willy70 asked:

Cisco Aironet and Freeradius2, accounting question

Dear Experts-Exchange support,
our company has some Cisco Aironet 1100 and 1200 access points and one Linux box with FreeRADIUS 2 for the management of the authentication. These systems work very well and are capable of storing login information inside the radius log files. Every login session is written into the radius log files, /var/log/radius/radius.log and /var/log/radius/radacct/AP/auth-.detail-YYYMMDD.

The question is: what should I change to log the user logout from the access point?
I'd like to write logout or disconnect information inside the radius logs.

In the following I send the AP config, for example:
...
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_eap3
 server 10.0.100.3 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login eap_methods3 group rad_eap3
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
dot11 ssid dot1x
   vlan 3
   authentication open eap eap_methods3
   authentication key-management wpa
   mbssid guest-mode
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key .....
radius-server vsa send accounting
!

Also I can post the freeradius config file, for example, radiusd.conf:

...
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
...
#
#  Logging section.  The various "log_*" configuration items
#  will eventually be moved here.
#
log {
        destination = files
        file = ${logdir}/radius.log
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
}
...

and the clients.conf is:
....
client 10.0.3.103 {
        secret = XXXX
        nastype = cisco
        shortname = AP-1
}
...


Any ideas?
Thank you so much!

V.B. Regards
Enrico

jackiechen858:

I doubt it's possible. My understanding is the RADIUS server only authenticates login, not logout. You don't need a username/password to log out.

I guess what you can do is poll that information from the Cisco device, e.g. writing a script to poll the currently logged-in user information to a TFTP server every 5 minutes.


I did a similar task before: I wrote an expect script to log in to a Cisco device and save user information to a TFTP server, then another script to parse the result file and save it into a database.


willy70 (ASKER):

In the past I've used a Cisco Access Server (AS5300) and when ISDN users made calls,
radius wrote login and logout information.
From this experience I remember some IOS commands:
...
aaa accounting exec default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 15 default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
...

so I think the Aironet should be able to send the radius server disconnect info.
Also I remember an old radius script that read the log file to show
summary information per user, showing connect and disconnect time.
Any other suggestions?
Many thanks again.
V.B. Regards
Enrico
willy70 (ASKER):

Does anyone have any ideas?
Thanks.
ASKER CERTIFIED SOLUTION
giltjr
willy70 (ASKER):

Many thanks for this suggestion! It's really very useful.

My last question is about tools for log analysis. I know about radlast but
I believe that other scripts or tools exist that show reports read from the
radacct/detail-YYYMMDD file. Any ideas?

Thanks again
Very Best Regards
Enrico
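As an added example (not from this thread or from the FreeRADIUS project), here is a small Python reader for the radacct detail file that does what the asker's old summary script did: it pairs each accounting Start with its Stop by Acct-Session-Id, so a session that never received a Stop (the NAS never reported the disconnect) is flagged. The detail-file layout assumed is the one FreeRADIUS's detail module writes (a date line, then tab-indented "Attribute = Value" lines, records separated by a blank line); the three sample records and their values are constructed.

```python
import re
import time
# Constructed sample of a FreeRADIUS detail file: each record is a date line followed
# by tab-indented "Attribute = Value" lines, with a blank line between records.
SAMPLE_DETAIL = """\
Tue Jan  5 10:00:01 2010
\tAcct-Session-Id = "00000001"
\tAcct-Status-Type = Start
\tUser-Name = "enrico"
\tTimestamp = 1262685601

Tue Jan  5 10:42:13 2010
\tAcct-Session-Id = "00000001"
\tAcct-Status-Type = Stop
\tAcct-Terminate-Cause = User-Request
\tTimestamp = 1262688133

Tue Jan  5 11:05:00 2010
\tAcct-Session-Id = "00000002"
\tAcct-Status-Type = Start
\tUser-Name = "guest"
\tTimestamp = 1262689500
"""
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_detail(text):
    # Skip the human-readable date line; keep attribute pairs with quotes stripped.
    for chunk in text.strip().split("\n\n"):
        pairs = (ATTR_RE.match(line) for line in chunk.split("\n")[1:])
        yield {m.group(1): m.group(2) for m in pairs if m}

def sessions(text):
    """Pair Start and Stop records by Acct-Session-Id; no Stop means still open."""
    out = {}
    for rec in parse_detail(text):
        sid = rec.get("Acct-Session-Id")
        if not sid:  # e.g. Accounting-On/Off records carry no session id
            continue
        s = out.setdefault(sid, {"user": rec.get("User-Name")})
        if rec.get("Acct-Status-Type") == "Start":
            s["start"] = int(rec["Timestamp"])
        elif rec.get("Acct-Status-Type") == "Stop":  # the logout/disconnect event
            s["stop"] = int(rec["Timestamp"])
            s["cause"] = rec.get("Acct-Terminate-Cause")
    return out

def report(text):
    """One radlast-style line per session, flagging sessions with no Stop record."""
    fmt = lambda t: time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t)) if t else "-"
    return [f"{s['user']:<8} sid={sid} start={fmt(s.get('start'))} "
            + (f"stop={fmt(s['stop'])} cause={s['cause']}" if "stop" in s else "OPEN (no Stop)")
            for sid, s in sessions(text).items()]
```

Point it at a real detail-YYYYMMDD file with `report(open(path).read())`; sessions reported as OPEN are the ones where the access point never sent the accounting Stop.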
Not really.

We only use our accounting logs where there is a problem or a question on whether somebody was actually logged in to our VPN. Then we just export the log (we use Cisco ACS as the accounting server) as a CSV file and do simple filtering in Excel.
willy70 (ASKER):

Thank you so much again!
willy70 (ASKER):

Congratulations to giltjr.