Hi All, I'm putting this down to just being an anomaly but wondered if anyone had any insight. There's an entry in the radacct table of my SQL database with the MAC address of one of my users. I was under the impression that only successful authentication attempts were recorded in here but there is no record that matches that username in the database to allow it to be successful. I can see it in the radacct file of the NAS in the var/logs/ file of the server but can't see if it was successful or not exactly. Weirder still, I cannot see this authentication attempt in the radpostauth table. The MAC address is the same as the MAC of the device that sent the request so I wondered if there had been any record of this sort of thing happening previously. And if so what could cause it? Kind regards, Connor
On Sep 17, 2024, at 12:20 PM, Connor Herring <connorrjherring@gmail.com> wrote:
There's an entry in the radacct table of my SQL database with the MAC address of one of my users. I was under the impression that only successful authentication attempts were recorded in here but there is no record that matches that username in the database to allow it to be successful. I can see it in the radacct file of the NAS in the var/logs/ file of the server but can't see if it was successful or not exactly.
Weirder still, I cannot see this authentication attempt in the radpostauth table.
While accounting is usually tied to authentication, there is no guarantee that's true. The NAS is free to invent random accounting packets and send them to the server.
The MAC address is the same as the MAC of the device that sent the request so I wondered if there had been any record of this sort of thing happening previously. And if so what could cause it?
The NAS did something weird. Why? I dunno... NASes do "inventive" things. Alan DeKok.
Hi Alan, Thanks for the response, any idea why it wouldn’t appear in radpostauth or the freeradius logs stating whether the connection was accepted or rejected? Definitely shouldn’t have been accepted. Kind regards, Connor On Tue, 17 Sep 2024 at 19:12, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 17, 2024, at 12:20 PM, Connor Herring <connorrjherring@gmail.com> wrote:
There's an entry in the radacct table of my SQL database with the MAC address of one of my users. I was under the impression that only successful authentication attempts were recorded in here but there is no record that matches that username in the database to allow it to be successful. I can see it in the radacct file of the NAS in the var/logs/ file of the server but can't see if it was successful or not exactly.
Weirder still, I cannot see this authentication attempt in the radpostauth table.
While accounting is usually tied to authentication, there is no guarantee that's true. The NAS is free to invent random accounting packets and send them to the server.
The MAC address is the same as the MAC of the device that sent the request so I wondered if there had been any record of this sort of thing happening previously. And if so what could cause it?
The NAS did something weird. Why? I dunno... NASes do "inventive" things.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 17, 2024, at 2:22 PM, Connor Herring <connorrjherring@gmail.com> wrote:
Thanks for the response, any idea why it wouldn’t appear in radpostauth or the freeradius logs stating whether the connection was accepted or rejected? Definitely shouldn’t have been accepted.
As I said: While accounting is usually tied to authentication, there is no guarantee that's true. The NAS is free to invent random accounting packets and send them to the server. There does NOT need to be an Access-Request / Access-Accept sequence before the NAS sends accounting packets. The NAS might just send random accounting packets. Alan DeKok.
Hi Alan, Misread your last email, I will put it down to being random accounting and that would make sense as to why it’s not in the postauth table! Thanks very much. Kind regards, Connor On Tue, 17 Sep 2024 at 19:39, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 17, 2024, at 2:22 PM, Connor Herring <connorrjherring@gmail.com> wrote:
Thanks for the response, any idea why it wouldn’t appear in radpostauth or the freeradius logs stating whether the connection was accepted or rejected? Definitely shouldn’t have been accepted.
As I said:
While accounting is usually tied to authentication, there is no guarantee that's true. The NAS is free to invent random accounting packets and send them to the server.
There does NOT need to be an Access-Request / Access-Accept sequence before the NAS sends accounting packets. The NAS might just send random accounting packets.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Connor Herring