Accounting question

Martin Pauly pauly at hrz.uni-marburg.de
Wed Jun 15 18:47:42 CEST 2005 

Hello,

I think my question ist quite related to yours although we do
EAP-TTLS, i.e. PAP inside the tunnel.

> I have a question regarding the way accounting is done. I configured
> freeradius 1.0.1 with openssl and mysql support on a Fedora Core 3
> system. I'm using it with PEAP and TLS for wireless authentication.
> The authentication works fine, but the accounting packets are always
> missing the username and the IPs of client and NAS seem to be
> interchanged.

- as for User-Name, freeradius normally logs the User-Name
  outside of the tunnel. Use 
  use_tunneled_reply = yes
  in the relevant portion of eap.conf (thanks to Michael Poser)

- IP-Address is a bit more nasty:
  NAS-IP-Address should indeed indicate the IP Address of your wireless AP
  and may be used in alternation with NAS-Identifier
  AFAIK, Client-IP-Address refers to a RADIUS client, i.e. your AP or a 
  RADIUS proxy server

The WLAN supplicant's IP-Address never shows up, simply because there is none,
at least not at the time of authentication.
The entire 802.1x authentication is done on the link layer, i.e. layer 2.
In theory, the wireless client could go ahead and talk IPX, DECNET, AppleTalk or
whatever protocols are available. In practice, however, the vast majority
of WLAN CLients nowadays will use IP and IPv4 in particular -- and of course,
you need the assigned IP addresses in your logfile (at least we do).
Most sites will hand out these addresses via DHCP after the authentication 
is done.

So I'm going to cook up some simple perl programs to integrate 
ISC dhcpd's logfiles with those from freeradius' and probably 
simulate a Framed-IP-Address in the detail file.

What' a bit funny: Our Cisco AP _does_ record supplicant's IP addresses
internally, you can view them with some IOS command. It would indeed
be convenient to make it send the address along with every Accounting
STOP-Packet, but as of yet we haven't found a way.

Any comments or suggestions on this?
Martin  

-- 
  Dr. Martin Pauly     Fax:    49-6421-28-26994            
  HRZ Univ. Marburg    Phone:  49-6421-28-23527
  Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE  
  D-35032 Marburg

More information about the Freeradius-Users mailing list