Simple Accounting 'radrelay' functionality - Version 2.1.6
Craig Campbell
craig at ccraft.ca
Mon Aug 31 20:52:38 CEST 2009
Hi.
FreeRadius 2.1.6 running in Redhat Linux AS5.3
We are upgrading from ancient radius servers to current, and discovered the
radrelay program no longer exists.
Despite my best efforts, I have failed to configure relaying correctly. I
think I am including below the required changes. I hope someone that has
done this successfully can easily see where I went wrong. (Thanks in
advance!)
We have two (2) radius servers (Redhat Linux AS5), radius-a and radius-b, and
wish to replicate accounting info between them.
(Previously radius-1 ran radrelay to radius-2 and radius-2 ran radrelay to
radius-1 -- just to be clear)
For my testing, I am attempting to get radius-a to replicate to radius-b
(Get things working in 1 direction first.)
I have created a symbolic link in /usr/local/etc/raddb/sites-enabled/ to
/usr/local/etc/raddb/sites-available/copy-acct-to-home-server
I have ADDED the following to (and REMOVED NOTHING FROM) the proxy.conf file,
home_server radius-b {
type = acct
ipaddr = 192.168.1.226
port = 1813
secret = booboo
require_message_authenticator = no
response_window = 20
zombie_period = 40
revive_interval = 120
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
coa {
# Initial retransmit interval: 1..5
irt = 2
# Maximum Retransmit Timeout: 1..30 (0 == no maximum)
mrt = 16
# Maximum Retransmit Count: 1..20 (0 == retransmit forever)
mrc = 5
# Maximum Retransmit Duration: 5..60
mrd = 30
}
}
home_server_pool my_acct_relay {
type = fail-over
home_server = radius-b
}
realm relay_realm {
acct_pool = my_acct_relay
}
~~~~~~~
I have modified the file /usr/local/etc/raddb/sites-enabled/copy-to-home-server as follows,
server copy-acct-to-home-server {
listen {
type = detail
#CEC filename = ${radacctdir}/detail
filename = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
load_factor = 10
}
preacct {
#CEC Added this from web searches...
update control {
Proxy-To-Realm := relay_realm
}
preprocess
suffix
files
}
~~~~~~~
Accounting packets are being sent from 192.168.1.101 to radius-a and are logged.
No IP traffic has been detected from radius-a to radius-b.
The detail file I expect is being updated.
No log files of the form,
${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
and ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
have been created, although I thought they should have been.
The startup log has no obvious errors I can see,
FreeRADIUS Version 2.1.6, for host x86_64-unknown-linux-gnu, built on Aug 28 2009 at 09:39:34
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/copy-acct-to-home-server
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
home_server radius-b {
ipaddr = 192.168.1.226
port = 1813
type = "acct"
secret = "booboo"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_acct_relay {
type = fail-over
home_server = radius-b
}
realm relay_realm {
acct_pool = my_acct_relay
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
client 65.119.114.4 {
require_message_authenticator = no
secret = "s3t6r!synv3rs3"
shortname = "114.4"
}
client 65.119.115.2 {
require_message_authenticator = no
secret = "s3t6r!synv3rs3"
shortname = "115.2"
}
client 65.119.115.7 {
require_message_authenticator = no
secret = "s3t6r!synv3rs3"
shortname = "115.7"
}
client 172.16.16.14 {
require_message_authenticator = no
secret = "booboo"
shortname = "16.14"
}
client 172.16.17.20 {
require_message_authenticator = no
secret = "booboo"
shortname = "17.20"
}
client 192.168.1.100 {
require_message_authenticator = no
secret = "booboo"
shortname = "BRAS_100"
nastype = "juniper"
}
client 192.168.1.101 {
require_message_authenticator = no
secret = "booboo"
shortname = "BRAS_100"
nastype = "juniper"
}
client 199.0.80.1 {
require_message_authenticator = no
secret = "booboo"
shortname = "BRAS_100"
nastype = "juniper"
}
client 192.168.1.103 {
require_message_authenticator = no
secret = "booboo"
shortname = "radius-1"
}
client 192.168.1.104 {
require_message_authenticator = no
secret = "booboo"
shortname = "radius-2"
}
client 192.168.1.225 {
require_message_authenticator = no
secret = "booboo"
shortname = "radius-a"
}
client 192.168.1.226 {
require_message_authenticator = no
secret = "booboo"
shortname = "radius-b"
}
client 206.48.23.170 {
require_message_authenticator = no
secret = "booboo"
shortname = "23.170"
}
client 209.88.128.5 {
require_message_authenticator = no
secret = "booboo"
shortname = "128.5"
}
client 209.88.128.6 {
require_message_authenticator = no
secret = "booboo"
shortname = "128.6"
}
client 209.88.128.7 {
require_message_authenticator = no
secret = "booboo"
shortname = "128.7"
}
client 209.88.128.10 {
require_message_authenticator = no
secret = "booboo"
shortname = "128.10"
}
client 209.88.128.73 {
require_message_authenticator = no
secret = "booboo"
shortname = "access1"
}
client 209.88.128.74 {
require_message_authenticator = no
secret = "booboo"
shortname = "access2"
nastype = "cisco"
login = ""
password = "setarsnmp"
}
client 209.88.128.75 {
require_message_authenticator = no
secret = "booboo"
shortname = "access3"
}
client 209.88.128.76 {
require_message_authenticator = no
secret = "booboo"
shortname = "access4"
}
client 209.88.128.77 {
require_message_authenticator = no
secret = "booboo"
shortname = "access5"
}
client 209.88.128.78 {
require_message_authenticator = no
secret = "booboo"
shortname = "access6"
}
client 209.88.128.131 {
require_message_authenticator = no
secret = "booboo"
shortname = "128.131"
}
client 209.88.129.61 {
require_message_authenticator = no
secret = "booboo"
shortname = "129.61"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server copy-acct-to-home-server {
modules {
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_always
Module: Instantiating ok
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
Module: Checking pre-proxy {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating pre_proxy_log
detail pre_proxy_log {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Checking post-proxy {...} for more modules to load
Module: Instantiating post_proxy_log
detail post_proxy_log {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
} # modules
} # server
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_attr_rewrite
Module: Instantiating hexconvert
attr_rewrite hexconvert {
attribute = "User-Name"
searchfor = "^.*@ftth.aw$"
searchin = "packet"
replacewith = "%{exec:/usr/local/sbin/hexconvert -lX %{User-Name} }"
append = no
ignore_case = no
new_attribute = no
max_matches = 1
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Instantiating sanenasport
attr_rewrite sanenasport {
attribute = "NAS-Port"
searchfor = "^.*"
searchin = "packet"
replacewith = "%{Acct-Session-Id}"
append = no
ignore_case = no
new_attribute = no
max_matches = 1
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating detail
detail {
detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating nameonly
attr_rewrite nameonly {
attribute = "User-Name"
searchfor = "@.*$"
searchin = "packet"
replacewith = ""
append = no
ignore_case = no
new_attribute = no
max_matches = 1
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/var/run/radiusd/radiusd.sock"
}
}
listen {
type = "detail"
listen {
filename = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
load_factor = 10
poll_interval = 1
retry_interval = 30
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on detail file /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d as server copy-acct-to-home-server
Listening on proxy address * port 1814
Waking up in 0.9 seconds.
rad_recv: Accounting-Request packet from host 192.168.1.101 port 50125, id=70, length=245
Acct-Status-Type = Start
User-Name = "nathanjoe at comfort"
Event-Timestamp = "Aug 31 2009 13:40:56 AST"
Acct-Delay-Time = 20
NAS-Identifier = "ERX-2"
Acct-Session-Id = "0314462397"
NAS-IP-Address = 192.168.1.101
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = None
ERX-Pppoe-Description = "pppoe 00:90:d0:63:df:79"
Framed-IP-Address = 201.229.46.219
Framed-IP-Netmask = 255.255.255.255
ERX-Ingress-Policy-Name = "COMFORT_UP"
ERX-Egress-Policy-Name = "COMFORT_DOWN"
Calling-Station-Id = "ERX-08000000269"
NAS-Port-Type = Ethernet
NAS-Port = 2147483917
NAS-Port-Id = "GigabitEthernet 8/0.269:269"
Acct-Authentic = RADIUS
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 2147483917,Client-IP-Address = 192.168.1.101,NAS-IP-Address = 192.168.1.101,Acct-Session-Id = "0314462397",User-Name = "nathanjoe at comfort"'
[acct_unique] Acct-Unique-Session-ID = "526c378c1dcaa12d".
++[acct_unique] returns ok
[sanenasport] expand: ^.* -> ^.*
[sanenasport] expand: %{Acct-Session-Id} -> 0314462397
sanenasport: Changed value for attribute NAS-Port from '?' to '0314462397'
sanenasport: Could not find value pair for attribute NAS-Port
++[sanenasport] returns ok
[hexconvert] expand: ^.*@ftth.aw$ -> ^.*@ftth.aw$
hexconvert: Does not match: User-Name = nathanjoe at comfort
++[hexconvert] returns ok
[suffix] Looking up realm "comfort" for User-Name = "nathanjoe at comfort"
[suffix] No such realm "comfort"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.101/detail-20090831
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.101/detail-20090831
[detail] expand: %t -> Mon Aug 31 13:41:10 2009
++[detail] returns ok
++[unix] returns ok
[nameonly] expand: @.*$ -> @.*$
nameonly: Changed value for attribute User-Name from 'nathanjoe at comfort' to 'nathanjoe'
++[nameonly] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> nathanjoe
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> nathanjoe
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 70 to 192.168.1.101 port 50125
Finished request 0.
Cleaning up request 0 ID 70 with timestamp +1
Going to the next request
Waking up in 0.3 seconds.
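The relay described above rests on the detail file that rlm_detail writes on radius-a and that the detail listener is meant to feed to radius-b. The following is an added example, not code from the post or from the FreeRADIUS project: a parser for that file format (a header line from the `header = "%t"` setting, tab-indented `Attribute = Value` lines, a blank line closing each record) plus a check that lists records present on the source but absent on the relay target. The two detail files are constructed sample data, and record_key is an assumed matching rule (NAS-IP-Address, Acct-Session-Id, Acct-Status-Type), not something the page specifies.

```python
"""Parse FreeRADIUS detail files and report records not yet seen on the relay
target. Added example; the sample files below are constructed, not real logs."""
import re
from typing import Dict, List, Optional, Tuple

# rlm_detail writes one record as: a header line (here the "%t" timestamp),
# then "\tAttribute = Value" lines, then an empty line.
_ATTR_RE = re.compile(r"^\t([\w-]+) = (.*)$")


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Return one dict per record; the header line is kept under '_header'."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if not line.strip():              # blank line terminates a record
            if current is not None:
                records.append(current)
                current = None
            continue
        m = _ATTR_RE.match(line)
        if m is None:                     # unindented line: record header
            current = {"_header": line.strip()}
            continue
        if current is None:
            raise ValueError("attribute line before record header: %r" % line)
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]           # rlm_detail quotes string values
        current[name] = value
    if current is not None:               # file without a trailing blank line
        records.append(current)
    return records


def record_key(rec: Dict[str, str]) -> Tuple[Optional[str], ...]:
    # Assumed matching rule: the NAS-supplied session tuple, which survives
    # proxying unchanged even if the target does not run acct_unique.
    return (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"),
            rec.get("Acct-Status-Type"))


def missing_on_target(source_text: str, target_text: str) -> List[Dict[str, str]]:
    """Records written on the source whose key never reached the target."""
    seen = {record_key(r) for r in parse_detail(target_text)}
    return [r for r in parse_detail(source_text) if record_key(r) not in seen]


# Constructed sample: a Start and a Stop on the source, only the Start relayed.
SOURCE_DETAIL = (
    "Mon Aug 31 13:41:10 2009\n"
    "\tAcct-Status-Type = Start\n"
    '\tUser-Name = "alice@example.net"\n'
    '\tAcct-Session-Id = "0000000042"\n'
    "\tNAS-IP-Address = 192.168.1.101\n"
    "\tTimestamp = 1251726070\n\n"
    "Mon Aug 31 13:52:03 2009\n"
    "\tAcct-Status-Type = Stop\n"
    '\tUser-Name = "alice@example.net"\n'
    '\tAcct-Session-Id = "0000000042"\n'
    "\tNAS-IP-Address = 192.168.1.101\n"
    "\tAcct-Session-Time = 653\n"
    "\tTimestamp = 1251726723\n\n"
)
TARGET_DETAIL = SOURCE_DETAIL.split("\n\n")[0] + "\n\n"

if __name__ == "__main__":
    for rec in missing_on_target(SOURCE_DETAIL, TARGET_DETAIL):
        print("not relayed:", rec["_header"], record_key(rec))
```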