Radius Accounting for WiFi
-
I have freeradius set up and running, working with authentication; the issue I am having is accounting. My APs are sending all of the data and the accounting server is sending response 5, but it is not recording the data. I am not using a DB for this, just the flat file. Using radwho shows no information, there are no errors in the log and my pcaps look fine. Any insight or paths to look into?
19:33:30.880234 68:d7:9a:31:ff:05 > 00:15:17:d2:34:b5, ethertype IPv4 (0x0800), length 263: (tos 0x0, ttl 64, id 39288, offset 0, flags [none], proto UDP (17), length 249)
    192.168.1.101.54126 > 192.168.1.1.1813: [udp sum ok] RADIUS, length: 221
        Accounting-Request (4), id: 0x89, Authenticator: d23c2981c16df435a4a3fad32976ad77
          Acct-Status-Type Attribute (40), length: 6, Value: Start
            0x0000: 0000 0001
          Acct-Authentic Attribute (45), length: 6, Value: RADIUS
            0x0000: 0000 0001
          User-Name Attribute (1), length: 17, Value: loginname
            0x0000: 636f 6d70 7574 6572 7465 6368 6965 73
          NAS-IP-Address Attribute (4), length: 6, Value: 192.168.1.101
            0x0000: ac14 0a65
          Framed-IP-Address Attribute (8), length: 6, Value: 192.168.1.160
            0x0000: ac14 0aa0
          NAS-Identifier Attribute (32), length: 14, Value: 6bd79a31sd33
            0x0000: 3661 6437 3961 3331 6666 3037
          Called-Station-Id Attribute (30), length: 26, Value: 6B-D7-9A-31-SD-33:wifi1
            0x0000: 3641 2d44 372d 3941 2d33 312d 4646 2d30
            0x0010: 373a 4e44 4553 2d54
          NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
            0x0000: 0000 0013
          Service-Type Attribute (6), length: 6, Value: Framed
            0x0000: 0000 0002
          Calling-Station-Id Attribute (31), length: 19, Value: 58-FB-84-18-24-9B
            0x0000: 3538 2d46 422d 3834 2d31 382d 3234 2d39
            0x0010: 42
          Connect-Info Attribute (77), length: 23, Value: CONNECT 0Mbps 802.11a
            0x0000: 434f 4e4e 4543 5420 304d 6270 7320 3830
            0x0010: 322e 3131 61
          Acct-Session-Id Attribute (44), length: 18, Value: 0157E5EE7393E196
            0x0000: 3031 3537 4535 4545 3733 3933 4531 3936
          Acct-Multi-Session-Id Attribute (50), length: 18, Value: 53D091AB57DD570E
            0x0000: 3533 4430 3931 4142 3537 4444 3537 3045
          Unknown Attribute (186), length: 6, Value:
            0x0000: 000f ac04
          Unknown Attribute (187), length: 6, Value:
            0x0000: 000f ac04
          Unknown Attribute (188), length: 6, Value:
            0x0000: 000f ac01
          Event-Timestamp Attribute (55), length: 6, Value: Tue Aug 23 19:33:30 2022
            0x0000: 6305 63ca
          Acct-Delay-Time Attribute (41), length: 6, Value: 00 secs
            0x0000: 0000 0000
19:33:30.880858 00:15:17:d2:34:b5 > 68:d7:9a:31:ff:05, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 64, id 8352, offset 0, flags [none], proto UDP (17), length 48)
    192.168.1.1.1813 > 192.168.1.101.54126: [bad udp cksum 0x76bc -> 0x91da!] RADIUS, length: 20
        Accounting-Response (5), id: 0x89, Authenticator: 66775926172b5d033cc0d38ed714fbfb
-
How is Freeradius configured? I assume it's set up for accounting?
Steve
-
Yes, I have an accounting interface set up on 1813 and it is configured for accounting. Could I be missing anything?
/usr/local/etc/raddb/sites-enabled/default

server default {
    listen {
        type = auth
        ipaddr = *
        port = 1812
    }
    listen {
        type = acct
        ipaddr = *
        port = 1813
    }

    authorize {
        # filter_username
        # filter_password
        preprocess
        # operator-name
        # cui
        ##### AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED #####
        # auth_log
        chap
        mschap
        digest
        # wimax
        # IPASS
        suffix
        ntdomain
        eap {
            ok = return
            # updated = return
        }
        # unix
        files
        if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
            ### sql DISABLED ###
            if (true) {
                ### ldap ###
                if (notfound || noop) {
                    reject
                }
            }
        }
        -daily
        -weekly
        -monthly
        -forever
        # Formerly checkval
        if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
            ok
        }
        expiration
        logintime
        pap
        Autz-Type Status-Server {
        }
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        Auth-Type MOTP {
            motp
        }
        Auth-Type GOOGLEAUTH {
            googleauth
        }
        digest
        # pam
        # unix
        #Auth-Type LDAP {
        #ldap
        #### ldap2 disabled ###
        #}
        eap
        # Auth-Type eap {
        #     eap {
        #         handled = 1
        #     }
        #     if (handled && (Response-Packet-Type == Access-Challenge)) {
        #         attr_filter.access_challenge.post-auth
        #         handled # override the "updated" code from attr_filter
        #     }
        # }
    }

    preacct {
        preprocess
        ##### ACCOUNTING FOR PLAIN MAC-AUTH DISABLED #####
        # acct_counters64
        update request {
            &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
        }
        acct_unique
        # IPASS
        suffix
        ntdomain
        files
    }

    accounting {
        # cui
        detail
        ### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates
        if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) {
            datacounterdaily
            datacounterweekly
            datacountermonthly
            datacounterforever
        }
        # unix
        radutmp
        # sradutmp
        # main_pool
        ### sql DISABLED ###
        daily
        weekly
        monthly
        forever
        # if (noop) {
        #     ok
        # }
        # pgsql-voip
        exec
        attr_filter.accounting_response
        Acct-Type Status-Server {
        }
    }

    session {
        # radutmp
        radutmp
    }

    post-auth {
        # if (!&reply:State) {
        #     update reply {
        #         State := "0x%{randstr:16h}"
        #     }
        # }
        update {
            &reply: += &session-state:
        }
        # main_pool
        # cui
        # reply_log
        ### sql DISABLED ###
        # ldap
        exec
        # wimax
        # update reply {
        #     Reply-Message += "%{TLS-Cert-Serial}"
        #     Reply-Message += "%{TLS-Cert-Expiration}"
        #     Reply-Message += "%{TLS-Cert-Subject}"
        #     Reply-Message += "%{TLS-Cert-Issuer}"
        #     Reply-Message += "%{TLS-Cert-Common-Name}"
        #     Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
        #
        #     Reply-Message += "%{TLS-Client-Cert-Serial}"
        #     Reply-Message += "%{TLS-Client-Cert-Expiration}"
        #     Reply-Message += "%{TLS-Client-Cert-Subject}"
        #     Reply-Message += "%{TLS-Client-Cert-Issuer}"
        #     Reply-Message += "%{TLS-Client-Cert-Common-Name}"
        #     Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
        # }
        # insert_acct_class
        # if (&reply:EAP-Session-Id) {
        #     update reply {
        #         EAP-Key-Name := &reply:EAP-Session-Id
        #     }
        # }
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            # log failed authentications in SQL, too.
            # sql
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
        Post-Auth-Type Challenge {
        }
    }

    pre-proxy {
        # operator-name
        # cui
        # files
        attr_filter.pre-proxy
        # pre_proxy_log
    }

    post-proxy {
        # post_proxy_log
        attr_filter.post-proxy
        eap
        # Post-Proxy-Type Fail-Accounting {
        #     detail
        # }
    }
}
-
This is probably not wireless specific. Can you test with any other radius client? OpenVPN perhaps?
-
Unfortunately it is the same thing, I get a response code of 5 from Radius but nothing is logged for accounting.
-
Hmm, what pfSense and Freeradius package version is this?
-
22.01 on pfsense and 0.15.7_33 for freeradius
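
For testing accounting independently of the AP, as suggested earlier in the thread, a small client can send one Start record and verify that the Accounting-Response (code 5) is correctly signed per RFC 2866. This is an added example, not part of the original thread; the function names, shared secret, user name and session id are constructed placeholders.

```python
import hashlib
import hmac
import socket
import struct

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_acct_request(ident, secret, user, session_id, nas_ip, status=1):
    """Build an Accounting-Request (code 4); status 1 = Start, 2 = Stop."""
    attrs = (attr(40, struct.pack("!I", status))    # Acct-Status-Type
             + attr(1, user.encode())               # User-Name
             + attr(4, socket.inet_aton(nas_ip))    # NAS-IP-Address
             + attr(44, session_id.encode()))       # Acct-Session-Id
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    # Request Authenticator: MD5(code+id+length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def response_is_valid(response, request, secret):
    """True if `response` is an Accounting-Response (code 5) signed for `request`."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != 5 or ident != request[1] or not 20 <= length <= len(response):
        return False
    response = response[:length]                    # ignore trailing padding
    # Response Authenticator: MD5(code+id+length + request auth + attrs + secret)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def send_acct_start(server, port, secret, user, session_id, nas_ip, timeout=3.0):
    """Send one Start record; return True only for a correctly signed reply."""
    request = build_acct_request(0x01, secret, user, session_id, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return response_is_valid(response, request, secret)

if __name__ == "__main__":
    # Constructed values: replace the secret with the one configured for this client.
    print(send_acct_start("192.168.1.1", 1813, b"PLACEHOLDER_SECRET",
                          "loginname", "TESTSESSION0001", "192.168.1.101"))
```

The host running this must be defined as a client in FreeRADIUS with the same secret; a known session id then makes it easy to check whether the record appears in the accounting output.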