The Class attribute is missing in some accounting packets sent from the same NAS.

Selahattin Cilek selahattin_cilek at hotmail.com
Tue Feb 7 18:17:39 CET 2017



On 07.02.2017 19:50, Brian Candler wrote:
> On 07/02/2017 16:20, Selahattin Cilek wrote:
>> I have been experimenting with the Class attribute to obtain the user's
>> true identity in order to do accounting and I realised that accounting
>> packets arriving from some users do not have this attribute.
>
> Did you definitely send the Class attribute in all the Access-Accept 
> packets? Then the NAS is broken.
I have the attribute in the 'radreply' table for the user:
DIALLO Class := DIALLO

However, I can't be sure if I sent the Class attribute in all the 
Access-Accept packets, I don't know how to make sure. I sometimes 
receive the attribute for the same user, and sometimes not, by the way.
>
> Did you not send the Class attribute in some Access-Accept packets? 
> Then your RADIUS config is broken.
There are currently about 100 users logged in and using. Most have the 
attribute in their accounting packets.
>
> To prove it one way or the other, use tcpdump / wireshark / radsniff. 
> Find an example of an accounting packet which does not have a Class 
> attribute, and then tie it back to the corresponding Access-Accept 
> packet.
>
> Aside: it's a good idea to add "-s 1500" to the tcpdump command line 
> ("-s 0" on Linux) to capture the whole packet. But in your case I 
> don't think they are truncated.
>
> Regards,
>
> Brian.
>
I have written a function in MySQL to retrieve the true identity of the 
users and edited the mysql/dialup.conf file.
This is the function:
CREATE DEFINER=`root`@`localhost` FUNCTION `hex_to_user_name`(
     in_hex_string  VARCHAR(64)
) RETURNS varchar(64) CHARSET latin5
BEGIN
     IF in_hex_string = ''
     THEN
         RETURN 'UNKNOWN';
     ELSE
         RETURN UNHEX(RIGHT(in_hex_string, LENGTH(in_hex_string) -2));
     END IF;
END

This is how I edited the query:
accounting_start_query = " INSERT INTO ${acct_table1} 
(acctsessionid,acctuniqueid,username,realm,nasipaddress,nasportid,nasporttype,acctstarttime,acctstoptime,acctsessiontime,acctauthentic,connectinfo_start,connectinfo_stop, 
acctinputoctets, 
acctoutputoctets,calledstationid,callingstationid,acctterminatecause,servicetype,framedprotocol,framedipaddress,acctstartdelay,acctstopdelay,xascendsessionsvrkey) 
VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', 
hex_to_user_name('%{Class}'), '%{Realm}', '%{NAS-IP-Address}', 
'%{NAS-Port}','%{NAS-Port-Type}', '%S', NULL,'0', '%{Acct-Authentic}', 
'%{Connect-Info}','', '0', '0','%{Called-Station-Id}', 
'%{Calling-Station-Id}', '','%{Service-Type}', '%{Framed-Protocol}', 
'%{Framed-IP-Address}','%{%{Acct-Delay-Time}:-0}', '0', 
'%{X-Ascend-Session-Svr-Key}')"

Can it be that MySQL cannot process the function in time, returning an 
empty string instead?

Regards, SCilek
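
The check suggested in the thread (look for the Class attribute, type 25, in the Access-Accept and Accounting-Request packets from a capture) can be scripted. This is an added example, not part of the original messages: the function names and sample packets are constructed, and it assumes the RADIUS UDP payloads have already been extracted from the capture as bytes.

```python
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2866)
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
USER_NAME, CLASS, ACCT_SESSION_ID = 1, 25, 44

def parse_radius(data):
    """Return (code, identifier, {attr_type: [values]}) for one RADIUS packet."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        # Length field larger than the captured bytes: the capture was truncated
        raise ValueError("truncated: header says %d, got %d" % (length, len(data)))
    attrs, pos = {}, 20
    while pos < length:
        a_len = data[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.setdefault(data[pos], []).append(data[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def missing_class(packets):
    """List (code, id, Acct-Session-Id) of Accept/Accounting packets without Class."""
    report = []
    for raw in packets:
        code, ident, attrs = parse_radius(raw)
        if code in (ACCESS_ACCEPT, ACCOUNTING_REQUEST) and CLASS not in attrs:
            session = attrs.get(ACCT_SESSION_ID, [b""])[0].decode("ascii", "replace")
            report.append((code, ident, session))
    return report

def build(code, ident, attrs):
    """Build a constructed sample packet (authenticator zeroed, not a valid one)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample packets, not taken from a real capture
SAMPLES = [
    build(ACCESS_ACCEPT, 7, [(CLASS, b"DIALLO")]),
    build(ACCOUNTING_REQUEST, 8, [(USER_NAME, b"anonymous"), (ACCT_SESSION_ID, b"S-0001"), (CLASS, b"DIALLO")]),
    build(ACCOUNTING_REQUEST, 9, [(USER_NAME, b"anonymous"), (ACCT_SESSION_ID, b"S-0002")]),
]

if __name__ == "__main__":
    for code, ident, session in missing_class(SAMPLES):
        print("code=%d id=%d session=%s has no Class attribute" % (code, ident, session))
```

A packet reported with code 2 points at the server side, one with code 4 at the NAS; a "truncated" error means the capture length was too short to judge either way.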

