Hi All, I'm using freeradius 2.1.6 and want to move to decoupled accounting. I understand the example configs, but one question I still have is this: do I have to have preacct and accounting sections in my "virtual.blah.com" file (very similar to the default file) which is in the sites-enabled dir, even though I will have preacct and accounting sections in the decoupled-accounting file? Regards, Ranbir -- Kanwar Ranbir Sandhu Linux 2.6.27.25-170.2.72.fc10.x86_64 x86_64 GNU/Linux 13:16:02 up 5 days, 4:42, 5 users, load average: 1.43, 1.36, 1.26
No, the accounting will only work on the virtual serve who has a listen section that has acct activated. If you put a new virtual server without acct listen section will not work. 2009/7/29 Kanwar Ranbir Sandhu <m3freak@thesandhufamily.ca>:
Hi All,
I'm using freeradius 2.1.6 and want to move to decoupled accounting. I understand the example configs, but one question I still have is this: do I have to have preacct and accounting sections in my "virtual.blah.com" file (very similar to the default file) which is in the sites-enabled dir, even though I will have preacct and accounting sections in the decoupled-accounting file?
Regards,
Ranbir
-- Kanwar Ranbir Sandhu Linux 2.6.27.25-170.2.72.fc10.x86_64 x86_64 GNU/Linux 13:16:02 up 5 days, 4:42, 5 users, load average: 1.43, 1.36, 1.26
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, 2009-07-29 at 21:21 +0200, Rokkhan wrote:
No, the accounting will only work on the virtual serve who has a listen section that has acct activated. If you put a new virtual server without acct listen section will not work.
My virtual server does have an acct listen section. I'm talking about the sections where you define the various other modules that preacct and accounting would use (e.g. sql, sqlippool, etc.). Regards, Ranbir -- Kanwar Ranbir Sandhu Linux 2.6.27.25-170.2.72.fc10.x86_64 x86_64 GNU/Linux 18:01:57 up 5 days, 9:28, 4 users, load average: 1.16, 1.09, 0.63
On Wed, 2009-07-29 at 13:23 -0400, Kanwar Ranbir Sandhu wrote:
I'm using freeradius 2.1.6 and want to move to decoupled accounting. I understand the example configs, but one question I still have is this: do I have to have preacct and accounting sections in my "virtual.blah.com" file (very similar to the default file) which is in the sites-enabled dir, even though I will have preacct and accounting sections in the decoupled-accounting file?
Maybe I should post my configs. So, here's the existing virtual server I'm using (/etc/raddb/sites-enabled/virtual.blah.com): server blah { # # Listen / socket config # listen { ipaddr = 1.1.1.1 port = 0 interface = eth0 type = auth } listen { ipaddr = 1.1.1.2 port = 0 interface = eth0 type = acct } # # Clients # client agas1 { ipaddr = 2.2.2.1 secret = secret nastype = other require_message_authenticator = no } client agas2 { ipaddr = 2.2.2.2 secret = secret nastype = other require_message_authenticator = no } # # Authorization # authorize { preprocess update request { Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress=\"%{NAS-IP-Address}\"}" } chap mschap suffix eap { ok = return } sql expiration logintime pap } # # Authentication. # authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess acct_unique suffix } # # Accounting. Log the accounting data. # accounting { sqlippool sql attr_filter.accounting_response } session { sql } # # Post-Authentication # post-auth { sqlippool sql exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } } And here's the decoupled-accounting file I want to use: server write_detail.blah.com { accounting { detail.blah.com } } server read_detail.detail.blah.com { listen { type = detail filename = "${radacctdir}/detail.blah.com/detail-*:*" load_factor = 10 } # # Pre-accounting. Decide which accounting type to use. # preacct { preprocess acct_unique suffix } # # Accounting. Log the accounting data. # accounting { sqlippool sql attr_filter.accounting_response } } As you can see, decoupled-accounting has the same preacct and accounting sections that virtual.blah.com has. So, would I need them in both, or is it enough to just have preacct and accounting in the decoupled-accounting file? In my mind, it doesn't make sense to put the same config in two different virtual servers when one of them is calling the other directly anyway. I could be wrong...like many times before. :) Regards, Ranbir -- Kanwar Ranbir Sandhu Linux 2.6.27.25-170.2.72.fc10.x86_64 x86_64 GNU/Linux 12:27:16 up 6 days, 3:54, 4 users, load average: 1.34, 1.30, 1.18
As you can see, decoupled-accounting has the same preacct and accounting sections that virtual.blah.com has. So, would I need them in both, or is it enough to just have preacct and accounting in the decoupled-accounting file?
Just in decoupled-accounting. But you need to divert accounting to write-detail virtual server in listen section. Ivan Kalik Kalik Informatika ISP
On Thu, 2009-07-30 at 19:24 +0100, Ivan Kalik wrote:
Just in decoupled-accounting. But you need to divert accounting to write-detail virtual server in listen section.
