radiusplugin-users

Re: [Radiusplugin-users] #2 Accounting


From: Ralf Lübben
Subject: Re: [Radiusplugin-users] #2 Accounting
Date: Wed, 28 Sep 2011 19:29:21 +0200
User-agent: KMail/1.13.6 (Linux/2.6.38-11-generic; KDE/4.6.2; i686; ; )

Hi,

Yes, the values are read from the status.log file.

Actually I don't know what OpenVPN is counting.

Regards,
Ralf


On Monday, 26 September 2011, 13:56:36, Eike Lohmann wrote:
> Hi,
> 
> I have not found any information on this and got no response from the
> openvpn userlist, so I will try it also in this list a 2nd and last time.
> 
> ACCTINPUTOCTETS and ACCTOUTPUTOCTETS: where do the counters come from?
> Do you take the count from status.log (Bytes Send / Received)?
> Do you know what the openvpn guys are counting and where, before the
> tunnel, inside the tunnel, after compression, with or without openvpn
> encryption etc.
> 
> I am wondering about some tests I have made, the count from radiusplugin
> seems not to be the payload transferred through the tunnel.
> 
> Regards, Eike
> 
> On 29.08.2011 18:54, Ralf Lübben wrote:
> > Hi,
> > 
> > the CVS also contains the getTime()/replace fix, now.
> > 
> > Ralf
> > 
> > On Monday, 29 August 2011, 18:31:47, you wrote:
> >> Hi Ralf,
> >> 
> >> Sorry, I didn't even notice the CVS has this fix.
> >> 
> >> The CVS version works fine except for the new line problem caused by
> >> replace in getTime() I mentioned earlier.
> >> 
> >> -----Original Message-----
> >> From: address@hidden
> >> [mailto:address@hidden
> >> On Behalf Of Ralf Lübben
> >> Sent: 29 August 2011 16:27
> >> To: address@hidden
> >> Subject: Re: [Radiusplugin-users] username-as-common-name
> >> 
> >> Hi,
> >> 
> >> the CVS version has a similar fix, can you try it?
> >> 
> >> Ralf
> >> 
> >> On Sunday, 28 August 2011, 20:29:01, Dequan wrote:
> >>> Sorry that I keep posting over myself, but my proposed fix of swapping
> >>> the if statements to ensure:
> >>> 
> >>>   user->setCommonname ( get_env ( "common_name", envp ) );
> >>> 
> >>> is run before
> >>> 
> >>>   user->setCommonname ( get_env ( "username", envp ) );
> >>> 
> >>> is working and allows proper accounting functioning of
> >>> username-as-common-name.
> >>> 
> >>> Below is a link to a diff which hopefully you may find useful.
> >>> 
> >>> http://pastebin.com/98L6JzbZ
> >>> 
> >>> Thanks Ralf.
> >>> 
> >>> -----Original Message-----
> >>> From: Dequan [mailto:address@hidden
> >>> Sent: 28 August 2011 18:02
> >>> To: address@hidden
> >>> Subject: RE: username-as-common-name
> >>> 
> >>> From the log output, I am assuming that the common name isn't being
> >>> rewritten as the username -- as the StatusFileKey still refers to the
> >>> certificate common name and not the username for accounting updates.
> >>> 
> >>>   Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler: Update for User phantomkevin.
> >>>   ...
> >>>   Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND ACCT: No accounting data was found for bob, 114.91.48.36:2671.
> >>> 
> >>> Having a quick look at radiusplugin.cpp, I see the section relating to
> >>> getUsernameAsCommonname:
> >>> 
> >>>     //rewrite the username if OpenVPN use the option username-as-common-name
> >>>     if ( context->conf.getUsernameAsCommonname() == true )
> >>>     {
> >>>         if ( DEBUG ( context->getVerbosity() ) ) cerr << getTime() << "RADIUS-PLUGIN: FOREGROUND: Commonname set to Username\n";
> >>>         user->setCommonname ( get_env ( "username", envp ) );
> >>>     }
> >>>     if ( get_env ( "common_name", envp ) !=NULL )
> >>>     {
> >>>         user->setCommonname ( get_env ( "common_name", envp ) );
> >>>     }
> >>> 
> >>> Out of curiosity, should these 2 IFs not be the other way around like
> >>> so?
> >>> 
> >>>     if ( get_env ( "common_name", envp ) !=NULL )
> >>>     {
> >>>         user->setCommonname ( get_env ( "common_name", envp ) );
> >>>     }
> >>>     if ( context->conf.getUsernameAsCommonname() == true )
> >>>     {
> >>>         if ( DEBUG ( context->getVerbosity() ) ) cerr << getTime() << "RADIUS-PLUGIN: FOREGROUND: Commonname set to Username\n";
> >>>         user->setCommonname ( get_env ( "username", envp ) );
> >>>     }
> >>> 
> >>> Surely the first code snippet would always end up setting the common
> >>> name as the certificate common name, even if getUsernameAsCommonname()
> >>> == true? Unless this was deliberate because OpenVPN does something odd
> >>> -- like not set the common name if username-as-common-name is set in
> >>> the config file?
> >>> 
> >>> 
> >>> -----Original Message-----
> >>> From: Dequan [mailto:address@hidden
> >>> Sent: 28 August 2011 17:19
> >>> To: address@hidden
> >>> Subject: username-as-common-name
> >>> 
> >>> Hi Ralf,
> >>> 
> >>> I have set my OpenVPN server to use --duplicate-cn and
> >>> --username-as-common-name, however Radiusplugin still tries to get
> >>> accounting packets under the certificate common name.
> >>> 
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND:
> >>> OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY is called.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Commonname set to
> >>> Username
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Key:
> >>> 114.91.48.36:2671.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: New user.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: New user:
> >>> username: Sun Aug 28 17:04:59 2011 us=99952 114.91.48.36:2671 Client
> >>> random2: db1d02c5 8179dd65 7daf5d38 bbcfcfe3 e4365c24 dd9bfc41 92b9d89d
> >>> 08ecf979
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND  AUTH: New user
> >>> auth: username: phantomkevin, password: *****, calling station:
> >>> 114.91.48.36, commonname: bob.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: radius_server().
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Build password packet: 
> >>> password: *****, sharedSecret: *****.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Send packet to 127.0.0.1.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Get ACCESS_ACCEPT-Packet.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: parse_response_packet().
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND AUTH: routes: .
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND AUTH: framed ip: .
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND AUTH: Acct Interim
> >>> Interval: 60.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Client config file was not
> >>> written, overwriteccfiles is false
> >>> .Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUNDRADIUS-PLUGIN:
> >>> FOREGROUND THREAD: Authentication succeeded!
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Received
> >>> routes for user: .
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Received
> >>> framed ip for user: .
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Receive
> >>> acctinteriminterval 60 sec from backgroundprocess.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Add user to
> >>> map.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: Write 1 to auth_control_file
> >>> /tmp/openvpn/ifconfig/openvpn_acf_8b7a7f29b1867a8a8ac789de86e93ae2.tmp.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND THREAD: Waiting for
> >>> new user.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND:
> >>> OPENVPN_PLUGIN_CLIENT_CONNECT is called.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Commonname set to
> >>> Username
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Key:
> >>> 114.91.48.36:2671.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Set FramedIP to the
> >>> IP (10.100.0.5) OpenVPN assigned to the user phantomkevin
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Add user for
> >>> accounting: username: phantomkevin, commonname: bob
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Get a command.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: New User.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: New user acct:
> >>> username: phantomkevin, interval: 60, calling station: 114.91.48.36,
> >>> commonname: bob, framed ip: 10.100.0.5.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND-ACCT:  Get
> >>> ACCOUNTING_RESPONSE-Packet.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Start packet
> >>> was send.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND ACCT: User was added
> >>> to accounting scheduler.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: BACKGROUND-ACCT:  No routes for
> >>> user.
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Accounting
> >>> succeeded!
> >>> 
> >>> As you may be able to see, radiusplugin correctly detects
> >>> username-as-common-name, however when adding the user to accounting, it
> >>> still uses commonname = bob:
> >>> 
> >>> Sun Aug 28 17:04:59 2011 RADIUS-PLUGIN: FOREGROUND: Add user for
> >>> accounting: username: phantomkevin, commonname: bob
> >>> 
> >>> This results in the log file filling up with accounting requests such
> >>> as the below:
> >>> 
> >>> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler:
> >>> Update for User phantomkevin.
> >>> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND ACCT: Scheduler:
> >>> Read Statusfile.
> >>> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND ACCT: No accounting
> >>> data was found for bob, 114.91.48.36:2671.
> >>> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Get
> >>> ACCOUNTING_RESPONSE-Packet.
> >>> Sun Aug 28 17:05:03 2011 RADIUS-PLUGIN: BACKGROUND-ACCT: Scheduler:
> >>> Update packet for User phantomkevin was send.
> >>> 
> >>> Which shows that it is trying to look up accounting data of the
> >>> certificate common name -- bob, not the common name -- phantomkevin
> >>> in this example.
> >>> 
> >>> I am using the latest version -- radiusplugin_v2.1a_beta1 with the
> >>> following settings:
> >>> 
> >>> Overwriteccfiles=true
> >>> Useauthcontrolfile=true
> >>> Accountingonly=false
> >>> Nonfatalaccounting=false
> >>> 
> >>> Any idea what is causing this?
> >>> 
> >>> 
> >>> _______________________________________________
> >>> Radiusplugin-users mailing list
> >>> address@hidden
> >>> https://lists.nongnu.org/mailman/listinfo/radiusplugin-users
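
The ordering problem and the status-file lookup discussed in this thread, as an added example that is not radiusplugin's own code: resolve_commonname and find_counters are hypothetical helpers, and the status text is a constructed sample that assumes OpenVPN's status-version 1 client-list layout and, as the thread's logs suggest, a client listed under its username.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for the plugin's choice of accounting common name.
// swapped=false: order of the first quoted snippet (common_name applied last).
// swapped=true:  order of the proposed fix (username applied last).
std::string resolve_commonname(const char *username, const char *common_name,
                               bool username_as_cn, bool swapped) {
    std::string cn;
    if (!swapped && username_as_cn && username) cn = username;
    if (common_name) cn = common_name;   // in the unswapped order this overwrites
    if (swapped && username_as_cn && username) cn = username;
    return cn;
}

struct Counters { std::uint64_t bytes_received = 0, bytes_sent = 0; };

// Find "<common name>,<real address>," in a status-version 1 client list.
bool find_counters(const std::string &status, const std::string &cn,
                   const std::string &addr, Counters &out) {
    const std::string key = cn + "," + addr + ",";
    std::istringstream in(status);
    std::string line, rx, tx;
    while (std::getline(in, line)) {
        if (line == "ROUTING TABLE") break;           // client list ends here
        if (line.compare(0, key.size(), key) != 0) continue;
        std::istringstream fields(line.substr(key.size()));
        if (!std::getline(fields, rx, ',') || !std::getline(fields, tx, ',')) return false;
        try { out.bytes_received = std::stoull(rx); out.bytes_sent = std::stoull(tx); }
        catch (const std::exception &) { return false; }
        return true;
    }
    return false;
}

// Constructed sample (assumption): the client list shows the username.
const std::string kStatus =
    "OpenVPN CLIENT LIST\nUpdated,Sun Aug 28 17:05:03 2011\n"
    "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since\n"
    "phantomkevin,114.91.48.36:2671,20480,51200,Sun Aug 28 17:04:59 2011\n"
    "ROUTING TABLE\nEND\n";

int main() {
    Counters c;
    for (int swapped = 0; swapped < 2; ++swapped) {
        std::string cn = resolve_commonname("phantomkevin", "bob", true, swapped != 0);
        bool ok = find_counters(kStatus, cn, "114.91.48.36:2671", c);
        std::cout << cn << ": " << (ok ? "counters found" : "no accounting data") << "\n";
    }
}
```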



