save a copy of the configuration, and change something else.
If it doesn't work, debug the problem before editing anything else.
This shouldn't be difficult. You have a detail file which has Access-Request packets in it. This is wrong. YOU CHANGED IT. So... you should know what you changed.
If you don't know what you changed, you will never be able to debug anything.
But it should be simple... you have the debug output. READ IT.
See which module it's running when it writes Access-Request packets to the detail file. Then, edit the configuration so that it doesn't write Access-Request packets to the detail file.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Tiago wrote:
Alan, I did following your suggestion before I sent the mail to the list, but those are the exact files which came on ubuntu 12.04 freeradius package.
Then they should work, with minimal editing.
Sorry for the confusion. Maybe I should read the files which come with the "source" tarball, is this the best way to do that?
It should be the same. Alan DeKok.
Alan, I can see from debug that freeradius is proxying only acct-requests to fortigate as it should: Sending Accounting-Request of id 237 to 192.x port 1813 Acct-Session-Id = "5419E16643C100" User-Name = "calena" Acct-Status-Type = Stop Service-Type = Framed-User Framed-Protocol = PPP Acct-Authentic = RADIUS Acct-Session-Time = 19018 Acct-Output-Octets = 1259331153 Acct-Input-Octets = 37100064 Acct-Output-Packets = 970288 Acct-Input-Packets = 366792 Calling-Station-Id = "9C:D6:43:D5:37:75" NAS-Port-Type = Async Acct-Terminate-Cause = User-Request Framed-IP-Address = x.x.x.x NAS-IP-Address = y.y.y.y NAS-Port = 481 Acct-Delay-Time = 0 Proxy-State = 0x323436 Proxying request 125 to home server 192.x port 1813 Sending Accounting-Request of id 237 to 192.x port 1813 Is there a way to proxy those packets *only* if contains the Class attribute or Acct-Status-Type = Stop? How can I "filter" that?
Yes. Use unlang (ie wrap the calls to the detail file inside an 'if' section ) alan
participants (3)
-
Alan Buxey -
Alan DeKok -
Tiago