Freeradius-mysql (2.04), Cisco 515PIX (6.3), VPN accounting problem
Hi gurus,
I've set up a pix to do client VPN with Cisco client software.
The radius server is a debian lenny box with freeradius 2 and a mysql backend.
All is well, authentication works like a charm.
Getting accounting to work properly is a bit harder for me.
I'm getting many many records for each VPN connection that has been made.
See some content of my radacct table:
1 0x00210826 jaap 10.32.2.251 0 2009-05-20 13:55:43 2009-05-20 13:56:24 41 28042 41980 0 0
2 0x00210828 jaap 10.32.2.251 0 2009-05-20 13:55:52 2009-05-20 13:56:19 27 20528 55285 0 0
3 0x00210834 jaap 10.32.2.251 0 2009-05-20 13:56:45 2009-05-20 13:57:16 30 5038 10138 0 0
4 0x00210835 jaap 10.32.2.251 0 2009-05-20 13:56:45 2009-05-20 13:57:16 30 1992 3788 0 0
5 0x00210836 jaap 10.32.2.251 0 2009-05-20 13:57:16 2009-05-20 13:57:38 21 31040 49263 0 0
6 0x00210837 jaap 10.32.2.251 0 2009-05-20 13:57:17 2009-05-20 13:57:38 21 6900 12879
See the time/date stamps are very close together? This is only 1 VPN connection though! Obviously when using a tool like dialup-admin it doesn't provide me with proper output/graphs.
Also, I've noticed in my radius.log many of these:
Error: rlm_radutmp: Logout for NAS pubflw03 port 0, but no Login record
Is something wrong with the SQL statements of freeradius? Or is it the NAS (Cisco) that is spewing so many records because of misconfiguration, or maybe a bug (due to the IOS being a bit old)?
The Cisco conf looks like this:
<snip>
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.32.2.6 **(crypt. pass)** timeout 5
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS
<snip>
Last remark: simultaneous use checking doesn't work either, I'm doing that with the (preconfigured) options in dialup.conf.
I've changed the server to log 0000-00-00 00:00:00 instead of NULL and it does write this in radacct->acctstoptime.
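
The radacct rows quoted above, collapsed into logical sessions by merging records for the same user and NAS whose start/stop intervals overlap or nearly touch. This is an added example, not part of the original post; the column meanings and the 30-second gap tolerance are assumptions.

```python
from datetime import datetime, timedelta

# Rows copied from the post's radacct excerpt. Column meanings are assumed:
# id, session id, user, NAS IP, port, start, stop, seconds, octets in, octets out.
RADACCT_ROWS = """\
1 0x00210826 jaap 10.32.2.251 0 2009-05-20 13:55:43 2009-05-20 13:56:24 41 28042 41980 0 0
2 0x00210828 jaap 10.32.2.251 0 2009-05-20 13:55:52 2009-05-20 13:56:19 27 20528 55285 0 0
3 0x00210834 jaap 10.32.2.251 0 2009-05-20 13:56:45 2009-05-20 13:57:16 30 5038 10138 0 0
4 0x00210835 jaap 10.32.2.251 0 2009-05-20 13:56:45 2009-05-20 13:57:16 30 1992 3788 0 0
5 0x00210836 jaap 10.32.2.251 0 2009-05-20 13:57:16 2009-05-20 13:57:38 21 31040 49263 0 0
6 0x00210837 jaap 10.32.2.251 0 2009-05-20 13:57:17 2009-05-20 13:57:38 21 6900 12879
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse_rows(text):
    """Return (user, nas, start, stop, octets_in, octets_out) tuples."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12:
            continue  # blank or malformed line
        start = datetime.strptime(f[5] + " " + f[6], FMT)
        stop = datetime.strptime(f[7] + " " + f[8], FMT)
        rows.append((f[2], f[3], start, stop, int(f[10]), int(f[11])))
    return rows

def merge_sessions(rows, max_gap=timedelta(0)):
    """Merge records of the same user and NAS whose intervals overlap or
    lie within max_gap of each other into one logical session."""
    sessions = []
    for user, nas, start, stop, o_in, o_out in sorted(rows, key=lambda r: r[:3]):
        last = sessions[-1] if sessions else None
        if last and last["key"] == (user, nas) and start <= last["stop"] + max_gap:
            last["stop"] = max(last["stop"], stop)
            last["records"] += 1
            last["in"] += o_in
            last["out"] += o_out
        else:
            sessions.append({"key": (user, nas), "start": start, "stop": stop,
                             "records": 1, "in": o_in, "out": o_out})
    return sessions

if __name__ == "__main__":
    for s in merge_sessions(parse_rows(RADACCT_ROWS), timedelta(seconds=30)):
        secs = int((s["stop"] - s["start"]).total_seconds())
        print(s["key"], s["start"], s["stop"], f"{secs}s", s["records"], "records")
```

With no gap tolerance the six rows form two groups; allowing a 30-second gap they collapse into a single session.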