help required - freeradius 3 - accounting to fortigate - user group name not received on fortigate

Alan DeKok aland at deployingradius.com
Fri Mar 10 18:28:36 UTC 2023


On Mar 9, 2023, at 11:46 PM, Eby Mani via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> debug output

  I guess this needs to be said, too: PLEASE DON'T INCLUDE DOZENS OF USELESS PACKETS IN THE DEBUG OUTPUT.

  If you're asking us to help with debugging accounting, it doesn't help to post debug output with tons of EAP packets.  This just shows that you can't be bothered trying to understand the problem, or to narrow it down.  Instead, you just dump a load of text on the list, and hope that we do all of the work.

  When you make it hard for people to help you, they are likely to stop helping you.

  In any case the debug log shows this:

> detail (/var/log/freeradius/radacct/detail): Polling for detail file
> detail (/var/log/freeradius/radacct/detail): Renaming /var/log/freeradius/radacct/detail -> /var/log/freeradius/radacct/detail.work
> detail (/var/log/freeradius/radacct/detail): Read packet from /var/log/freeradius/radacct/detail.work
> Acct-Status-Type = Stop
> NAS-IP-Address = 10.225.251.10
> User-Name = "wireless_admin"
> NAS-Port = 0
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "removed"
> Called-Station-Id = "removed"
> Framed-IP-Address = 10.225.251.22
> Acct-Multi-Session-Id = "removed-1678388861"
> Acct-Session-Id = "removed-removed-640A2E84-A66C5"
> Acct-Delay-Time = 0
> Aruba-Essid-Name = "wtf"
> Aruba-Location-Id = "Building-A"
> Aruba-User-Vlan = 51
> Acct-Input-Octets = 11865
> Acct-Output-Octets = 1761
> Acct-Input-Packets = 152
> Acct-Output-Packets = 9
> Acct-Terminate-Cause = Idle-Timeout
> Acct-Session-Time = 72
> Event-Timestamp = "Mar 10 2023 00:39:00 UTC"
> Tmp-String-9 = "ai:"
> Acct-Unique-Session-Id = "6f55ff1221df1416b67dad938cafb1c6"
> Packet-Original-Timestamp = "Mar 10 2023 00:39:00 UTC"
> Packet-Transmit-Counter = 1
> (13) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/copy-acct-to-home-server
> (13) preacct {
> (13) [preprocess] = ok
> (13) update control {
> (13) Proxy-To-Realm := FortigateFW
> (13) } # update control = noop
> (13) suffix: Checking for suffix after "@"
> (13) suffix: No '@' in User-Name = "wireless_admin", looking up realm NULL
> (13) suffix: No such realm "NULL"
> (13) [suffix] = noop
> (13) [files] = noop
> (13) } # preacct = ok
> (13) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/copy-acct-to-home-server
> (13) accounting {
> (13) [ok] = ok
> (13) } # accounting = ok
> (13) Starting proxy to home server IP_removed port 1813
> (13) Proxying request to home server IP_removed port 1813 timeout 14.000000
> Waking up in 0.3 seconds.
> (13) Clearing exUTCing &reply: attributes
> (13) detail (/var/log/freeradius/radacct/detail): Done Accounting-Request packet.
> (13) Finished request
> (13) Cleaning up request packet ID 1 with timestamp +84

  So... you didn't configure the server to add the Fortigate attributes?

  If you had done that, the debug log would show it adding the Fortigate attributes.

  So what did you actually do?  And don't say "I configured it to send packets".  Describe WHICH file you modified, and WHAT you did to that file.

  If you want v3 to send attributes in a packet, then it's really as simple as editing the virtual server to add those attributes.  You didn't do that.

  Alan DeKok.
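
Added example, not part of the original message and not the poster's configuration: one way to make the virtual server named in the debug log add a group attribute to the proxied accounting packet. It assumes the attribute wanted is Fortinet-Group-Name from the FreeRADIUS Fortinet dictionary; the value "wifi-admins" is constructed.

```unlang
# Fragment for /etc/freeradius/3.0/sites-enabled/copy-acct-to-home-server
# (FreeRADIUS v3). Place inside the existing server { ... } block.
#
# Assumptions (not from the thread):
#   - Fortinet-Group-Name is the attribute the firewall expects
#   - "wifi-admins" is a constructed sample value
pre-proxy {
	# proxy-request is the packet sent to the home server, so anything
	# added here is carried in the proxied Accounting-Request.
	update proxy-request {
		Fortinet-Group-Name := "wifi-admins"
	}
}
```

Once this section runs, the debug output for the request shows an `update proxy-request` block being executed before the "Proxying request to home server" line, in the same way the quoted log shows `update control`.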