[Radiusplugin-users] #2 Accounting


From: Eike Lohmann
Subject: [Radiusplugin-users] #2 Accounting
Date: Mon, 26 Sep 2011 13:56:36 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.21) Gecko/20110831 Lightning/1.0b2 Thunderbird/3.1.13

Hi,

I have not found any information on this and got no response from the openvpn
userlist, so I will try it also in this list a 2nd and last time.

ACCTINPUTOCTETS and ACCTOUTPUTOCTETS: where do the counters come from?
Do you take the count from status.log (Bytes Sent / Received)?
Do you know what the openvpn guys are counting and where: before the tunnel,
inside the tunnel, after compression, with or without openvpn encryption etc.?

I am wondering about some tests I have made; the count from radiusplugin seems
not to be the payload transferred through the tunnel.

Regards, Eike



Am 29.08.2011 18:54, schrieb Ralf Lübben:
> Hi,
>
> the CVS also contains the getTime()/replace fix, now.
>
> Ralf
>
> Am Montag, 29. August 2011, 18:31:47 schrieben Sie:
>> Hi Ralf,
>>
>> Sorry, I didn't even notice the CVS has this fix.
>>
>> The CVS version works fine except for the new line problem caused by
>> replace in getTime() I mentioned earlier.
>>
>> -----Original Message-----
>> From: address@hidden
>> [mailto:address@hidden On
>> Behalf Of Ralf Lübben
>> Sent: 29 August 2011 16:27
>> To: address@hidden
>> Subject: Re: [Radiusplugin-users] username-as-common-name
>>
>> Hi,
>>
>> the CVS version has a similar fix, can you try it?
>>
>> Ralf
>>
>> Am Sonntag, 28. August 2011, 20:29:01 schrieb Dequan:
>>> Sorry that I keep posting over myself, but my proposed fix of swapping
>>> the if statements to ensure:
>>>
>>>     user->setCommonname ( get_env ( "common_name", envp ) );
>>>
>>> is run before
>>>
>>>     user->setCommonname ( get_env ( "username", envp ) );
>>>
>>> is working and allows proper accounting functioning of
>>> username-as-common-name.
>>>
>>> Below is a link to a diff which hopefully you may find useful.
>>>
>>> http://pastebin.com/98L6JzbZ
>>>
>>> Thanks Ralf.
>>>
>>> -----Original Message-----
>>> From: Dequan [mailto:address@hidden
>>> Sent: 28 August 2011 18:02
>>> To: address@hidden
>>> Subject: RE: username-as-common-name
>>>
>>> From the log output, I am assuming that the common name isn't being
>>> rewritten as the username -- as the StatusFileKey still refers to the
>>> certificate common name and not the username for accounting updates.
>>>
>>>     Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler: Update for User phantomkevin.
>>>     ...
>>>     Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND ACCT: No accounting data was found for bob, 114.91.48.36:2671.
>>>
>>> Having a quick look for radiusplugin.cpp, I see the section relating to
>>> getUsernameAsCommonname:
>>>
>>>     //rewrite the username if OpenVPN use the option username-as-comon-name
>>>     if ( context->conf.getUsernameAsCommonname() == true )
>>>     {
>>>         if ( DEBUG ( context->getVerbosity() ) ) cerr << getTime() << "RADIUS-PLUGIN: FOREGROUND: Commonname set to Username\n";
>>>         user->setCommonname ( get_env ( "username", envp ) );
>>>     }
>>>     if ( get_env ( "common_name", envp ) !=NULL )
>>>     {
>>>         user->setCommonname ( get_env ( "common_name", envp ) );
>>>     }
>>>
>>> Out of curiosity, should these 2 IFs not be the other way around like so?
>>>
>>>     if ( get_env ( "common_name", envp ) !=NULL )
>>>     {
>>>         user->setCommonname ( get_env ( "common_name", envp ) );
>>>     }
>>>     if ( context->conf.getUsernameAsCommonname() == true )
>>>     {
>>>         if ( DEBUG ( context->getVerbosity() ) ) cerr << getTime() << "RADIUS-PLUGIN: FOREGROUND: Commonname set to Username\n";
>>>         user->setCommonname ( get_env ( "username", envp ) );
>>>     }
>>>
>>> Surely the first code snippet would always end up setting the common name
>>> as the certificate common name, even if getUsernameAsCommonname() ==
>>> true? Unless this was deliberate because OpenVPN does something odd --
>>> like not set the common name if username-as-common-name is set in the
>>> config file?
>>>
>>>
>>> -----Original Message-----
>>> From: Dequan [mailto:address@hidden
>>> Sent: 28 August 2011 17:19
>>> To: address@hidden
>>> Subject: username-as-common-name
>>>
>>> Hi Ralf,
>>>
>>> I have set my OpenVPN server to use --duplicate-cn and
>>> --username-as-common-name, however Radiusplugin still tries to get
>>> accounting packets under the certificate common name.
>>>
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND:
>>> OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY is called.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Commonname set to
>>> Username
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Key:
>>> 114.91.48.36:2671.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: New user.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: New user:
>>> username: Sun Aug 28 17:04:59 2011 us=99952 114.91.48.36:2671 Client
>>> random2: db1d02c5 8179dd65 7daf5d38 bbcfcfe3 e4365c24 dd9bfc41 92b9d89d
>>> 08ecf979
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND  AUTH: New user auth:
>>> username: phantomkevin, password: *****, calling station: 114.91.48.36,
>>> commonname: bob.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: radius_server().
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Build password packet:  password:
>>> *****, sharedSecret: *****.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Send packet to 127.0.0.1.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Get ACCESS_ACCEPT-Packet.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: parse_response_packet().
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND AUTH: routes: .
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND AUTH: framed ip: .
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND AUTH: Acct Interim
>>> Interval: 60.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Client config file was not
>>> written, overwriteccfiles is false
>>> .Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUNDRADIUS-PLUGIN:
>>> FOREGROUND THREAD: Authentication succeeded!
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Received
>>> routes for user: .
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Received
>>> framed ip for user: .
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Receive
>>> acctinteriminterval 60 sec from backgroundprocess.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Add user to
>>> map.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Write 1 to auth_control_file
>>> /tmp/openvpn/ifconfig/openvpn_acf_8b7a7f29b1867a8a8ac789de86e93ae2.tmp.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Waiting for
>>> new user.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND:
>>> OPENVPN_PLUGIN_CLIENT_CONNECT is called.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Commonname set to
>>> Username
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Key:
>>> 114.91.48.36:2671.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to the
>>> IP (10.100.0.5) OpenVPN assigned to the user phantomkevin
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Add user for
>>> accounting: username: phantomkevin, commonname: bob
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Get a command.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct:
>>> username: phantomkevin, interval: 60, calling station: 114.91.48.36,
>>> commonname: bob, framed ip: 10.100.0.5.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND-ACCT:  Get
>>> ACCOUNTING_RESPONSE-Packet.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Start packet was
>>> send.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: User was added
>>> to accounting scheduler.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND-ACCT:  No routes for
>>> user.
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Accounting succeeded!
>>>
>>> As you may be able to see, radiusplugin correctly detects
>>> username-as-common-name, however when adding the user to accounting, it
>>> still uses commonname = bob:
>>>
>>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Add user for
>>> accounting: username: phantomkevin, commonname: bob
>>>
>>> This results in the log file filling up with accounting requests such as
>>> the below:
>>>
>>> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler:
>>> Update for User phantomkevin.
>>> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Scheduler: Read
>>> Statusfile.
>>> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND ACCT: No accounting
>>> data was found for bob, 114.91.48.36:2671.
>>> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Get
>>> ACCOUNTING_RESPONSE-Packet.
>>> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler:
>>> Update packet for User phantomkevin was send.
>>>
>>> Which shows that it is trying to look up accounting data of the
>>> certificate common name -- bob, not the common name -- phantomkevin in
>>> this example.
>>>
>>> I am using the latest version -- radiusplugin_v2.1a_beta1 with the
>>> following settings:
>>>
>>> Overwriteccfiles=true
>>> Useauthcontrolfile=true
>>> Accountingonly=false
>>> Nonfatalaccounting=false
>>>
>>> Any idea what is causing this?
>>>
>>>
>>> _______________________________________________
>>> Radiusplugin-users mailing list
>>> address@hidden
>>> https://lists.nongnu.org/mailman/listinfo/radiusplugin-users
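
The ordering problem discussed in the quoted thread, as an added example that is not part of the original messages or of radiusplugin's own code. It assumes a stand-in get_env(), a status table keyed as "<commonname>,<ip:port>" that lists the username when --username-as-common-name is set, and a constructed byte count; null checks are added so the sketch is safe to run.

```cpp
#include <cstring>
#include <iostream>
#include <map>
#include <string>

// Stand-in for the plugin's get_env(): value of NAME in a NULL-terminated
// "NAME=value" array, or nullptr when the variable is absent.
static const char *get_env(const char *name, const char *envp[]) {
    const std::size_t n = std::strlen(name);
    for (int i = 0; envp[i] != nullptr; ++i)
        if (std::strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return nullptr;
}

// Ordering of the first quoted snippet: the certificate CN is applied last and wins.
std::string commonname_original(bool username_as_cn, const char *envp[]) {
    std::string cn;
    const char *user = get_env("username", envp);
    const char *cert = get_env("common_name", envp);
    if (username_as_cn && user) cn = user;
    if (cert) cn = cert;
    return cn;
}

// Swapped ordering proposed in the thread: the username overrides the certificate CN.
std::string commonname_swapped(bool username_as_cn, const char *envp[]) {
    std::string cn;
    const char *user = get_env("username", envp);
    const char *cert = get_env("common_name", envp);
    if (cert) cn = cert;
    if (username_as_cn && user) cn = user;
    return cn;
}

// Constructed sample data mirroring the names and peer address in the thread's log.
const char *SAMPLE_ENVP[] = {"username=phantomkevin", "common_name=bob", nullptr};
const std::map<std::string, long> SAMPLE_STATUS = {{"phantomkevin,114.91.48.36:2671", 4096}};

// Assumption: accounting counters are looked up under "<commonname>,<ip:port>".
bool accounting_found(const std::string &cn, const std::string &peer) {
    return SAMPLE_STATUS.count(cn + "," + peer) != 0;
}

int main() {
    const std::string peer = "114.91.48.36:2671";
    const std::string before = commonname_original(true, SAMPLE_ENVP);
    const std::string after = commonname_swapped(true, SAMPLE_ENVP);
    std::cout << "original: " << before << " found=" << accounting_found(before, peer) << "\n";
    std::cout << "swapped:  " << after << " found=" << accounting_found(after, peer) << "\n";
    return 0;
}
```

With the original ordering the lookup key is built from the certificate name and misses, which matches the "No accounting data was found for bob" lines in the quoted log.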


