This topic is in part in response to this topic, addressing the empty user name issue in radius accounting records. Further investigation has shown that these radacct postings with empty userid are due to whitelisted MAC addresses on the router.
IMHO the radacct message sent to the radius server in such cases is erroneous and should be corrected. Coova sends a radacct message pertaining to User-Name ‘000\000\000\000’ which is nonsensical. Freeradius is replacing this bogus user name ‘000\000\000\000’ with an empty string.
(Note: I have a screen print of a radius debug sequence, where this can be seen, but I am not able to attach files in this forum. On request I can provide the freeradius debug sequence that shows the original radacct accounting request packet and the replacement of ‘000\000\000\000’ by '').
I propose instead of sending a message for user ‘000\000\000\000’ who simply does not exist, the radacct message should either
• Not be sent at all, as the MAC is bypassing the login procedure anyway
• Sent with the User-Name = Null, which is its true value
• Sent with the User-Name = Calling-Station-Id, in other words the MAC address of the device (preferred option)
I propose to change coova to behave in that manner, because it allows for a ‘mixed-scenario’, that is to say a scenario where some devices are authenticated based on their MAC address, whereas others require an authentication with a user id and password. Essentially the MAC address of the authenticating device becomes the user id. This approach is much ‘friendlier’ towards radacct analysis that is assuming that the user-id of a radacct message is always filled, as in 99.9% of all cases the users are required to login with username and password. If the radacct user id is left blank then any analysis just sees these many entries with User-Name = ‘’, and assumes this is one user. It is not very practical to have some radius accounting to be done against MAC address and other against user-id.
Again, I therefore request to have the content of the radacct message changed that way. Regardless of whether this proposal is accepted or not, the message should certainly not be sent with user-name = ‘000\000\000\000’ as it is now. That has to be a bug, requiring correction.
Regards
Hanno Schupp
Interim fix for Freeradius/Mysql:
For those that cannot wait to have the function changed as per my request or in case the proposal is pushed back, what follows is an adjustment of the mysql statements used in freeradius to update the radius accounting tables for anyone experiencing the same issue. It uses some advanced Mysql to replace an empty username with the MAC address in file /etc/freeradius/sql/mysql/mysql.conf. Just replace every occurrence of the string
'%{SQL-User-Name}'
With this string
IF('%{SQL-User-Name}' = '', '%{Calling-Station-Id}', '%{SQL-User-Name}')
That will replace an empty user name with the MAC address of the request.
What follows are some more details on the analysis of what is happening on the router and in freeradius.
Below is the output of chilli_query list. You can see there is the device with MAC 00-24-D2-4A-86-69 in status pass although there is NO userid attached. Looking at the mac allowed list that is permitted to bypass the coova login page, we see the MAC is included.
# chilli_query list
40-D3-2D-9F-6B-0F 192.168.182.163 dnat 4c4b598500000006 0 - 0/0 0/0 0/0 0/0 0 1 0/0 0/0 http://www.apple.com/library/test/success.html
00-16-44-DF-4D-E9 192.168.182.162 dnat 4c4b58d500000007 0 - 0/0 0/0 0/0 0/0 0 1 0/0 0/0 -
00-17-C4-75-4C-EC 192.168.182.161 pass 4c4b58340000000e 1 yifdar15 288/30470083 83/1200 112362/0 398047/0 0 1 0/250000 0/1000000 http://195.228.254.149/wpad.dat
00-19-70-2E-01-E4 0.0.0.0 none 4c4b57d800000005 0 - 0/0 0/0 0/0 0/0 0 1 0/0 0/0 -
00-60-B3-3A-71-33 0.0.0.0 none 4c4b57d80000000c 0 - 0/0 0/0 0/0 0/0 0 1 0/0 0/0 -
00-60-B3-3D-97-CF 0.0.0.0 none 4c4b57d800000003 0 - 0/0 0/0 0/0 0/0 0 1 0/0 0/0 -
00-60-B3-3D-96-F8 0.0.0.0 none 4c4b57d80000000d 0 - 0/0 0/0 0/0 0/0 0 1 0/0 0/0 -
00-60-B3-3D-97-8C 0.0.0.0 none 4c4b57d800000015 0 - 0/0 0/0 0/0 0/0 0 1 0/0 0/0 -
00-1F-A7-0A-DC-3B 192.168.182.160 dnat 4c4b572a0000000a 0 - 0/0 0/0 0/0 0/0 0 1 0/0 0/0 http://feu01.ps3.update.playstation.net/update/ps3/list/eu/ps3-updatelis...
00-16-EA-9B-19-9E 192.168.182.157 pass 4c4b4fe800000009 1 nimlad12 2299/83874 0/1200 1715246/0 7202561/0 0 1 2/100000 1/500000 http://195.228.254.149/wpad.dat
00-21-6B-06-F5-4C 192.168.182.155 pass 4c4b4c1000000002 1 yoxmor15 941/30298870 12/1200 676582/0 4751294/0 0 1 0/250000 0/1000000 http://195.228.254.149/wpad.dat
00-19-D2-70-6E-CD 192.168.182.154 pass 4c4b4bb000000014 1 buftayud6 3503/74338 2/1200 108955/0 543853/0 0 1 0/100000 0/300000 http://195.228.254.149/wpad.dat
00-18-DE-D8-BE-8C 192.168.182.149 pass 4c4b413000000001 1 bailies21 6206/30074974 11/3600 5382536/0 39807012/0 0 1 0/0 0/0 http://www.google.ie/
40-61-86-38-74-13 192.168.182.147 dnat 4c4b40af00000011 0 - 0/0 0/0 0/0 0/0 0 1 0/0 0/0 http://195.228.254.149/wpad.dat
00-10-60-26-96-3B 192.168.182.141 dnat 4c4b39c20000000f 0 - 0/0 0/0 0/0 0/0 0 1 0/0 0/0 http://195.228.254.149/wpad.dat
00-24-D2-4A-86-69 192.168.182.132 pass 4c4b313c00000010 1 - 10426/0 0/3600 13313653/0 408055862/0 0 1 0/0 0/0 -
00-1B-77-78-1B-1A 192.168.182.112 pass 4c4b1aae00000008 1 johnpaul81 15871/484340801 0/3600 12307128/1000000000 20871957/500000000 1000000000 1 0/0 0/0 http://conn.skype.com/
00-1C-BF-C0-B8-99 192.168.182.108 dnat 4c4b19e600000012 0 - 0/0 0/0 0/0 0/0 0 1 0/0 0/0 http://crl.entrust.net/server1.crl
00-16-44-E7-5D-96 192.168.182.54 pass 4c4ad1fa0000000b 1 cuvbev10 31028/259437 6/1200 4912979/0 126110555/0 0 1 0/100000 0/1000000 http://wpad.key.chillispot.info/wpad.dat
Appendix:
Here is the configuration coova is running with for reference:
root@Chillifire0015517:~# cat /etc/chilli/main.conf
# THIS FILE IS AUTOMATICALLY GENERATED
cmdsocket /var/run/chilli.sock
pidfile /var/run/chilli.pid
net 192.168.182.0/255.255.255.0
uamlisten 192.168.182.1
uamport 3990
dhcpif br-wifi
uamallowed "chillifire.net,208.67.222.222,208.67.220.220,192.168.182.1,208.67.222.222"
uamanydns
uamanyip
statip 192.168.180.1/255.255.255.0
nasmac 00-1E-E5-5B-BB-17
domain key.chillispot.info
dns1 192.168.10.254
dns2 208.67.222.222
uamhomepage http://www.carnebeach.com/log.html
wisprlogin https://coova.org/app/uam/auth
wwwdir /etc/chilli/www
wwwbin /etc/chilli/wwwsh
uamdomain .carnebeach.com
uamdomain .ldndatabase.com
uamdomain .eircom.net
uamdomain .yahoo.com
uamdomain 192.168.168.105
uamdomain .alldayvitamins.com
macallowed 40D32D8A2006,001e658115f4,001FE1D4ADF4,0024D24A8669
macallowlocal
swapoctets
coanoipcheck
interval 60
locationname "Chillifire"
radiuslocationname Chillifire
radiuslocationid isocc=,cc=,ac=,network=Chillifire,Europe
# cat /etc/chilli/hs.conf
radiusserver1 radius04.chillifire.net
radiusserver2 radius02.chillifire.net
radiussecret xxxxxxxxxxxxxxxxx
radiusauthport 1812
radiusacctport 1813
uamserver https://login04.chillifire.net/hotspotaccess.php
radiusnasid 00-1E-E5-5B-BB-17
papalwaysok
acctupdate
adminupdatefile /etc/chilli/local.conf
uamsecret yyyyyyyyyyyyyyyyyyyyyy
defidletimeout 3600
definteriminterval 180
coaport 3799
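
The string substitution from the interim fix above, scripted so that it keeps a backup and cannot be applied twice (a second pass would nest IF() inside IF()). This is an added example, not part of the original post or of FreeRADIUS; the function names and the two sample queries are constructed for illustration, and only the two strings being swapped come from the post.

```shell
#!/bin/sh
# The two strings from the post: what to find and what to put in its place.
OLD="'%{SQL-User-Name}'"
NEW="IF('%{SQL-User-Name}' = '', '%{Calling-Station-Id}', '%{SQL-User-Name}')"

# write_sample FILE: constructed, simplified accounting queries (not a real mysql.conf).
write_sample() {
    cat > "$1" <<'EOF'
accounting_start_query = "INSERT INTO ${acct_table1} (acctsessionid, username, callingstationid) \
  VALUES ('%{Acct-Session-Id}', '%{SQL-User-Name}', '%{Calling-Station-Id}')"
accounting_update_query = "UPDATE ${acct_table1} SET acctsessiontime = '%{Acct-Session-Time}' \
  WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}'"
EOF
}

# patch_sql_conf FILE: wrap every '%{SQL-User-Name}' in the IF() fallback.
# Keeps FILE.orig as a backup and does nothing if the fallback is already present.
patch_sql_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    if grep -qF -- "$NEW" "$conf"; then
        echo "already patched: $conf" >&2
        return 0
    fi
    cp -p "$conf" "$conf.orig" || return 1
    # '{', '%', '(' and ')' are literal in a basic regex; '|' is the s-command delimiter.
    sed "s|$OLD|$NEW|g" "$conf.orig" > "$conf" || return 1
}

# count_wrapped FILE: number of IF() fallbacks present.
count_wrapped() { grep -oF -- "$NEW" "$1" | wc -l | tr -d ' '; }

# count_bare FILE: occurrences of '%{SQL-User-Name}' left outside an IF() wrapper.
count_bare() {
    sed "s|$NEW||g" "$1" | grep -oF -- "$OLD" | wc -l | tr -d ' '
}
```

After patching the real file, `count_bare` should report 0 before freeradius is restarted; `FILE.orig` is the rollback copy.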