[SOLVED] RADIUS accounting packets seem to be broken.
-
I have been trying to get RADIUS accounting working for the last couple of days with little success, and after a lot of screwing around I have come to the conclusion that pfSense is sending invalid accounting packets to RADIUS.
The issue I am having is that as soon as a user logs in via CP, RADIUS shows that the user starts using data at a constant rate regardless of what the user is actually doing. Even if I disconnect the user from the network but leave them logged in, they continue using data. The rate at which the user uses data seems to change every time the user logs in but is constant as long as the user stays logged in.
Today I finally gave up on the RADIUS package and switched to an external RADIUS server (daloRADIUS), but the external server is showing the exact same behavior, which would suggest this is an issue with pfSense itself, not the RADIUS package.
Here is a sample of the data being sent to the external RADIUS server.
http://ss.brandon3055.com/umka2ly.png
I think what may be happening is that pfSense is generating an accounting packet the first minute the user is logged in and then just sending the exact same packet every minute instead of generating a new one every minute.
I still haven't completely ruled out the possibility that this is a configuration issue on my end, but at this point that seems unlikely. I have so far tried this with my main pfSense router and I have also set up a new clean system with the latest pfSense release (2.3.3); both systems showed the same issue.
If this is an issue with pfSense I really hope it can be fixed as soon as possible because I really want to implement accounting on my network.
Edit: You will probably want to see my Captive Portal config
http://ss.brandon3055.com/ap8oh04.png
http://ss.brandon3055.com/rg9stfd.png
-
It's probably the accounting updates mode, I don't know who created the Stop/Start methods and why (and most of all why one mentions FreeRADIUS, I was using FreeRADIUS with standard interim updates in 2008) but if you don't have a specific reason to use it, try with "Interim."
-
It's probably the accounting updates mode, I don't know who created the Stop/Start methods and why (and most of all why one mentions FreeRADIUS, I was using FreeRADIUS with standard interim updates in 2008) but if you don't have a specific reason to use it, try with "Interim."
I can't believe I did not try that! I tried pretty much everything else. But that seems to have fixed it, so thank you! All of the documentation I read said to use Start/Stop, so that probably needs to be changed.
I'm guessing this is still a bug with the Start/Stop mode, so I will leave my issue open and add a note about this. One thing I noticed about using interim updates is that the user data isn't saved to "used-octets-<username>". It's saved to "used-octets-<username>-5bd5221a55b3bbd8", which seems to be a temporary cache file for the specific machine the user has logged in on. Once the user logs out that cache is added to the main used-octets file and deleted. This will make my scripts a little more "interesting" but shouldn't be a problem.
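The symptom the thread describes is accounting counters that climb at a fixed rate no matter what the client does. As an added example (not code from the thread or from pfSense), here is a small sanity check that a defender can run over interim accounting records pulled from a radacct-style table or a detail log. The record layout, the session ids, user names and octet values are all constructed for the example; the check flags three patterns: a cumulative counter that goes backwards within a session (never legitimate), counters that stay frozen while Acct-Session-Time advances (legitimate for an idle client, so treat it as a lead rather than proof), and an identical octet delta on every evenly spaced update, which is the constant-rate pattern reported above.

```python
"""Sanity check for RADIUS interim accounting records (added example, not pfSense code)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample records, oldest first, one per accounting packet:
# (Acct-Session-Id, User-Name, Acct-Status-Type, Acct-Session-Time,
#  Acct-Input-Octets, Acct-Output-Octets). All values are made up.
SAMPLE_RECORDS: List[Tuple[str, str, str, int, int, int]] = [
    ("s1", "alice", "Start", 0, 0, 0),
    ("s1", "alice", "Interim-Update", 60, 50_000, 50_000),      # +50k/+50k every 60 s ...
    ("s1", "alice", "Interim-Update", 120, 100_000, 100_000),   # ... a perfectly constant rate
    ("s1", "alice", "Interim-Update", 180, 150_000, 150_000),
    ("s1", "alice", "Interim-Update", 240, 200_000, 200_000),
    ("s2", "bob", "Start", 0, 0, 0),
    ("s2", "bob", "Interim-Update", 60, 12_345, 88_002),        # bursty, plausible traffic
    ("s2", "bob", "Interim-Update", 120, 12_345, 88_002),
    ("s2", "bob", "Interim-Update", 180, 12_900, 95_410),
    ("s2", "bob", "Stop", 200, 13_100, 96_000),
    ("s3", "carol", "Interim-Update", 60, 4_000, 9_000),        # counters never move
    ("s3", "carol", "Interim-Update", 120, 4_000, 9_000),
    ("s3", "carol", "Interim-Update", 180, 4_000, 9_000),
    ("s4", "dave", "Interim-Update", 60, 9_000, 1_000),         # input counter decreases
    ("s4", "dave", "Interim-Update", 120, 3_000, 1_500),
]


def check_sessions(records, min_updates=3) -> Dict[str, List[str]]:
    """Return {session_id: [problem, ...]} for sessions whose counters look wrong.

    min_updates is the number of Interim-Update/Stop records a session needs
    before the rate-based checks are applied; shorter sessions only get the
    monotonicity check.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec[0]].append(rec)

    findings: Dict[str, List[str]] = {}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r[3])  # order by Acct-Session-Time
        problems: List[str] = []

        # Acct-Input/Output-Octets are cumulative for the session, so a drop
        # between consecutive packets means the packets are not from one
        # consistent counter (or the session id is being reused).
        for prev, cur in zip(recs, recs[1:]):
            if cur[4] < prev[4] or cur[5] < prev[5]:
                problems.append("octet counter decreased between updates")
                break

        updates = [r for r in recs if r[2] in ("Interim-Update", "Stop")]
        if len(updates) >= min_updates:
            time_deltas = [cur[3] - prev[3] for prev, cur in zip(updates, updates[1:])]
            octet_deltas = [(cur[4] - prev[4], cur[5] - prev[5])
                            for prev, cur in zip(updates, updates[1:])]
            if all(d == (0, 0) for d in octet_deltas):
                problems.append("counters frozen while session time advances")
            elif len(set(octet_deltas)) == 1 and len(set(time_deltas)) == 1:
                # Same byte delta in every equal interval: the NAS is reporting a
                # fixed rate rather than what the client actually transferred.
                problems.append("identical octet delta on every update (constant rate)")

        if problems:
            findings[sid] = problems
    return findings


if __name__ == "__main__":
    for session, issues in check_sessions(SAMPLE_RECORDS).items():
        print(session, "->", "; ".join(issues))
```

Feeding the function real rows is a matter of mapping the acctsessionid, username, acctstatustype-equivalent, acctsessiontime, acctinputoctets and acctoutputoctets columns into the same tuple shape; if the NAS reports Acct-Input-Gigawords, fold them into the octet values before calling it.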
-
Hi, I have a problem with accounting. I'm using the freeradius3 package on pfSense with a MySQL database; I use the same server for authorisation and accounting, but accounting won't work. The error in the system log is "No Valid Radius response received". Please help.
-
@Aubin said in [SOLVED] RADIUS accounting packets seem to be broken.:
problem with accounting
Accounting what?
@Aubin said in [SOLVED] RADIUS accounting packets seem to be broken.:
No Valid Radius response received
Impossible to detail all the possible ways to do it wrong.
What about showing how you set it up?
And why dig up very old forum posts?
-
@Gertjan I mean accounting data usage, with the acctinput and acctoutput octets in the radacct table.
My config looks like the following:

/usr/local/etc/raddb/sites-enabled/default

server default {
    listen {
        type = auth
        ipaddr = *
        port = 1812
    }
    listen {
        type = acct
        ipaddr = *
        port = 1813
    }
    listen {
        type = status
        ipaddr = *
        port = 1816
    }
    authorize {
        # filter_username
        # filter_password
        preprocess
        # operator-name
        # cui
        ##### AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED #####
        # auth_log
        chap
        mschap
        digest
        # wimax
        # IPASS
        suffix
        ntdomain
        eap {
            ok = return
            # updated = return
        }
        # unix
        files
        redundant sql {
            sql1
            ### sql2 DISABLED ###
        }
        # smbpasswd
        ### ldap ###
        # Formerly checkval
        if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
            ok
        }
        expiration
        logintime
        pap
        Autz-Type Status-Server {
        }
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        Auth-Type MOTP {
            motp
        }
        Auth-Type GOOGLEAUTH {
            googleauth
        }
        digest
        # pam
        # unix
        #Auth-Type LDAP {
        #ldap
        #### ldap2 disabled ###
        #}
        eap
        # Auth-Type eap {
        #     eap {
        #         handled = 1
        #     }
        #     if (handled && (Response-Packet-Type == Access-Challenge)) {
        #         attr_filter.access_challenge.post-auth
        #         handled  # override the "updated" code from attr_filter
        #     }
        # }
    }
    preacct {
        preprocess
        ##### ACCOUNTING FOR PLAIN MAC-AUTH DISABLED #####
        # acct_counters64
        update request {
            &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
        }
        acct_unique
        # IPASS
        suffix
        ntdomain
        files
    }
    accounting {
        # cui
        detail
        ### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates
        if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) {
            datacounterdaily
            datacounterweekly
            datacountermonthly
            datacounterforever
        }
        # unix
        radutmp
        # sradutmp
        # main_pool
        redundant sql {
            sql1
            ### sql2 DISABLED ###
        }
        # if (noop) {
        #     ok
        # }
        # pgsql-voip
        exec
        attr_filter.accounting_response
        Acct-Type Status-Server {
        }
    }
    session {
        # radutmp
        redundant sql {
            sql1
            ### sql2 DISABLED ###
        }
    }
    post-auth {
        # if (!&reply:State) {
        #     update reply {
        #         State := "0x%{randstr:16h}"
        #     }
        # }
        update {
            &reply: += &session-state:
        }
        # main_pool
        # cui
        # reply_log
        redundant sql {
            sql1
            ### sql2 DISABLED ###
        }
        # ldap
        exec
        # wimax
        # update reply {
        #     Reply-Message += "%{TLS-Cert-Serial}"
        #     Reply-Message += "%{TLS-Cert-Expiration}"
        #     Reply-Message += "%{TLS-Cert-Subject}"
        #     Reply-Message += "%{TLS-Cert-Issuer}"
        #     Reply-Message += "%{TLS-Cert-Common-Name}"
        #     Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
        #
        #     Reply-Message += "%{TLS-Client-Cert-Serial}"
        #     Reply-Message += "%{TLS-Client-Cert-Expiration}"
        #     Reply-Message += "%{TLS-Client-Cert-Subject}"
        #     Reply-Message += "%{TLS-Client-Cert-Issuer}"
        #     Reply-Message += "%{TLS-Client-Cert-Common-Name}"
        #     Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
        # }
        # insert_acct_class
        # if (&reply:EAP-Session-Id) {
        #     update reply {
        #         EAP-Key-Name := &reply:EAP-Session-Id
        #     }
        # }
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            # log failed authentications in SQL, too.
            sql
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
        Post-Auth-Type Challenge {
        }
    }
    pre-proxy {
        # operator-name
        # cui
        # files
        attr_filter.pre-proxy
        # pre_proxy_log
    }
    post-proxy {
        # post_proxy_log
        attr_filter.post-proxy
        eap
        # Post-Proxy-Type Fail-Accounting {
        #     detail
        # }
    }
}

/usr/local/etc/raddb/radiusd.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run
db_dir = ${raddbdir}
libdir = /usr/local/lib/freeradius-3.0.17
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
hostname_lookups = no
regular_expressions = yes
extended_expressions = yes
log {
    destination = syslog
    colourise = yes
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_badpass = no
    auth_goodpass = no
    msg_goodpass = ""
    msg_badpass = ""
    msg_denied = "You are already logged in - access denied"
}
checkrad = ${sbindir}/checkrad
security {
    allow_core_dumps = no
    max_attributes = 200
    reject_delay = 1
    status_server = no
    # Disable this check since it may not be accurate due to how FreeBSD patches OpenSSL
    allow_vulnerable_openssl = yes
}
$INCLUDE clients.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_queue_size = 65536
    max_requests_per_server = 0
    auto_limit_acct = no
}
modules {
    $INCLUDE ${confdir}/mods-enabled/
}
instantiate {
    exec
    expr
    expiration
    logintime
    ### Dis-/Enable sql instatiate
    redundant sql {
        sql1
        ### sql2 DISABLED ###
    }
}
policy {
    $INCLUDE policy.d/
}
$INCLUDE sites-enabled/

/usr/local/etc/raddb/mods-enabled/sql

sql sql1 {
    database = "mysql"
    driver = "rlm_sql_${database}"
    dialect = "${database}"
    server = "192.168.1.111"
    port = 3306
    login = "radius"
    password = "radpass"
    radius_db = "radius"
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"
    read_groups = yes
    delete_stale_sessions = yes
    logfile = ${logdir}/sqltrace.sql
    read_clients = yes
    client_table = "nas"
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = 5
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 60
        lifetime = 0
        idle_timeout = 60
    }
    group_attribute = "${.:instance}-SQL-Group"
    $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
In the system log I have the error: RADIUS ACCOUNTING FAILED : No valid RADIUS responses received
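To make the "no valid RADIUS response" message concrete, here is an added example (not code from the thread, pfSense or FreeRADIUS) of what both ends of an accounting exchange check, following RFC 2866. The NAS builds an Accounting-Request whose Request Authenticator is MD5 over the packet with sixteen zero bytes in the authenticator field followed by the shared secret; the server recomputes it and silently drops the packet if it does not match, then answers with an Accounting-Response whose Response Authenticator is MD5 over the response with the request's authenticator and the secret; the NAS in turn discards any response that fails that check. A shared secret that differs between the two sides is therefore one general way for a client to end up with no valid response at all. The secret, user, session id and octet counts below are constructed sample values.

```python
"""RADIUS accounting packet build/verify per RFC 2866 (added example, not FreeRADIUS code)."""
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 2865/2866.
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, ACCT_STATUS_TYPE = 1, 40
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
STATUS_START, STATUS_STOP, STATUS_INTERIM_UPDATE = 1, 2, 3


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute; ints become 4-byte big-endian integers."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    elif isinstance(value, str):
        value = value.encode()
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attrs(packet):
    """Return {type: raw value bytes} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_acct_request(ident, secret, attrs):
    """NAS side: Request Authenticator = MD5(Code|ID|Length|16 zero bytes|Attributes|Secret)."""
    body = b"".join(attrs)
    header = struct.pack(">BBH", ACCT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_acct_request(packet, secret):
    """Server side: recompute the Request Authenticator with the configured shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_acct_response(request, secret):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret).

    A plain Accounting-Response carries no attributes, so its length is 20."""
    header = struct.pack(">BBH", ACCT_RESPONSE, request[1], 20)
    authenticator = hashlib.md5(header + request[4:20] + secret).digest()
    return header + authenticator


def verify_acct_response(response, request, secret):
    """NAS side: a response is valid only if it ties back to our request and secret."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def acct_server(packet, secret):
    """Minimal server: a request with a bad authenticator is dropped without any reply."""
    if not verify_acct_request(packet, secret):
        return None
    return build_acct_response(packet, secret)


def demo():
    """Same request against a server with the right secret and one with a mismatched secret."""
    nas_secret = b"testing123"  # constructed sample secret
    request = build_acct_request(7, nas_secret, [
        attr(USER_NAME, "alice"),
        attr(ACCT_STATUS_TYPE, STATUS_INTERIM_UPDATE),
        attr(ACCT_SESSION_ID, "0000a1b2"),
        attr(ACCT_SESSION_TIME, 120),
        attr(ACCT_INPUT_OCTETS, 48_000),
        attr(ACCT_OUTPUT_OCTETS, 1_200_000),
    ])
    good = acct_server(request, nas_secret)
    bad = acct_server(request, b"mismatched-secret")
    accepted = good is not None and verify_acct_response(good, request, nas_secret)
    return accepted, bad is None  # (True, True): reply only when the secrets agree


if __name__ == "__main__":
    print("matching secret answered, mismatched secret dropped:", demo())
```

Run against a real capture, verify_acct_request with the secret from clients.conf tells you directly whether a packet the NAS sent would be accepted; note that the authenticator covers the attributes, so a packet whose counters were altered in transit also fails the check.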
-
@Aubin any solve?