Accounting Packet not sent
aland at deployingradius.com
Tue Feb 16 15:02:56 CET 2021
On Feb 16, 2021, at 8:38 AM, Michael Fischer <michael at webfischer.at> wrote:
> My goal is to authenticate WiFi-Users via FreeRadius with an eDirectory
> backend. FreeRadius should then send an accounting packet to a
> FortiGate firewall where a SSO agent is running.
The server doesn't really originate accounting packets.
> The authentication part is working find, a user can connect to the
> As far as I understood it, I should configure FreeRadius to write a
> detail file which is then parsed an an accounting package sent to the
> Fortigate firewall.
Well... maybe. But you can't write an Access-Accept packet, and have it magically turn into an Accounting-Request packet.
> Reading the detail file seems to work fine, but no accounting package
> is sent to the FortiGate firewall (I even checked using Wireshark). See
> a part of the debug-log here:
> detail (/var/log/radius/radacct/detail-*): Read packet from
> Packet-Type = Access-Accept
That's not an Accounting packet, is it?
Further, that packet doesn't contain any normal accounting attributes.
> Class = 0x54657374
> User-Name = "fimi"
> MS-MPPE-Recv-Key =
> MS-MPPE-Send-Key =
> EAP-MSK =
> EAP-EMSK =
You really don't want to send EAP-MSK and EAP-EMSK over the wire to another system.
TBH, just run "radclient" for now. Or, use the Perl / Python modules to send RADIUS packets. The server isn't really designed to change packet types like this.
We've fixed all of this in v4, where this goal is pretty much trivial to do. But we're still a long way from releasing v4.
More information about the Freeradius-Users