Forward Accounting Packets to Fortigate - need help

Alan DeKok aland at deployingradius.com
Sat Apr 9 00:31:35 CEST 2016


On Apr 8, 2016, at 2:56 PM, Eby Mani <eby_km at yahoo.com> wrote:
> freeRadius is configured with mysql and users are authenticated using EAP - PEAP without certificates. 
> Once users are authenticated thru radius, ip address is released thru another dhcp server. 

  OK...

> Issue 1,
> When Users are getting authenticated, freeradius isn't sending Class attribute of the usergroup/user in Access-Accept message. Only User-Name is sent to NAS. 

  That is a common problem, and typically because you're running rules in the first few packets that aren't run for the last one.

  e.g. you may have use_tunneled_reply = no.

> 1, radtest from the server return class attributes of user/usergroup.
> 2, when running server in debug mode and authenticating from NAS, it doesn't.

  How about reading the debug log, and seeing what it does?

  The server prints out rather a lot more than just the packets it's receiving, and replies it sends.  It prints out WHY it's sending a particular reply.

> Is this the default behaviour? How do I tell freeradius to send Class attribute of usergroup in Access-Accept?

  That depends on where you're using the SQL module.  The "use_tunneled_reply" configuration might help.

> Issue 2,
> freeradius is not sending accounting copies to Fortigate. Having Added "realm {}" in proxy.conf, added "detailfile = ${radacctdir}/detail" in detail file and included "update control {}" in preacct section of copy-acct-to-home-server file and linked the same to sites-enabled folder. I'm not sure if I have missed anything.

  You need to set Proxy-To-Realm in order to proxy packets.

> One might ask why send accounting again, Fortigate can have only one RSSO Agent, thus sending accounting packets from multiple NAS is not possible. Also I'm planning to use some old gear that doesn't support sending accounting to another server. Sending accounting copies from freeradius will eliminate various admin overheads.
> 
> Attached config files.

  No.

  Attach the debug output as suggested in the FAQ, "man" pages, web pages, and daily on this list.

  Alan DeKok.
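
Added example (not part of the original message, and not the poster's configuration): the two settings named in the reply, shown as excerpts assuming a FreeRADIUS 3.0-style layout. The home server name, pool name, realm name, address and secret are placeholders; the detail file path is the one quoted in the thread.

```conf
# --- mods-available/eap (excerpt) ---
eap {
	peap {
		# With "no", reply attributes added while processing the
		# inner-tunnel request are not copied into the outer
		# Access-Accept, so the NAS only sees what the outer
		# session set (e.g. User-Name).
		use_tunneled_reply = yes
	}
}

# --- proxy.conf (excerpt): destination for the accounting copies ---
home_server fortigate_rsso {             # placeholder name
	type   = acct
	ipaddr = 192.0.2.10                  # placeholder address
	port   = 1813
	secret = CHANGE_ME                   # placeholder shared secret
}
home_server_pool fortigate_acct_pool {   # placeholder name
	type        = fail-over
	home_server = fortigate_rsso
}
realm fortigate_acct {                   # placeholder realm name
	acct_pool = fortigate_acct_pool
	nostrip
}

# --- sites-available/copy-acct-to-home-server (excerpt) ---
server copy-acct-to-home-server {
	listen {
		type        = detail
		filename    = ${radacctdir}/detail
		load_factor = 10
	}
	preacct {
		preprocess
		# An empty "update control {}" proxies nothing. The realm
		# named here must match a realm defined in proxy.conf.
		update control {
			Proxy-To-Realm := "fortigate_acct"
		}
	}
	accounting {
		ok
	}
}
```

Running the server in debug mode (radiusd -X) after the change shows whether the Class attribute reaches the outer reply and whether each detail-file entry is proxied to the realm.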




More information about the Freeradius-Users mailing list