help required - freeradius 3 - accounting to fortigate - user group name not received on fortigate

Eby Mani eby_km at yahoo.com
Sat Mar 11 05:42:01 UTC 2023


Thanks Alan,

> I guess this needs to be said, too: PLEASE DON"T INCLUDE DOZENS OF USELESS PACKETS IN THE DEBUG OUTPUT.

Sorry about that, I followed https://wiki.freeradius.org/guide/Users-Mailing-List and don't have a clue which packets are useless and need to be removed when submitting.

> So... you didn't configure the server to to add the Fortigate attributes?
> If you had done that, the debug log would show it adding the Fortigate attributes.

No, Fortigate-specific attributes were not configured on FR2.

The wireless system does 802.1X auth against FreeRADIUS, FreeRADIUS sends accounting packets to the Fortigate LAN port, and the Fortigate is configured for RSSO, reading user-name, client IP and user group (Class) from the RADIUS accounting packets.

On MySQL, the radgroupreply table has the following values.
+----+---------------+-----------+----+---------------+
| id | groupname     | attribute | op | value         |
+----+---------------+-----------+----+---------------+
|  1 | PG_Management | Class     | =  | pg_management |
|  2 | PG_Support    | Class     | =  | support_team  |
|  3 | Managers      | Class     | =  | full_access   |
|  4 | Employees     | Class     | =  | medium_access |
|  5 | Projects      | Class     | =  | res_access    |
|  6 | Temp_Workers  | Class     | =  | low_access    |
|  7 | devices       | Class     | =  | servers_only  |
+----+---------------+-----------+----+---------------+

My understanding is that FR3 should send the attributes, values, etc. in radgroupreply back to other accounting servers by default. I don't know if this is happening or not.

> So what did you actually do? And don't say "I configured it to send packets". Describe WHICH file you modified, and WHAT you did to that file.

Modifications done to the FR3 files are based on a backup of the FR2 config, and whatever was documented earlier.

######################################
After MySQL and FreeRADIUS installation,

1, Imported the freeradius MySQL database schema

modified the following freeradius sections:

2, removed the “file” directive and added the “sql” one in /etc/freeradius/3.0/sites-enabled/default

authorize {
    ...
    sql
    ...
}
accounting {
    ...
    sql
    ...
}
post-auth {
    ...
    sql
    ...
}
session {
    ...
    sql
    ...
}

3, /etc/freeradius/3.0/mods-enabled/sql

sql {
    driver = "rlm_sql_${dialect}"
    dialect = "mysql"

    # Connection info:
    server = "localhost"
    port = 3306
    login = "radius"
    password = "radiuspassword"

    radius_db = "radius"
    read_clients = yes
    client_table = "nas"

    mysql {
        # tls {
        # we are not using tls for wireless, some legacy bespoke devices.
        # }
    }
}

4, added following to /etc/freeradius/3.0/proxy.conf

realm FortigateFW {
    accthost = IP_removed
    secret = test
}

5, added following to /etc/freeradius/3.0/sites-enabled/copy-acct-to-home-server

preacct {
    preprocess

    update control {
        Proxy-To-Realm := FortigateFW
    }
}

6, finally, added the following entry to the authorize section in /etc/freeradius/3.0/sites-enabled/default to permit users in the mentioned groups to connect to any wireless network.

authorize {

    preprocess

    if("%{sql:SELECT COUNT(*) FROM radusergroup,userinfo WHERE radusergroup.username= '%{User-Name}' AND (radusergroup.groupname = 'PG_Support' OR radusergroup.groupname = 'PG_Management') OR userinfo.$
        ok
    }
    else {
        reject
    }
}

#######################################################

On Friday, 10 March, 2023, 11:58:41 pm IST, Alan DeKok <aland at deployingradius.com> wrote:

On Mar 9, 2023, at 11:46 PM, Eby Mani via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> debug output

  I guess this needs to be said, too: PLEASE DON"T INCLUDE DOZENS OF USELESS PACKETS IN THE DEBUG OUTPUT.

  If you're asking us to help with debugging accounting, it doesn't help to post debug output with tons of EAP packets.  This just shows that you can't be bothered trying to understand the problem, or to narrow it down.  Instead, you just dump a load of text on the list, and hope that we do all of the work.

  When you make it hard for people to help you, they are likely to stop helping you.

  In any case the debug log shows this:

> detail (/var/log/freeradius/radacct/detail): Polling for detail file
> detail (/var/log/freeradius/radacct/detail): Renaming /var/log/freeradius/radacct/detail -> /var/log/freeradius/radacct/detail.work
> detail (/var/log/freeradius/radacct/detail): Read packet from /var/log/freeradius/radacct/detail.work
> Acct-Status-Type = Stop
> NAS-IP-Address = 10.225.251.10
> User-Name = "wireless_admin"
> NAS-Port = 0
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = "removed"
> Called-Station-Id = "removed"
> Framed-IP-Address = 10.225.251.22
> Acct-Multi-Session-Id = "removed-1678388861"
> Acct-Session-Id = "removed-removed-640A2E84-A66C5"
> Acct-Delay-Time = 0
> Aruba-Essid-Name = "wtf"
> Aruba-Location-Id = "Building-A"
> Aruba-User-Vlan = 51
> Acct-Input-Octets = 11865
> Acct-Output-Octets = 1761
> Acct-Input-Packets = 152
> Acct-Output-Packets = 9
> Acct-Terminate-Cause = Idle-Timeout
> Acct-Session-Time = 72
> Event-Timestamp = "Mar 10 2023 00:39:00 UTC"
> Tmp-String-9 = "ai:"
> Acct-Unique-Session-Id = "6f55ff1221df1416b67dad938cafb1c6"
> Packet-Original-Timestamp = "Mar 10 2023 00:39:00 UTC"
> Packet-Transmit-Counter = 1
> (13) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/copy-acct-to-home-server
> (13) preacct {
> (13) [preprocess] = ok
> (13) update control {
> (13) Proxy-To-Realm := FortigateFW
> (13) } # update control = noop
> (13) suffix: Checking for suffix after "@"
> (13) suffix: No '@' in User-Name = "wireless_admin", looking up realm NULL
> (13) suffix: No such realm "NULL"
> (13) [suffix] = noop
> (13) [files] = noop
> (13) } # preacct = ok
> (13) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/copy-acct-to-home-server
> (13) accounting {
> (13) [ok] = ok
> (13) } # accounting = ok
> (13) Starting proxy to home server IP_removed port 1813
> (13) Proxying request to home server IP_removed port 1813 timeout 14.000000
> Waking up in 0.3 seconds.
> (13) Clearing existing &reply: attributes
> (13) detail (/var/log/freeradius/radacct/detail): Done Accounting-Request packet.
> (13) Finished request
> (13) Cleaning up request packet ID 1 with timestamp +84

  So... you didn't configure the server to add the Fortigate attributes?

  If you had done that, the debug log would show it adding the Fortigate attributes.

  So what did you actually do?  And don't say "I configured it to send packets".  Describe WHICH file you modified, and WHAT you did to that file.

  If you want v3 to send attributes in a packet, then it's really as simple as editing the virtual server to add those attributes.  You didn't do that.

  Alan DeKok.
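One way to do what Alan describes (have the virtual server add the attribute before the packet is proxied), written here as an added example rather than anything from either poster: in the preacct section of copy-acct-to-home-server, look up the Class value that radgroupreply assigns to the user's group and put it into the Accounting-Request, so the Fortigate gets the group from the local database instead of relying on the NAS to echo Class. It assumes the sql module instance is named sql (as in the mods-enabled/sql shown in the post), that the internal Tmp-String-0 attribute is unused elsewhere, and keeps the Proxy-To-Realm update already in the file.

```unlang
# Added example for /etc/freeradius/3.0/sites-enabled/copy-acct-to-home-server
# (not the poster's file). Assumes the sql module instance is named "sql".
preacct {
    preprocess

    # Fetch the Class value for the user's highest-priority group from the
    # radusergroup and radgroupreply tables. The sql xlat passes the expanded
    # %{User-Name} through the module's escape function (safe_characters),
    # so the name is not pasted raw into the query. The result is held in an
    # internal Tmp-String attribute, which is never encoded on the wire.
    update request {
        &Tmp-String-0 := "%{sql:SELECT rgr.value FROM radusergroup rug JOIN radgroupreply rgr ON rgr.groupname = rug.groupname WHERE rug.username = '%{User-Name}' AND rgr.attribute = 'Class' ORDER BY rug.priority LIMIT 1}"
    }

    # Users without a group mapping give an empty expansion; only add Class
    # when the lookup returned a value, so the Fortigate never receives an
    # empty Class attribute.
    if (&Tmp-String-0 != "") {
        update request {
            &Class := "%{Tmp-String-0}"
        }
    }

    update request {
        &Tmp-String-0 !* ANY
    }

    # Unchanged from the file as posted: proxy the request to the Fortigate.
    update control {
        &Proxy-To-Realm := FortigateFW
    }
}
```

When running radiusd -X, the section should now show the update adding Class to the request just before the "Starting proxy to home server" line; if it does not, check that the user has a row in radusergroup and that the group has a Class row in radgroupreply.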
