How to configure COA in freeRadius

How to configure COA in freeRadius

ulislam.raihan
Hi,

I have put the following CoA list in the authorization section of the default file to enable the CoA request. The default file is in /etc/freeradius/sites-available.
update coa {
          User-Name = "%{User-Name}"
          Acct-Session-Id = "%{Acct-Session-Id}"
          NAS-IP-Address = "%{NAS-IP-Address}"
          Packet-Dst-Port = 4200
}

I am sending an Access-Request from my Java program and listening on port 4200. I am getting a successful Access-Accept, but I am not getting any CoA request; instead I see the following error: "Info: WARNING: Unknown destination 127.0.0.1:4200 for CoA request."

Can anyone tell me what more I have to configure, or what the problem is?

The output from radius server is below

rad_recv: Access-Request packet from host 127.0.0.1 port 57378, id=1, length=59
    User-Name = "testing"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 4200
    User-Password = "password"
Thu Apr  5 13:49:52 2012 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Thu Apr  5 13:49:52 2012 : Info: +- entering group authorize {...}
Thu Apr  5 13:49:52 2012 : Info: ++[preprocess] returns ok
Thu Apr  5 13:49:52 2012 : Info: ++[chap] returns noop
Thu Apr  5 13:49:52 2012 : Info: ++[mschap] returns noop
Thu Apr  5 13:49:52 2012 : Info: ++[digest] returns noop
Thu Apr  5 13:49:52 2012 : Info: [suffix] No '@' in User-Name = "testing", looking up realm NULL
Thu Apr  5 13:49:52 2012 : Info: [suffix] No such realm "NULL"
Thu Apr  5 13:49:52 2012 : Info: ++[suffix] returns noop
Thu Apr  5 13:49:52 2012 : Info: [eap] No EAP-Message, not doing EAP
Thu Apr  5 13:49:52 2012 : Info: ++[eap] returns noop
Thu Apr  5 13:49:52 2012 : Info: [files] users: Matched entry testing at line 49
Thu Apr  5 13:49:52 2012 : Info: ++[files] returns ok
Thu Apr  5 13:49:52 2012 : Info: [sql]     expand: %{User-Name} -> testing
Thu Apr  5 13:49:52 2012 : Info: [sql] sql_set_user escaped user --> 'testing'
Thu Apr  5 13:49:52 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 0
Thu Apr  5 13:49:52 2012 : Info: [sql]     expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'testing'           ORDER BY id
Thu Apr  5 13:49:52 2012 : Debug: rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'testing'           ORDER BY id
Thu Apr  5 13:49:52 2012 : Info: [sql]     expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'testing'           ORDER BY priority
Thu Apr  5 13:49:52 2012 : Debug: rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = 'testing'           ORDER BY priority
Thu Apr  5 13:49:52 2012 : Debug: rlm_sql (sql): Released sql socket id: 0
Thu Apr  5 13:49:52 2012 : Info: [sql] User testing not found
Thu Apr  5 13:49:52 2012 : Info: ++[sql] returns notfound
Thu Apr  5 13:49:52 2012 : Info: ++[expiration] returns noop
Thu Apr  5 13:49:52 2012 : Info: ++[logintime] returns noop
Thu Apr  5 13:49:52 2012 : Info: ++[pap] returns updated
Thu Apr  5 13:49:52 2012 : Info:     expand: %{User-Name} -> testing
Thu Apr  5 13:49:52 2012 : Info:     expand: %{Acct-Session-Id} ->
Thu Apr  5 13:49:52 2012 : Info:     expand: %{NAS-IP-Address} -> 127.0.0.1
Thu Apr  5 13:49:52 2012 : Debug: WARNING: You are modifying the value of virtual attribute Packet-Dst-Port.  This is not supported.
Thu Apr  5 13:49:52 2012 : Info: ++[coa] returns updated
Thu Apr  5 13:49:52 2012 : Info: Found Auth-Type = PAP
Thu Apr  5 13:49:52 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Thu Apr  5 13:49:52 2012 : Info: +- entering group PAP {...}
Thu Apr  5 13:49:52 2012 : Info: [pap] login attempt with password "password"
Thu Apr  5 13:49:52 2012 : Info: [pap] Using clear text password "password"
Thu Apr  5 13:49:52 2012 : Info: [pap] User authenticated successfully
Thu Apr  5 13:49:52 2012 : Info: ++[pap] returns ok
Thu Apr  5 13:49:52 2012 : Auth: Login OK: [testing/password] (from client localhost port 4200)
Thu Apr  5 13:49:52 2012 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default
Thu Apr  5 13:49:52 2012 : Info: +- entering group post-auth {...}
Thu Apr  5 13:49:52 2012 : Info: [sql]     expand: %{User-Name} -> testing
Thu Apr  5 13:49:52 2012 : Info: [sql] sql_set_user escaped user --> 'testing'
Thu Apr  5 13:49:52 2012 : Info: [sql]     expand: %{User-Password} -> password
Thu Apr  5 13:49:52 2012 : Info: [sql]     expand: INSERT INTO radpostauth                           (username, pass, reply, authdate,ip,webport,mediaport)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}:-%{Role2}', '%S','%{IP}','%{WEBPORT}','%{MEDIAPORT}') -> INSERT INTO radpostauth                           (username, pass, reply, authdate,ip,webport,mediaport)                           VALUES (                           'testing',                           'password',                           'Access-Accept:-', '2012-04-05 13:49:52','','','')
Thu Apr  5 13:49:52 2012 : Info: [sql]     expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
Thu Apr  5 13:49:52 2012 : Debug: rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate,ip,webport,mediaport)                           VALUES (                           'testing',                           'password',                           'Access-Accept:-', '2012-04-05 13:49:52','','','')
Thu Apr  5 13:49:52 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 4
Thu Apr  5 13:49:52 2012 : Debug: rlm_sql_mysql: query:  INSERT INTO radpostauth                           (username, pass, reply, authdate,ip,webport,mediaport)                           VALUES (                           'testing',                           'password',                           'Access-Accept:-', '2012-04-05 13:49:52','','','')
Thu Apr  5 13:49:52 2012 : Debug: rlm_sql (sql): Released sql socket id: 4
Thu Apr  5 13:49:52 2012 : Info: ++[sql] returns ok
Thu Apr  5 13:49:52 2012 : Info: ++[exec] returns noop
Sending Access-Accept of id 1 to 127.0.0.1 port 57378
    Role = "http://www.freeradius.org/rfc/attributes.html"
    Role2 = "Home A"
Thu Apr  5 13:49:52 2012 : Info: WARNING: Unknown destination 127.0.0.1:4200 for CoA request.
Thu Apr  5 13:49:52 2012 : Info: Do CoA Fail handler here
Thu Apr  5 13:49:52 2012 : Info: Finished request 2.
Thu Apr  5 13:49:52 2012 : Debug: Going to the next request
Thu Apr  5 13:49:52 2012 : Debug: Waking up in 4.9 seconds.
Thu Apr  5 13:49:57 2012 : Info: Cleaning up request 2 ID 1 with timestamp +1160
Thu Apr  5 13:49:57 2012 : Info: Ready to process requests

Thanks
raihan

Re: How to configure COA in freeRadius

Alan DeKok-2
ulislam.raihan wrote:

> I have put the following CoA list in the authorization section of the default file
> to enable the CoA request. The default file is in /etc/freeradius/sites-available.
> update coa {
>           User-Name = "%{User-Name}"
>           Acct-Session-Id = "%{Acct-Session-Id}"
>           NAS-IP-Address = "%{NAS-IP-Address}"
>           Packet-Dst-Port = 4200
> }
>
> I am sending Access-Request from my java program and listening to port 4200.
> I am getting success Access-Accept . but i am not getting any COA request
> instead i have seen following error "Info: WARNING: Unknown destination
> 127.0.0.1:4200 for CoA request."

  read raddb/sites-available/originate-coa

  This is documented.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to configure COA in freeRadius

ulislam.raihan
Hi Alan,

I must be very dumb... I have read that document several times. But can you clear up one thing for me: for FreeRADIUS to send a CoA request to another client, does one need to configure a virtual server?

Thanks
raihan

Re: How to configure COA in freeRadius

Alan DeKok-2
ulislam.raihan wrote:
> I must be very dumb... I have read that document several times. But can you
> clear up one thing for me: for FreeRADIUS to send a CoA request to another
> client, does one need to configure a virtual server?

  If you're going to use CoA, it would be a good idea to follow the
existing examples.

  Perhaps you could try using the originate-coa example, rather than
ignoring it?

  Alan DeKok.

Re: How to configure COA in freeRadius

ulislam.raihan
If the NAS and the FreeRADIUS server are on the same PC, then to which port on the NAS will FreeRADIUS send the CoA request?

Thanks
Raihan


Re: How to configure COA in freeRadius

Alan DeKok-2
ulislam.raihan wrote:
> If the NAS and the FreeRADIUS server are on the same PC, then to which port
> on the NAS will FreeRADIUS send the CoA request?

  This is documented.  You were told which file to read.

  Alan DeKok.

Re: How to configure COA in freeRadius

ulislam.raihan
Hi Alan,
The document says:
"The default destination of a CoA packet is the NAS (or client)
#  the sent the original Access-Request or Accounting-Request.
"

So in the Access-Request it is mentioned, as shown below:

rad_recv: Access-Request packet from host 127.0.0.1 port 57378, id=1, length=59
    User-Name = "testing"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 4200
    User-Password = "password"

But then why is it showing "Unknown destination"? The log from radiusd is shown below.
Thu Apr  5 13:49:52 2012 : Info: WARNING: Unknown destination 127.0.0.1:4200 for CoA request.
Thu Apr  5 13:49:52 2012 : Info: Do CoA Fail handler here

I have checked with the netstat command in the OS that a Java program is listening on port 4200.

Do I have to configure the NAS client IP and port in the home_server section of the originate-coa file?

Thanks for your patience
Best Regards
Raihan
Alan DeKok-2 wrote
ulislam.raihan wrote:
> If the NAS and the FreeRADIUS server are on the same PC, then to which port
> on the NAS will FreeRADIUS send the CoA request?

  This is documented.  You were told which file to read.

  Alan DeKok.

Re: How to configure COA in freeRadius

ulislam.raihan
Hi Alan,

I just want to add that the current configuration in the originate-coa file is below. It is the default configuration; I did not change it.

home_server localhost-coa {
        type = coa

        #
        #  Note that a home server of type "coa" MUST be a real NAS,
        #  with an ipaddr or ipv6addr.  It CANNOT point to a virtual
        #  server.
        #
        ipaddr = 127.0.0.1
        port = 3799

        #  This secret SHOULD NOT be the same as the shared
        #  secret in a "client" section.
        secret = testing1234

        #  CoA specific parameters.  See raddb/proxy.conf for details.
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
}

And in clients.conf I did not enable the "# coa_server = coa" line, because I did not want the FreeRADIUS server to receive the CoA request. I hope my understanding is right.

Thanks for your patience
Best Regards
Raihan

Re: How to configure COA in freeRadius

Alan DeKok-2
In reply to this post by ulislam.raihan
ulislam.raihan wrote:
> Hi Alan ,
> The document says
> "/The default destination of a CoA packet is the NAS (or client)
> #  the sent the original Access-Request or Accounting-Request./"

  Yes.  To the *IP* of the NAS.  But which port?

> So in the Access-Request it is mentioned as shown in below
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 57378, id=1,
> length=59
>     User-Name = "testing"
>     NAS-IP-Address = 127.0.0.1
>     NAS-Port = 4200

  The NAS-Port is *not* the CoA port.

>     User-Password = "password"
>
> But then why it is showing "Unknown destination".  The log from the  radiusd
> shows below.
> Thu Apr  5 13:49:52 2012 : Info: WARNING: Unknown destination 127.0.0.1:4200
> for CoA request.

  Yes... because you didn't configure the shared secret for CoA.

> I have check with the netstat command in the OS  that a java program is
> listening to the port 4200.

  That doesn't matter.

> Do i have to configure the NAS client IP and port in home_server section of
> originate-coa file ?

  That's what the documentation says.

  Alan DeKok.

Re: How to configure COA in freeRadius

ulislam.raihan

Alan DeKok-2 wrote

>
> ulislam.raihan wrote:
>> Hi Alan ,
>> The document says
>> "/The default destination of a CoA packet is the NAS (or client)
>> #  the sent the original Access-Request or Accounting-Request./"
>
>   Yes.  To the *IP* of the NAS.  But which port?
> To Alan>> That was my question in my previous mail. So I have to specify the
> CoA port in the home_server section of the originate-coa file, if my
> understanding is right.
>
>> So in the Access-Request it is mentioned as shown in below
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 57378, id=1,
>> length=59
>>     User-Name = "testing"
>>     NAS-IP-Address = 127.0.0.1
>>     NAS-Port = 4200
>
>   The NAS-Port is *not* the CoA port.
>
>>     User-Password = "password"
>>
>> But then why it is showing "Unknown destination".  The log from the
>> radiusd
>> shows below.
>> Thu Apr  5 13:49:52 2012 : Info: WARNING: Unknown destination
>> 127.0.0.1:4200
>> for CoA request.
>
>   Yes... because you didn't configure the shared secret for CoA.
> To Alan>> Where do I configure the secret for CoA? I hope in clients.conf.
> Then it will look like this:
> client 127.0.0.1 {
> secret = testing123-2
> shortname = private-network-2
>         coa_server = localhost-coa
> }
>
> and in originate-coa  the configuration will be
> home_server localhost-coa {
> type = coa
>
> #
> #  Note that a home server of type "coa" MUST be a real NAS,
> #  with an ipaddr or ipv6addr.  It CANNOT point to a virtual
> #  server.
> #
> ipaddr = 127.0.0.1
> port = 4200
>
> #  This secret SHOULD NOT be the same as the shared
> #  secret in a "client" section.
> secret = testing1234
>
> #  CoA specific parameters.  See raddb/proxy.conf for details.
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> }
>
>> I have check with the netstat command in the OS  that a java program is
>> listening to the port 4200.
>
>   That doesn't matter.
>
>> Do i have to configure the NAS client IP and port in home_server section
>> of
>> originate-coa file ?
>
>   That's what the documentation says.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
Quoted from:
http://freeradius.1045715.n5.nabble.com/How-to-configure-COA-in-freeRadius-tp5620185p5622396.html


Re: How to configure COA in freeRadius

ulislam.raihan
In reply to this post by Alan DeKok-2
Hi Alan,

That was my question in my second post. So I have to specify the CoA port in the home_server section of the originate-coa file, if my understanding is right.

Where do I configure the secret for CoA? I hope in clients.conf. Then it will look like this:
client 127.0.0.1 {
        secret = testing123-2
        shortname = private-network-2
        coa_server = localhost-coa
}

and in originate-coa the configuration will be:
home_server localhost-coa {
        type = coa

        #
        #  Note that a home server of type "coa" MUST be a real NAS,
        #  with an ipaddr or ipv6addr.  It CANNOT point to a virtual
        #  server.
        #
        ipaddr = 127.0.0.1
        port = 4200

        #  This secret SHOULD NOT be the same as the shared
        #  secret in a "client" section.
        secret = testing1234

        #  CoA specific parameters.  See raddb/proxy.conf for details.
        coa {
                irt = 2
                mrt = 16
                mrc = 5
                mrd = 30
        }
}

Thanks again..

Best regards
Raihan

Re: How to configure COA in freeRadius

Alan DeKok-2
In reply to this post by ulislam.raihan
ulislam.raihan wrote:
> Quoted from:
> http://freeradius.1045715.n5.nabble.com/How-to-configure-COA-in-freeRadius-tp5620185p5622396.html

  If you're going to insist on being obtuse, you can be unsubscribed and
banned.

  You either didn't read the configuration you posted, or you didn't
understand it.

  You're sending packets to port 4200, but the default configuration
uses 3799.  Perhaps this could be a problem?

  What *additional* documentation do we need to write so that you will
understand "destination port" means "destination port", and not "magical
thing I'm supposed to not touch"?

  Alan DeKok.

Re: How to configure COA in freeRadius

ulislam.raihan
Hi Alan,

Thanks for your advice. I was actually confused about the home server: does it refer to a virtual server or the NAS?
It's now clear and I have solved the problem: I added originate-coa to radiusd.conf. Now FreeRADIUS is sending the request to the port.

Thanks
Raihan
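
The NAS side of the exchange discussed in this thread, as an added example that is not part of any post or of FreeRADIUS itself: a listener on the home_server port only accepts a CoA-Request whose Request Authenticator matches the shared secret (RFC 5176), and answers with a CoA-ACK that the server verifies the same way. The function names and the sample attributes are assumptions; the secrets and port 3799 are the values quoted in the posts above.

```python
import hashlib
import hmac
import socket
import struct

COA_REQUEST, COA_ACK = 43, 44          # RFC 5176 packet codes
# Constructed sample attributes: User-Name (1) and NAS-IP-Address (4)
SAMPLE_ATTRS = [(1, b"testing"), (4, socket.inet_aton("127.0.0.1"))]

def build_coa_request(ident, attrs, secret):
    """Server side: Request Authenticator = MD5(header + 16 zero octets + attrs + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def handle_coa(packet, secret):
    """NAS side: return a CoA-ACK, or None when the packet must be silently dropped."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or not 20 <= length <= len(packet):
        return None
    packet = packet[:length]           # ignore padding past the stated length
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                    # wrong shared secret or modified packet
    header = struct.pack("!BBH", COA_ACK, ident, 20)
    # Response Authenticator = MD5(header + Request Authenticator + attrs + secret)
    return header + hashlib.md5(header + packet[4:20] + secret).digest()

def verify_reply(request, reply, secret):
    """Server side: check that the reply answers this request under the same secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def serve(secret, port=3799):
    """Listen where the home_server 'port' points; 3799 is the default quoted above."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    while True:
        data, peer = sock.recvfrom(4096)
        reply = handle_coa(data, secret)
        if reply is not None:
            sock.sendto(reply, peer)

if __name__ == "__main__":
    req = build_coa_request(7, SAMPLE_ATTRS, b"testing1234")
    print("ack:", handle_coa(req, b"testing1234").hex())
    print("dropped:", handle_coa(req, b"testing123-2") is None)
```

A request built with the home_server secret is acknowledged, while the same packet checked against the client-section secret is dropped without a reply, which the sending server sees only as a timeout.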