The RADIUS accounting protocol provides a way for RADIUS clients such as wireless access points to log user access information to a central server. Elektron supports RADIUS accounting, including the logging of RADIUS accounting messages and forwarding those messages to other servers.
Accounting Options
To receive accounting information from access points, the accounting service must first be started using the Elektron Settings application. RADIUS accounting options are configured using the Accounting pane in the Elektron Settings application. The following options are available:
- Primary RADIUS Accounting Port: RADIUS accounting servers normally listen on UDP port 1813 for incoming requests.
- Enable Secondary RADIUS Accounting Port: You may choose to listen on a second UDP port. Some older equipment uses UDP port 1646 for RADIUS accounting.
- Secondary RADIUS Accounting Port: If enabled, the default value is 1646.
- Forward RADIUS Accounting Requests: You may optionally forward accounting requests to another RADIUS server. With this option enabled, you must configure a primary server, and may optionally configure a secondary server.
- Primary Server Address: The hostname or IP address of the server that will receive forwarded accounting requests.
- Primary Server Port: The UDP port of the forwarding server, usually port 1813.
- Primary Shared Secret: The password or passphrase used to authenticate communications between Elektron and the forwarding server. You must configure the forwarding server with the same shared secret.
- