Setting up FreeRADIUS accounting with IP address logging
Matthew Newton
mcn4 at leicester.ac.uk
Sun Apr 15 01:18:07 CEST 2012
Hi Johan,
On Sat, Apr 14, 2012 at 12:06:54PM +0200, Johan Swetzén wrote:
> I'm setting up wifi internet in my student dorm (90 people) and
> thought wpa2 enterprise with FreeRADIUS (version 2.1.8 running
> on Ubuntu) would be a good solution, together with the
> incredibly stable Linksys WRT54GL and dd-wrt. There are a few
> problems I cannot figure out though:
2.1.8 is pretty old. You should really run the latest 2.1.12,
which fixes a number of bugs. It's easy to get running on
debian/ubuntu, as the freeradius source comes with debian
packaging stuff. See
http://wiki.freeradius.org/Build#Building+Debian+packages
However, what you're trying to do will work on 2.1.8.
> 1. How to set up plain-text accounting.
> I saw in the configuration that the log directory is set to
> /var/log/freeradius/radacct so I created the directory and made
> writable (777 to be sure) but alas, there are no logs.
The default config creates this directory and writes logs to it.
If you have broken the default config, then it won't work. My
guess is a permissions problem, or you've fiddled with the config
a lot and broken it, or the NAS is not sending accounting packets.
You need to run freeradius as 'freeradius -X' and read the debug
output to see what's happening. Look for the 'detail' lines. If
you see no accounting packets arrive, work out what's broken on
your NAS or network.
> 2. How to get freeRADIUS to work with a DHCP server.
> I'm not asking about the experimental built-in DHCP server, as
> it seems very limited, but is it possible to somehow log the IP
> addresses that each user is assigned? We need to know who was
> using a certain IP address at a certain time.
a) see the answer to question 1.
b) The NAS should return the client's IP address in the
*accounting* packets, which you aren't currently getting, so you
won't see anything at the moment. The end-user's IP address, if
sent, should be in the Framed-IP-Address attribute. Their MAC
address should be in the accounting logs, and any auth logs, as
the Calling-Station-Id attribute.
> 3. How to connect using Windows.
> It's dead simple to connect to the network with linux, mac and
> smartphones but for Windows it seems impossible to find the
> right combination of settings. I haven't googled this issue so
> much, so maybe there's a simple answer. Also, it's a later
> problem.
If you're using Active Directory:
http://wiki.freeradius.org/freeradius_active_directory_integration_howto
If not, see the same page especially
http://wiki.freeradius.org/freeradius_active_directory_integration_howto#Configuration+of+users
and the MS-CHAP-Use-NTLM-Auth := 0 bit.
In short, you need to use PEAP with MS-CHAPv2, or EAP-TLS
(certificates/PKI), if you're using Windows <= 7.
> P.S. I have attached the radiusd.conf file at the end. I haven't changed much though.
That file is essentially useless, it's the whole config that
matters, and that's only a very small part. You need to send the
debug output from 'freeradius -X' next time.
Cheers
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the Freeradius-Users
mailing list