User Tools

Site Tools


radius

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
radius [2008/06/27 12:13]
kaiab
radius [2011/04/07 20:24] (current)
faltin [Use cases]
Line 1: Line 1:
-This page is a work in progress+====== The Radius Accounting tool ======
  
-====== ​Radius ​======+{{:​tools:​radius.png}} The Radius ​accounting tool is a NAV-tool that collects accounting-data from a [[http://​www.freeradius.org/​|Freeradius-server]] and makes them available to the user through a web-frontend. The goal is to make a more accessible and user-friendly interface to the accounting data instead of having to manually look through logfiles. The frontend is divided into three tabs where you can browse different sets of data from the radius-server.
  
-Radius is a NAV-tool that collects accounting-data from a [[http://​www.freeradius.org/​|Freeradius-server]] and makes them available to the user through a web-frontend. The goal is to make a more accessible and userfriendly interface to the accounting data instead of having to manually look through logfiles. The frontend is divided into three tabs where you can browse different sets of data from the radius-server.+===== Use cases =====
  
 +  * If you have an [[http://​eduroam.org|eduroam]] wireless network all you wireless users will log in based on their radius credentials. The NAV radius accounting tool is useful for searching eduroam users.
 +  * If you use IEEE 802.1X in your wired network and thus requires users to log in to get access, the NAV radius accounting tool can track these users as well.
 ===== Accounting Log ===== ===== Accounting Log =====
  
 This tab allows you to search through the accounting log. Here you can specify and limit your search to your needs. You can search for partial matches of strings by using the wildcard-symbol *, see screenshot. This tab allows you to search through the accounting log. Here you can specify and limit your search to your needs. You can search for partial matches of strings by using the wildcard-symbol *, see screenshot.
  
-In the first drop-down menu you can tell NAV what type of data you want to search for, default is username, but you can also search for an IP-address/​hostname for a NAS (Network Access Server) or IP-address/​hostname for a usermachine,​ the final option IP-range, allows you to search through a range of user IP's by using a search-string in CIDR-format. In the Port Type dropdown menu you can limit your search to the type of the connection the user has made, options are .1x, ISDN, Modem and VPN. Time let's you specify the period to search in or a more exact timestamp to limit your search further. If you mark one or more of the DNS-lookup boxes NAV will attempt to find the hostnames ​belonging to the IP's.+In the first drop-down menu you can tell NAV what type of data you want to search for, default is username, but you can also search for an IP-address/​hostname for a NAS (Network Access Server) or IP-address/​hostname for a usermachine,​ the final option IP-range, allows you to search through a range of user IP's by using a search-string in CIDR-format. In the Port Type dropdown menu you can limit your search to the type of the connection the user has made, options are .1x, ISDN, Modem and VPN. Time let's you specify the period to search in or a more exact timestamp to limit your search further. If you mark one or more of the DNS-lookup boxes NAV will attempt to find the hostname ​belonging to the IP's.
  
 {{:​screenshot:​radius-acctsearch.png|}} {{:​screenshot:​radius-acctsearch.png|}}
Line 15: Line 17:
 By clicking on one of the hostnames or IP-addresses that turn up in the search result you will start a new search based on that. Clicking on a session ID will transport you to the session-details page. By clicking on one of the hostnames or IP-addresses that turn up in the search result you will start a new search based on that. Clicking on a session ID will transport you to the session-details page.
  
-===== Charts =====+===== Accounting ​Charts =====
  
 This tab shows a top ten table of the users who have generated the most traffic on the network in the chosen time period. You can choose to see top downloaders,​ uploaders or a composite. Due to some problems with duplicate sessions this table can not be trusted explicitly to show correct data, but it will give some indication of the traffic. This tab shows a top ten table of the users who have generated the most traffic on the network in the chosen time period. You can choose to see top downloaders,​ uploaders or a composite. Due to some problems with duplicate sessions this table can not be trusted explicitly to show correct data, but it will give some indication of the traffic.
Line 21: Line 23:
 ===== Error Log ===== ===== Error Log =====
  
-In this tab we can do searches through the messages in the freeradius error-log. You can do searches ​for different parts of the message, either the username, client, port or the whole message. Client refers to the NAS the user is connecting to, and port is the module and port-number on that device. To further refine your search, you can choose which type of error-message you are interested in, and you can choose a period or timestamp to be more accurate.+In this tab we can do searches through the error-messages in the Freeradius logfile. You can do searches ​based on different parts of the message, either the username, client, port or the whole message. Client refers to the NAS the user is connecting to, and port is the module and port-number on that device. To further refine your search, you can choose which type of log-message you are interested in, and you can choose a period or timestamp to get more precise results.
  