Yes, I've done that. I actually copied up my old virtual.blah.com config that didn't have the write-detail virtual server in the listen section. Thanks for answering. It was the the only question I had about decoupled accounting. The configs were otherwise quite helpful. Regards, Ranbir -- Kanwar Ranbir Sandhu Linux 2.6.27.25-170.2.72.fc10.x86_64 x86_64 GNU/Linux 14:39:15 up 6 days, 6:06, 4 users, load average: 1.59, 1.49, 1.35
On Thu, 2009-07-30 at 19:24 +0100, Ivan Kalik wrote:
Just in decoupled-accounting. But you need to divert accounting to write-detail virtual server in listen section.
I'm not sure I've configured the write_detail virtual server in the listen section properly. This is what I have at the moment: listen { ipaddr = 1.1.1.2 port = 0 interface = eth0 type = acct virtual_server = write_detail.blah.com } Would that work? If not, why? Regards, Ranbir -- Kanwar Ranbir Sandhu Linux 2.6.27.25-170.2.72.fc10.x86_64 x86_64 GNU/Linux 01:56:16 up 6 days, 17:23, 3 users, load average: 0.27, 0.41, 0.50
I'm not sure I've configured the write_detail virtual server in the listen section properly. This is what I have at the moment:
listen { ipaddr = 1.1.1.2 port = 0 interface = eth0 type = acct virtual_server = write_detail.blah.com }
Would that work? If not, why?
It should, as long as the listen section in server blah isn't identical (as it is in your examples). Ivan Kalik Kalik Informatika ISP
Hi Ivan Ned you help here Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/wireless-auth/linux-7v1x.pem" certificate_file = "/etc/wireless-auth/linux-7v1x.pem" CA_file = "/etc/wireless-auth/root.pem" private_key_password = "myettelap" dh_file = "/etc/wireless-auth/DH" random_file = "/etc/wireless-auth/random" fragment_size = 1024 include_length = yes check_crl = no } rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file /etc/wireless-auth/linux-7v1x.pem rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[280]: Failed to find module "eap". /etc/raddb/sites-enabled/default[227]: Errors parsing authenticate section. } Errors initializing modules
I my certs /pass directord is empty 2009/7/31 Devinder Singh <devinbhullar@gmail.com>:
Hi Ivan
Ned you help here Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/wireless-auth/linux-7v1x.pem" certificate_file = "/etc/wireless-auth/linux-7v1x.pem" CA_file = "/etc/wireless-auth/root.pem" private_key_password = "myettelap" dh_file = "/etc/wireless-auth/DH" random_file = "/etc/wireless-auth/random" fragment_size = 1024 include_length = yes check_crl = no } rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file /etc/wireless-auth/linux-7v1x.pem rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[280]: Failed to find module "eap". /etc/raddb/sites-enabled/default[227]: Errors parsing authenticate section. } Errors initializing modules
-- Devinder
Hi Ivan This is how generetd the certs and radiusd -X gives error linux-7v1x:/etc/raddb/certs # ./CA.root myettelap Generating a 1024 bit RSA private key ..++++++ .................++++++ writing new private key to 'pem/newreq.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []: Email Address []: MAC verified OK linux-7v1x:/etc/raddb/certs # ls bootstrap CA.client CA.root client.cnf der p12 pem server.cnf CA.cient ca.cnf CA.server demoCA Makefile pass README xpextensions linux-7v1x:/etc/raddb/certs # cd pass linux-7v1x:/etc/raddb/certs/pass # ls root.pass linux-7v1x:/etc/raddb/certs/pass # vi root.pass linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # linux-7v1x:/etc/raddb/certs/pass # cd . linux-7v1x:/etc/raddb/certs/pass # cd .. linux-7v1x:/etc/raddb/certs # ls bootstrap CA.client CA.root client.cnf der p12 pem server.cnf CA.cient ca.cnf CA.server demoCA Makefile pass README xpextensions linux-7v1x:/etc/raddb/certs # cd pem linux-7v1x:/etc/raddb/certs/pem # ls root.pem linux-7v1x:/etc/raddb/certs/pem # cd .. linux-7v1x:/etc/raddb/certs # ls bootstrap CA.client CA.root client.cnf der p12 pem server.cnf CA.cient ca.cnf CA.server demoCA Makefile pass README xpextensions linux-7v1x:/etc/raddb/certs # cd /home/palette/Desktop/freeradius-1.0.4/raddb/certs/demoCA/ linux-7v1x:/home/palette/Desktop/freeradius-1.0.4/raddb/certs/demoCA # ls cacert.pem index.txt index.txt.old serial serial.old linux-7v1x:/home/palette/Desktop/freeradius-1.0.4/raddb/certs/demoCA # cp serial /etc/raddb/certs/demoCA/ linux-7v1x:/home/palette/Desktop/freeradius-1.0.4/raddb/certs/demoCA # cd /etc/raddb/certs/ linux-7v1x:/etc/raddb/certs # ls bootstrap CA.client CA.root client.cnf der p12 pem server.cnf CA.cient ca.cnf CA.server demoCA Makefile pass README xpextensions linux-7v1x:/etc/raddb/certs # ./CA.server linux-7v1x devin myettelap Generating a 1024 bit RSA private key .............................................