Accounting question
David Peterson
David.Peterson at acc-corp.net
Wed Dec 16 20:21:05 CET 2009
OK I added the reply update and see the acknowledgement go out:
Sending Access-Accept of id 8 to 172.16.4.2 port 1812
	Service-Type = Framed-User
	User-Name = "testtest"
	Framed-Filter-Id = "Bronze"
	Class = 0x7465737474657374
	EAP-Message = 0x03080004
	Message-Authenticator = 0x00000000000000000000000000000000
	WiMAX-IP-Technology = CMIP4
	WiMAX-hHA-IP-MIP4 = 192.168.10.3
	WiMAX-MSK = 0x686ea51099d982afffe6d3555b34d6a9ae889284f3e2db6eeab05848838fd290d00925dd068d797a09eb3b4d17b5a90ad00ab5291ce7ba9a519440b480bb3943
	WiMAX-MN-hHA-MIP4-Key = 0x4e96fdcb6522057bfefbe762e274dbc33640f2ff
	WiMAX-MN-hHA-MIP4-SPI = 1824920104
However the NAS is overriding the username and replying with:
rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=31, length=262
	Acct-Status-Type = Start
	WiMAX-Beginning-Of-Session = 1
	Class = 0x7465737474657374
	WiMAX-IP-Technology = Reserved-0
	Acct-Session-Id = "00-12-cf-c3-fb-8c16\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
	Framed-IP-Address = 64.186.195.5
	User-Name = "{am=1}2D0E1FBA7E14896968495D723D41AC48 at test.com"
	Calling-Station-Id = "00-12-cf-c3-fb-8c"
	NAS-Identifier = "WC_LAB"
	WiMAX-hHA-IP-MIP4 = 192.168.10.3
	NAS-IP-Address = 172.16.4.2
	WiMAX-BS-Id = 0x000002030209
	Framed-Pool = "alias"
	Event-Timestamp = "Dec 16 2009 13:15:14 CST"
	WiMAX-GMT-Timezone-offset = 21600
	Acct-Authentic = RADIUS
Any other thoughts?
David
________________________________________
From: Arran Cudbard-Bell [A.Cudbard-Bell at sussex.ac.uk]
Sent: Tuesday, December 15, 2009 5:32 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Accounting question
David Peterson wrote:
> Forgive my newbieness but where would I put that code? I tried adding it to the sites-available/default file under accounting but I am guessing that's not right.
That'll stop any potential problems arising from the malformed Acct-Session-ID yes.
Regarding the username, try putting the following in postauth.
update reply {
	User-Name := 'testtest'
	Class := 'testtest'
}
See if either of those values are included in accounting sessions. If they are then there are ways to work around the User-Name in accounting packets.
-Arran
> David
>
> -----Original Message-----
> From: Arran Cudbard-Bell [mailto:A.Cudbard-Bell at sussex.ac.uk]
> Sent: Tuesday, December 15, 2009 10:56 AM
> To: David Peterson-WirelessConnections; FreeRadius users mailing list
> Subject: Re: Accounting question
>
> David Peterson wrote:
>> Here is the accounting packet information I am getting:
>> rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=5,
>> length=239
>> Acct-Status-Type = Start
>> WiMAX-Beginning-Of-Session = 1
>> WiMAX-IP-Technology = Reserved-0
>> Acct-Session-Id =
>> "00-12-cf-c3-fb-8c3\000\000\000\000\000\000\000\000\000\000\000\000\000\000\
>> 000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000"
>> Framed-IP-Address = 64.186.195.5
>> User-Name = "{am=1}33AC5579CE57217426E7434FA60E4E65 at test.com"
>> Calling-Station-Id = "00-12-cf-c3-fb-8c"
>> NAS-Identifier = "WC_LAB"
>> NAS-IP-Address = 172.16.4.2
>> WiMAX-BS-Id = 0x000002030209
>> Framed-Pool = "alias"
>> Event-Timestamp = "Dec 15 2009 09:04:15 CST"
>> WiMAX-GMT-Timezone-offset = 21600
>> Acct-Authentic = RADIUS
>>
>> What I don't get is why the authentication works with clear text and the
>> accounting has the "hex stuff". Is this pretty much controlled by the NAS?
>
> The "hex stuff" is the NAS appending 31 null chars to the session id.
> FreeRADIUS is converting the unprintable characters into escape codes so that they're visible.
>
> The RFC recommendation is that:
>
> "The Acct-Session-Id SHOULD contain UTF-8 encoded 10646 [7] characters."
>
> Which SHOULD limit it to printable chars.
>
> Really this is something your NAS vendor should fix, as it's a bug in their code.
>
> ...Though if you really want you can trim off the superfluous nulls with:
>
> if(Acct-Session-ID =~ /(.*)/){
> 	update request {
> 		Acct-Session-ID := "%{1}"
> 	}
> }
>
>
> -Arran
>
>
>> David
>>
>> -----Original Message-----
>> From: Alan DeKok [mailto:aland at deployingradius.com]
>> Sent: Tuesday, December 15, 2009 9:44 AM
>> To: David Peterson-WirelessConnections; FreeRadius users mailing list
>> Subject: Re: Accounting question
>>
>> David Peterson wrote:
>>> From what I can determine, the username is encrypted even though the
>>> authentication is done in clear text during the EAP authentication.
>> It's not "encrypted". My guess is that you are using WiMAX.
>>
>> As always, run the server in debugging mode to see what's going on.
>>
>> But if the NAS refuses to send a usable User-Name in an accounting
>> packet, your only solution is to somehow write the *real* User-Name &&
>> the hex stuff into an SQL table. Then, correlate them later when you
>> receive the accounting packet.
>>
>> Alan DeKok.
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
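The two issues in this thread, the NUL-padded Acct-Session-Id and the NAS replacing the User-Name while echoing Class back, can also be handled when post-processing accounting records. The Python sketch below is an added example, not part of the original messages or of FreeRADIUS; it assumes Class was set to the real user name as in the test above, and the function names and the shortened sample are constructed for illustration.

```python
import re

# Constructed sample: attribute lines in the form FreeRADIUS debug output
# prints them, shortened from the Accounting-Request quoted in the thread.
SAMPLE = r'''
Acct-Status-Type = Start
Class = 0x7465737474657374
Acct-Session-Id = "00-12-cf-c3-fb-8c16\000\000\000\000"
User-Name = "{am=1}2D0E1FBA7E14896968495D723D41AC48 at test.com"
'''

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$')
OCTAL_RE = re.compile(r'\\([0-7]{3})')  # \ooo escapes for unprintable bytes

def parse_attrs(text):
    """Parse 'Name = value' lines; undo octal escapes in quoted strings."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if value.startswith('"') and value.endswith('"'):
            value = OCTAL_RE.sub(lambda o: chr(int(o.group(1), 8)), value[1:-1])
        attrs[name] = value
    return attrs

def normalise(attrs):
    """Return (session_id, user) suitable as keys for accounting records."""
    # Drop only trailing NUL padding; anything else unprintable is rejected.
    session_id = attrs.get("Acct-Session-Id", "").rstrip("\x00")
    if not session_id or not session_id.isprintable():
        raise ValueError("Acct-Session-Id is empty or has unprintable bytes")
    user = attrs.get("User-Name")
    cls = attrs.get("Class", "")
    if cls.startswith("0x"):  # assumption: Class carries the real user name
        try:
            decoded = bytes.fromhex(cls[2:]).decode("utf-8")
        except ValueError:
            decoded = ""  # opaque Class: keep the NAS-supplied User-Name
        if decoded and decoded.isprintable():
            user = decoded
    return session_id, user

if __name__ == "__main__":
    print(normalise(parse_attrs(SAMPLE)))
```

Rejecting session ids with embedded unprintable bytes, rather than silently trimming them, keeps a malformed NAS value from colliding with another session's key.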