[SOLVED] RADIUS accounting packets seem to be broken.



  • I have been trying to get RADIUS accounting working for the last couple of days with little success, and after a lot of screwing around I have come to the conclusion that pfSense is sending invalid accounting packets to RADIUS.

    The issue I am having is that as soon as a user logs in via CP, RADIUS shows that the user starts using data at a constant rate regardless of what the user is actually doing. Even if I disconnect the user from the network but leave them logged in, they continue using data. The rate at which the user uses data seems to change every time the user logs in but is constant as long as the user stays logged in.

    Today I finally gave up on the RADIUS package and switched to an external RADIUS server (daloRADIUS), but the external server is showing the exact same behavior, which would suggest this is an issue with pfSense itself, not the RADIUS package.

    Here is a sample of the data being sent to the external RADIUS server.
    http://ss.brandon3055.com/umka2ly.png

    I think what may be happening is that pfSense is generating an accounting packet the first minute the user is logged in and then just sending the exact same packet every minute instead of generating a new one every minute.

    I still haven't completely ruled out the possibility that this is a configuration issue on my end, but at this point that seems unlikely. I have so far tried this with my main pfSense router and I have also set up a new clean system with the latest pfSense release (2.3.3); both systems showed the same issue.

    If this is an issue with pfSense I really hope it can be fixed as soon as possible because I really want to implement accounting on my network.

    Edit: You will probably want to see my Captive Portal config:
    http://ss.brandon3055.com/ap8oh04.png
    http://ss.brandon3055.com/rg9stfd.png



  • It's probably the accounting updates mode, I don't know who created the Stop/Start methods and why (and most of all why one mentions FreeRADIUS, I was using FreeRADIUS with standard interim updates in 2008) but if you don't have a specific reason to use it, try with "Interim."



  • @plumbeo:

    It's probably the accounting updates mode, I don't know who created the Stop/Start methods and why (and most of all why one mentions FreeRADIUS, I was using FreeRADIUS with standard interim updates in 2008) but if you don't have a specific reason to use it, try with "Interim."

    I can't believe I did not try that! I tried pretty much everything else. But that seems to have fixed it, so thank you! All of the documentation I read said to use Start/Stop, so that probably needs to be changed.
    I'm guessing this is still a bug with the Start/Stop mode, so I will leave my issue open and add a note about this.

    One thing I noticed about using interim updates is that the user data isn't saved to "used-octets-<username>". It's saved to "used-octets-<username>-5bd5221a55b3bbd8", which seems to be a temporary cache file for the specific machine the user has logged in on. Once the user logs out that cache is added to the main used-octets file and deleted. This will make my scripts a little more "interesting" but shouldn't be a problem.



  • Hi, I have a problem with accounting. I'm using the freeradius3 package on pfSense with a MySQL database. I use the same server for authorisation and accounting, but accounting won't work; the error in the system log is "No Valid Radius response received". Please help.



  • @Aubin said in [SOLVED] RADIUS accounting packets seem to be broken.:

    problem with accounting

    Accounting what?

    @Aubin said in [SOLVED] RADIUS accounting packets seem to be broken.:

    No Valid Radius response received

    Impossible to detail all the possible ways to do it wrong.

    What about showing how you set it up?

    And why dig up very old forum posts?



  • @Gertjan I mean accounting data usage, with acctinput and acctoutput octets in the radacct table.
    My config looks like the following:

    /usr/local/etc/raddb/sites-enabled/default
    server default {
    listen {
    	type = auth
    	ipaddr = *
    	port = 1812
    }
    listen {
    	type = acct
    	ipaddr = *
    	port = 1813
    }
    listen {
    	type = status
    	ipaddr = *
    	port = 1816
    }
    
    authorize {
    #	filter_username
    #	filter_password
    	preprocess
    #	operator-name
    #	cui
    ##### AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED #####
    #	auth_log
    	chap
    	mschap
    	digest
    #	wimax
    #	IPASS
    	suffix
    	ntdomain
    	eap {
    		ok = return
    #		updated = return
    	}
    #	unix
    	files
    
    	redundant sql {
    		sql1
    		### sql2 DISABLED ###
    	}
    
    #	smbpasswd
    ### ldap ###
    	# Formerly checkval
    	if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
    		ok
    	}
    	expiration
    	logintime
    	pap
    	Autz-Type Status-Server {
    
    	}
    }
    
    authenticate {
    	Auth-Type PAP {
    		pap
    	}
    	Auth-Type CHAP {
    		chap
    	}
    	Auth-Type MS-CHAP {
    		mschap
    	}
    	mschap
    	Auth-Type MOTP {
    		motp
    	}
    	Auth-Type GOOGLEAUTH {
    		googleauth
    	}
    	digest
    #	pam
    #	unix
    
    	#Auth-Type LDAP {
    		#ldap
    		#### ldap2 disabled ###
    	#}
    
    	eap
    #	Auth-Type eap {
    #		eap {
    #			handled = 1
    #		}
    #		if (handled && (Response-Packet-Type == Access-Challenge)) {
    #			attr_filter.access_challenge.post-auth
    #			handled  # override the "updated" code from attr_filter
    #		}
    #	}
    }
    
    preacct {
    	preprocess
    ##### ACCOUNTING FOR PLAIN MAC-AUTH DISABLED #####
    #	acct_counters64
    	update request {
    		&FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
    	}
    acct_unique
    #	IPASS
    	suffix
    	ntdomain
    	files
    }
    
    accounting {
    #	cui
    	detail
    	### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates
    	if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) {
    		datacounterdaily
    		datacounterweekly
    		datacountermonthly
    		datacounterforever
    	}
    #	unix
    	radutmp
    #	sradutmp
    #	main_pool
    
    	redundant sql {
    		sql1
    		### sql2 DISABLED ###
    	}
    
    #	if (noop) {
    #		ok
    #	}
    #	pgsql-voip
    	exec
    	attr_filter.accounting_response
    	Acct-Type Status-Server {
    
    	}
    }
    
    session {
    #	radutmp
    	
    	redundant sql {
    		sql1
    		### sql2 DISABLED ###
    	}
    
    }
    
    post-auth {
    #	if (!&reply:State) {
    #		update reply {
    #			State := "0x%{randstr:16h}"
    #		}
    #	}
    	update {
    		&reply: += &session-state:
    	}
    #	main_pool
    #	cui
    #	reply_log
    
    	redundant sql {
    		sql1
    		### sql2 DISABLED ###
    	}
    
    #	ldap
    	exec
    #	wimax
    #	update reply {
    #		Reply-Message += "%{TLS-Cert-Serial}"
    #		Reply-Message += "%{TLS-Cert-Expiration}"
    #		Reply-Message += "%{TLS-Cert-Subject}"
    #		Reply-Message += "%{TLS-Cert-Issuer}"
    #		Reply-Message += "%{TLS-Cert-Common-Name}"
    #		Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
    #
    #		Reply-Message += "%{TLS-Client-Cert-Serial}"
    #		Reply-Message += "%{TLS-Client-Cert-Expiration}"
    #		Reply-Message += "%{TLS-Client-Cert-Subject}"
    #		Reply-Message += "%{TLS-Client-Cert-Issuer}"
    #		Reply-Message += "%{TLS-Client-Cert-Common-Name}"
    #		Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
    #	}
    #	insert_acct_class
    #	if (&reply:EAP-Session-Id) {
    #		update reply {
    #			EAP-Key-Name := &reply:EAP-Session-Id
    #		}
    #	}
    	remove_reply_message_if_eap
    	Post-Auth-Type REJECT {
    		# log failed authentications in SQL, too.
    		sql
    		attr_filter.access_reject
    		eap
    		remove_reply_message_if_eap
    	}
    	Post-Auth-Type Challenge {
    
    	}
    }
    
    pre-proxy {
    #	operator-name
    #	cui
    #	files
    	attr_filter.pre-proxy
    #	pre_proxy_log
    }
    
    post-proxy {
    
    #	post_proxy_log
    	attr_filter.post-proxy
    	eap
    #	Post-Proxy-Type Fail-Accounting {
    #			detail
    #	}
    }
    }
    
    /usr/local/etc/raddb/radiusd.conf
    prefix = /usr/local
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = ${localstatedir}/log
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    name = radiusd
    confdir = ${raddbdir}
    modconfdir = ${confdir}/mods-config
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    run_dir = ${localstatedir}/run
    db_dir = ${raddbdir}
    libdir = /usr/local/lib/freeradius-3.0.17
    pidfile = ${run_dir}/${name}.pid
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    hostname_lookups = no
    regular_expressions = yes
    extended_expressions = yes
    
    log {
    	destination = syslog
    	colourise = yes
    	file = ${logdir}/radius.log
    	syslog_facility = daemon
    	stripped_names = no
    	auth = yes
    	auth_badpass = no
    	auth_goodpass = no
    	msg_goodpass = ""
    	msg_badpass = ""
    	msg_denied = "You are already logged in - access denied"
    }
    
    checkrad = ${sbindir}/checkrad
    security {
    	allow_core_dumps = no
    	max_attributes = 200
    	reject_delay = 1
    	status_server = no
    	# Disable this check since it may not be accurate due to how FreeBSD patches OpenSSL
    	allow_vulnerable_openssl = yes
    }
    
    $INCLUDE  clients.conf
    thread pool {
    	start_servers = 5
    	max_servers = 32
    	min_spare_servers = 3
    	max_spare_servers = 10
    	max_queue_size = 65536
    	max_requests_per_server = 0
    	auto_limit_acct = no
    }
    
    modules {
    	$INCLUDE ${confdir}/mods-enabled/
    
    }
    
    instantiate {
    	exec
    	expr
    	expiration
    	logintime
    	### Dis-/Enable sql instatiate
    
    	redundant sql {
    		sql1
    		### sql2 DISABLED ###
    	}
    
    }
    policy {
    	$INCLUDE policy.d/
    }
    $INCLUDE sites-enabled/
    
    
    /usr/local/etc/raddb/mods-enabled/sql
    
    sql sql1 {
    	database = "mysql"
    	driver = "rlm_sql_${database}"
    	dialect = "${database}"
    	server = "192.168.1.111"
    	port = 3306
    	login = "radius"
    	password = "radpass"
    	radius_db = "radius"
    	acct_table1 = "radacct"
    	acct_table2 = "radacct"
    	postauth_table = "radpostauth"
    	authcheck_table = "radcheck"
    	authreply_table = "radreply"
    	groupcheck_table = "radgroupcheck"
    	groupreply_table = "radgroupreply"
    	usergroup_table = "radusergroup"
    	read_groups = yes
    	delete_stale_sessions = yes
    	logfile = ${logdir}/sqltrace.sql
    	read_clients = yes
    	client_table = "nas"
    	pool {
    		start = ${thread[pool].start_servers}
    		min = ${thread[pool].min_spare_servers}
    		max = 5
    		spare = ${thread[pool].max_spare_servers}
    		uses = 0
    		retry_delay = 60
    		lifetime = 0
    		idle_timeout = 60
    	}
    	group_attribute = "${.:instance}-SQL-Group"
    	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
    }
    
    

    In the system log I have the error: RADIUS ACCOUNTING FAILED : No valid RADIUS responses received
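    Both the Start/Stop versus Interim accounting modes discussed earlier in the thread and the "No valid RADIUS responses received" error above come down to the RFC 2866 exchange: the NAS (here pfSense) sends an Accounting-Request whose Acct-Status-Type is Start, Stop or Interim-Update, and it only treats an Accounting-Response as valid if its authenticator was computed with the same shared secret. The block below is an added example, not code from pfSense, FreeRADIUS or any poster; the secret, identifier and octet counters are constructed sample values.

```python
import hashlib
import struct
# RFC 2866 packet codes and the attribute types this thread is about
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def encode_attrs(attrs):
    """Encode (type, bytes) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_acct_request(ident, secret, attrs):
    """Accounting-Request: authenticator = MD5(code+id+len+16 zero bytes+attrs+secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def build_acct_response(request, secret):
    """Accounting-Response: authenticator = MD5(code+id+len+request authenticator+secret)."""
    head = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def verify_request(pkt, secret):
    """True only if the Request Authenticator was computed with this shared secret."""
    return pkt[4:20] == hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()

def verify_response(resp, request, secret):
    """The check a NAS makes before counting a reply as a valid RADIUS response."""
    expect = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return resp[1] == request[1] and resp[4:20] == expect

def parse_attrs(pkt):
    """Decode TLVs into {type: bytes}; stop at the first malformed length."""
    out, pos = {}, 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            break
        out[t] = pkt[pos + 2:pos + length]
        pos += length
    return out

def summarize(pkt):
    """(Acct-Status-Type name, input octets, output octets) of an Accounting-Request."""
    a = parse_attrs(pkt)
    u32 = lambda k: struct.unpack("!I", a[k])[0]
    return STATUS_NAMES.get(u32(ACCT_STATUS_TYPE)), u32(ACCT_INPUT_OCTETS), u32(ACCT_OUTPUT_OCTETS)

SECRET = b"constructed-secret"  # constructed sample value, not a real NAS secret
ATTRS = [(ACCT_STATUS_TYPE, 3), (ACCT_INPUT_OCTETS, 1024), (ACCT_OUTPUT_OCTETS, 4096)]  # constructed Interim-Update
SAMPLE = build_acct_request(7, SECRET, [(t, struct.pack("!I", v)) for t, v in ATTRS])
```

    Feeding captured UDP 1813 packets into summarize() shows which Acct-Status-Type and octet counters each update really carries, and verify_response() with the configured secret shows whether a reply would pass the NAS's validity check.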



  • @Aubin Any solution?