++++++ ................................++++++ writing new private key to 'pem/newreq.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:linux-7v1x Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:1234 An optional company name []:Pal Using configuration from /etc/ssl/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 3 (0x3) Validity Not Before: Jul 31 09:28:11 2009 GMT Not After : Jul 31 09:28:11 2010 GMT Subject: countryName = AU stateOrProvinceName = Some-State organizationName = Internet Widgits Pty Ltd commonName = linux-7v1x X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication Certificate is to be certified until Jul 31 09:28:11 2010 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated MAC verified OK linux-7v1x:/etc/raddb/certs # ls bootstrap CA.client CA.root client.cnf der p12 pem server.cnf CA.cient ca.cnf CA.server demoCA Makefile pass README xpextensions linux-7v1x:/etc/raddb/certs # cd pass linux-7v1x:/etc/raddb/certs/pass # ls root.pass linux-7v1x:/etc/raddb/certs/pass # cd .. linux-7v1x:/etc/raddb/certs # cd der linux-7v1x:/etc/raddb/certs/der # ls linux-7v1x.der root.der linux-7v1x:/etc/raddb/certs/der # cd . linux-7v1x:/etc/raddb/certs/der # cd .. linux-7v1x:/etc/raddb/certs # ls bootstrap CA.client CA.root client.cnf der p12 pem server.cnf CA.cient ca.cnf CA.server demoCA Makefile pass README xpextensions linux-7v1x:/etc/raddb/certs # ./CA.client palette-giau6pb devin myettelap Generating a 1024 bit RSA private key .......++++++ .......................................................++++++ writing new private key to 'pem/newreq.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:palette-giau6pb Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:1234 An optional company name []: Using configuration from /etc/ssl/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4 (0x4) Validity Not Before: Jul 31 09:31:56 2009 GMT Not After : Jul 31 09:31:56 2010 GMT Subject: countryName = AU stateOrProvinceName = Some-State organizationName = Internet Widgits Pty Ltd commonName = palette-giau6pb X509v3 extensions: X509v3 Extended Key Usage: TLS Web Client Authentication Certificate is to be certified until Jul 31 09:31:56 2010 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated MAC verified OK linux-7v1x:/etc/raddb/certs # ls Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/wireless-auth/linux-7v1x.pem" certificate_file = "/etc/wireless-auth/linux-7v1x.pem" CA_file = "/etc/wireless-auth/root.pem" private_key_password = "myettelap" dh_file = "/etc/wireless-auth/DH" random_file = "/etc/wireless-auth/random" fragment_size = 1024 include_length = yes check_crl = no } rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file /etc/wireless-auth/linux-7v1x.pem rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[280]: Failed to find module "eap". /etc/raddb/sites-enabled/default[227]: Errors parsing authenticate section. } Errors initializing modules 2009/7/31 Devinder Singh <devinbhullar@gmail.com>:
Hi Ivan
Ned you help here Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/wireless-auth/linux-7v1x.pem" certificate_file = "/etc/wireless-auth/linux-7v1x.pem" CA_file = "/etc/wireless-auth/root.pem" private_key_password = "myettelap" dh_file = "/etc/wireless-auth/DH" random_file = "/etc/wireless-auth/random" fragment_size = 1024 include_length = yes check_crl = no } rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt rlm_eap_tls: Error reading private key file /etc/wireless-auth/linux-7v1x.pem rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/default[280]: Failed to find module "eap". /etc/raddb/sites-enabled/default[227]: Errors parsing authenticate section. } Errors initializing modules
-- Devinder
On Fri, 2009-07-31 at 09:35 +0100, Ivan Kalik wrote:
It should, as long as the listen section in server blah isn't identical (as it is in your examples).
This acct listen section is actually from the server "blah" config. The one in the other email was the original config before I made my buffered accounting adjustments. I just copied and pasted only this one part to spare everyone another long email. Thanks for answering my questions. Now to do some testing to see if it works. Regards, Ranbir -- Kanwar Ranbir Sandhu Linux 2.6.27.25-170.2.72.fc10.x86_64 x86_64 GNU/Linux 08:31:53 up 6 days, 23:58, 4 users, load average: 0.34, 0.34, 0.27
participants (4)
-
Devinder Singh -
Ivan Kalik -
Kanwar Ranbir Sandhu -
Rokkhan