 The results will show a timestamp of when an error occurred, the type of the error and the error-message itself. By clicking view you can see a more detailed message-summary. The results will show a timestamp of when an error occurred, the type of the error and the error-message itself. By clicking view you can see a more detailed message-summary.
Line 27: Line 29:
 ====== Installation and configuration ====== ====== Installation and configuration ======
  
-After you have finished the installation/​upgrade of NAV, there are a couple of things that must be done manually to make the Radius-module work as intended.+After you have finished the installation/​upgrade of NAV, there are a couple of things that must be done manually to make the Radius-module work as intended. See the file ''​INSTALL''​ in the radius-directory for a step by step and updated rundown of the process.
  
-{{:radius:radiusoverview.png|Overview of the radius-module}}+===== NAS Configuration ===== 
 + 
 +Your NAS (Network Access Server) needs to be configured to enable ​radius-accounting,​ for Cisco-equipment running IOS you would do: 
 +<​code>​ 
 +aaa accounting dot1x default start-stop group radius 
 +radius-server vsa send accounting 
 +</​code>​
  
 ===== Files ===== ===== Files =====
  
-  * radius.py +{{:radius:​radiusoverview1.png?​550x700|Overview of the radius-module}}
-  * radiuslib.py +
-  * radius_config.py+
  
-  * radiusparser.py +  * ''​radius.py''​ - This is the main script, takes care of the communication between database and frontend. 
-  * postgresql.conf+  * ''​radiuslib.py''​ - Contains assorted helper-functions. 
 +  * ''​radius_config.py''​ - Just another config-file. 
 +  * ''​radiusparser.py''​ - Parses the Freeradius logfile ''​radius.log''​ and inserts data into the database. 
 +  * Various ''​.tmpl''​ files -  These are Cheetah-template files for the web-frontend,​ they are not very interesting. 
 +  * ''​postgresql.conf''​ and ''​radiusd.conf''​ are config-files for Freeradius.
  
 ===== Files to edit ===== ===== Files to edit =====
Line 45: Line 55:
 <​code>​ <​code>​
 host    = ""​ host    = ""​
-user    = ""​ 
 passwd ​ = ""​ passwd ​ = ""​
-db_radiuslog_table = ""​ 
 logfile = ""​ logfile = ""​
 +</​code>​
 +
 +=== radiusd.conf ===
 +This is a configuration file that you will find on your Freeradius-server. For details see the INSTALL document in the radius-directory.
 +
 +You will probably want to change <​code>​$INCLUDE ​ ${confdir}/​sql.conf</​code>​ to <​code>​$INCLUDE ​ ${confdir}/​postgresql.conf</​code>​
 +
 +Add a line that says <​code>​sql</​code>​ last in the ''​accounting{}''​ section.
 +
 +This small script needs to be defined in the ''​main{}''​ section and called from the ''​preacct{}''​ section before the ''​acct_unique''​ script. See examples in the file for where to put it.
 +<​code>​
 +attr_rewrite modify_acctsessionid {
 +            attribute = Acct-Session-Id
 +            searchin = packet
 +            searchfor = "​[0-3][0-9]\/​[0-3][0-9]\/​[0-9]{2}\ [0-2][0-9]\:​[0-5][0-9]\:​[0-5][0-9]"​
 +            replacewith = ""​
 +            append = no
 +    }
 </​code>​ </​code>​
  
 === postgresql.conf === === postgresql.conf ===
-These are the modified accounting queries, which replaces the standard ones in ''​postgresql.conf''​.+This is also a configuration file that you will find on your Freeradius-server. 
 +Below you will find the modified accounting queries, which replaces the standard ones in ''​postgresql.conf''​.\\
 <​code>​ <​code>​
  #######################################################################​  #######################################################################​
Line 133: Line 160:
  
 </​code>​ </​code>​
 +
 +====== Known Issues ======
 +
 +We've had one report where the Freeradius-server crashes when it loses connection with the postgresql-database and can no longer push accounting-messages to it. The reason for this is currently unknown, but it seems to be connected with the ''​rlm_sql''​ and ''​rlm_sql_postgresql''​ modules for freeradius.
radius.1214561638.txt.gz · Last modified: 2008/06/27 12:13 by kaiab