Accounting assistance
Timothy M Butterworth
timothy.m.butterworth at gmail.com
Mon Apr 28 03:26:41 UTC 2025
On Sun, Apr 27, 2025 at 10:45 PM Timothy M Butterworth <
timothy.m.butterworth at gmail.com> wrote:
> Hello,
>
> I am trying to set up accounting to log commands entered into a switch.
> What log file will FreeRADIUS log the accounting commands to?
>
> Here is my config:
>
> Cisco 3550-EMI
> username tmb privilege 15 secret 5 <Removed>
>
> aaa new-model
>
> aaa authentication login default group radius local
> aaa authorization exec default group radius if-authenticated local
> aaa accounting exec default start-stop group radius
> aaa accounting commands 1 default stop-only group radius
>
> aaa session-id common
>
> ip radius source-interface Vlan60
> radius-server host 10.0.0.1 auth-port 1812 acct-port 1813
> radius-server key 7 <Removed>
>
> FreeRADIUS Config:
> ### Configure listening IP Socket
> sudo vim /usr/lib/systemd/system/freeradius.service
> ExecStart=/usr/sbin/freeradius -f $FREERADIUS_OPTIONS -i 10.0.0.1 -p
> 1812-1813
>
> # Define Listening socket
> sudo vim /etc/freeradius/3.0/radiusd.conf
>
> listen {
> ipv4addr = 10.0.0.1,
> port = 1812,
> type = auth
> }
>
> listen {
> ipv4addr = 10.0.0.1,
> port = 1813,
> type = acct
> }
>
> ### Free RADIUS Configuration
> sudo vim /etc/freeradius/3.0/clients.conf
>
> client 10.0.0.0/8 {
> ipv4addr = 10.0.0.0/8
> secret = FreeRadiusSecret#1
> nastype = cisco
> shortname = Butter.net
> }
>
> ### FreeRADIUS User Config
> sudo vim /etc/freeradius/3.0/users
>
> tmb Cleartext-Password := "620978"
> Service-Type = NAS-Prompt-User,
> Cisco-AVPair = "shell:priv-lvl=15"
>
> # FreeRADIUS group config
>
> DEFAULT Group == "cisco-rw"
> Service-Type = NAS-Prompt-User,
> Cisco-AVPair == 'shell:priv-lvl=15',
> User-Name = tmb
>
> I see that both sockets have been bound:
> netstat -l -n | grep 181
> udp 0 0 10.0.0.1:1812 0.0.0.0:*
>
> udp 0 0 10.0.0.1:1813 0.0.0.0:*
>
> I have AAA and RADIUS debugging enabled but it is not showing me anything.
> Core-3550-EMI-1#show debugging
> Load for five secs: 0%/0%; one minute: 0%; five minutes: 0%
> Time source is NTP, 22:34:52.993 Eastern Sun Apr 27 2025
>
> General OS:
> AAA Accounting debugging is on
>
> Radius protocol debugging is on
> Radius packet protocol (accounting) debugging is on
>
> show log:
> 000621: Apr 27 22:34:09.147 Eastern: AAA/ACCT/EXEC(00000006): Pick method
> list 'default'
> 000622: Apr 27 22:34:09.147 Eastern: AAA/ACCT/SETMLIST(00000006): Handle
> 0, mlist 0250E700, Name default
> 000623: Apr 27 22:34:09.147 Eastern: Getting session id for EXEC(00000006)
> : db=23DA658
> 000624: Apr 27 22:34:09.147 Eastern: AAA/ACCT/EXEC(00000006): add, count 2
> 000625: Apr 27 22:34:09.147 Eastern: AAA/ACCT/EVENT/(00000006): EXEC UP
> 000626: Apr 27 22:34:09.151 Eastern: AAA/ACCT/EXEC(00000006): Queueing
> record is START
> 000627: Apr 27 22:34:09.151 Eastern: AAA/ACCT(00000006): Accounting
> method=radius (RADIUS)
> 000663: Apr 27 22:34:28.107 Eastern: AAA/ACCT/EXEC(00000006): START
> protocol reply FAIL
> 000664: Apr 27 22:34:28.107 Eastern: AAA/ACCT(00000006): Accounting
> method=NOT_SET
>
> 000631: Apr 27 22:34:09.151 Eastern: RADIUS/ENCODE: Best Local IP-Address
> 10.1.1.1 for Radius-Server 10.0.0.1
> 000632: Apr 27 22:34:09.151 Eastern: RADIUS(00000006): Send
> Accounting-Request to 10.0.0.1:1813 id 1646/11, len 90
> 000633: Apr 27 22:34:09.151 Eastern: RADIUS: authenticator 3A F3 6C 4B 06
> 17 9B 41 - 77 74 DB 8A 2E 94 2D 6C
> 000634: Apr 27 22:34:09.151 Eastern: RADIUS: Acct-Session-Id [44] 10
> "00000006"
> 000635: Apr 27 22:34:09.151 Eastern: RADIUS: User-Name [1] 5
> "tmb"
> 000636: Apr 27 22:34:09.151 Eastern: RADIUS: Acct-Authentic [45] 6
> RADIUS [1]
> 000637: Apr 27 22:34:09.155 Eastern: RADIUS: Acct-Status-Type [40] 6
> Start [1]
> 000638: Apr 27 22:34:09.155 Eastern: RADIUS: NAS-Port [5] 6
> 0
> 000639: Apr 27 22:34:09.155 Eastern: RADIUS: NAS-Port-Id [87] 6
> "tty0"
> 000640: Apr 27 22:34:09.155 Eastern: RADIUS: NAS-Port-Type [61] 6
> Async [0]
> 000641: Apr 27 22:34:09.155 Eastern: RADIUS: Calling-Station-Id [31] 7
> "async"
> 000642: Apr 27 22:34:09.155 Eastern: RADIUS: Service-Type [6] 6
> NAS Prompt [7]
> 000643: Apr 27 22:34:09.155 Eastern: RADIUS: NAS-IP-Address [4] 6
> 10.1.1.1
> 000644: Apr 27 22:34:09.155 Eastern: RADIUS: Acct-Delay-Time [41] 6
> 0
> 000645: Apr 27 22:34:09.155 Eastern: RADIUS(00000006): Started 5 sec
> timeout
> 000646: Apr 27 22:34:13.771 Eastern: RADIUS(00000006): Request timed out
> 000647: Apr 27 22:34:13.771 Eastern: RADIUS: acct-delay-time for 800043CC
> (at 80004420) now 4
> 000648: Apr 27 22:34:13.771 Eastern: RADIUS: Retransmit to (10.0.0.1:1812,1813)
> for id 1646/11
> 000649: Apr 27 22:34:13.771 Eastern: RADIUS(00000006): Started 5 sec
> timeout
> 000650: Apr 27 22:34:18.795 Eastern: RADIUS(00000006): Request timed out
> 000651: Apr 27 22:34:18.795 Eastern: RADIUS: acct-delay-time for 800043CC
> (at 80004420) now 9
> 000652: Apr 27 22:34:18.795 Eastern: RADIUS: Retransmit to (10.0.0.1:1812,1813)
> for id 1646/11
> 000653: Apr 27 22:34:18.795 Eastern: RADIUS(00000006): Started 5 sec
> timeout
> 000654: Apr 27 22:34:23.403 Eastern: RADIUS(00000006): Request timed out
> 000655: Apr 27 22:34:23.403 Eastern: RADIUS: acct-delay-time for 800043CC
> (at 80004420) now 14
> 000656: Apr 27 22:34:23.403 Eastern: RADIUS: Retransmit to (10.0.0.1:1812,1813)
> for id 1646/11
> 000657: Apr 27 22:34:23.403 Eastern: RADIUS(00000006): Started 5 sec
> timeout
> 000658: Apr 27 22:34:28.107 Eastern: RADIUS(00000006): Request timed out
> 000659: Apr 27 22:34:28.107 Eastern: RADIUS: acct-delay-time for 800043CC
> (at 80004420) now 18
> 000660: Apr 27 22:34:28.107 Eastern: RADIUS: No response from (
> 10.0.0.1:1812,1813) for id 1646/11
> 000661: Apr 27 22:34:28.107 Eastern: RADIUS/DECODE: parse response no app
> start; FAIL
> 000662: Apr 27 22:34:28.107 Eastern: RADIUS/DECODE: parse response; FAIL
>
> 000765: Apr 27 22:43:56.532 Eastern: RADIUS: acct-delay-time for 80002DEC
> (at 80002E40) now 4
> 000766: Apr 27 22:43:56.532 Eastern: RADIUS: Retransmit to (10.0.0.1:1812,1813)
> for id 1646/13
> 000767: Apr 27 22:43:56.532 Eastern: RADIUS(00000007): Started 5 sec
> timeout
>
> Any ideas are appreciated!
>
I did a packet capture and I see the switch attempting to start the
accounting session.
sudo tshark -f 'port 1813' -n -i enx00e04c680daa
Capturing on 'enx00e04c680daa'
1 0.000000000 10.1.1.1 → 10.0.0.1 RADIUS 132 Accounting-Request id=1
2 4.407728279 10.1.1.1 → 10.0.0.1 RADIUS 132 Accounting-Request id=1
3 9.431961736 10.1.1.1 → 10.0.0.1 RADIUS 132 Accounting-Request id=1
4 14.080108520 10.1.1.1 → 10.0.0.1 RADIUS 132 Accounting-Request id=1
> Thanks
>
> Tim
>
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀
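
Added example, not part of the original message and not FreeRADIUS code: the Accounting-Request from the debug output above (len 90, eleven attributes) rebuilt in Python, parsed, and checked against a shared secret the way RFC 2866 defines the Request Authenticator (MD5 over Code + Identifier + Length + 16 zero octets + attributes + secret). The secret, the function names and the use of 11 as the identifier (read from "id 1646/11") are assumptions; the switch's real key is not on the page.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code for Accounting-Request

def build_acct_request(ident, attrs, secret):
    """Encode an Accounting-Request and sign it as RFC 2866 section 3 describes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_acct_request(pkt):
    """Return (identifier, authenticator, [(type, value), ...])."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(pkt):
        raise ValueError("not a complete Accounting-Request")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return ident, pkt[4:20], attrs

def authenticator_ok(pkt, secret):
    """Recompute the Request Authenticator with `secret` and compare."""
    parse_acct_request(pkt)  # reject malformed input first
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def u32(n):
    """Four-octet big-endian integer, the encoding of RADIUS integer attributes."""
    return struct.pack("!I", n)

# Constructed sample: the eleven attributes from the switch's debug output, same order.
SAMPLE_ATTRS = [
    (44, b"00000006"), (1, b"tmb"), (45, u32(1)), (40, u32(1)), (5, u32(0)),
    (87, b"tty0"), (61, u32(0)), (31, b"async"), (6, u32(7)),
    (4, bytes([10, 1, 1, 1])), (41, u32(0)),
]
SECRET = b"constructed-secret"  # placeholder; the real key is not on the page
SAMPLE = build_acct_request(11, SAMPLE_ATTRS, SECRET)

if __name__ == "__main__":
    print(len(SAMPLE), authenticator_ok(SAMPLE, SECRET), authenticator_ok(SAMPLE, b"other"))
```

With the bytes of a packet exported from a capture in place of SAMPLE, authenticator_ok() shows whether the NAS and the clients.conf entry agree on the secret.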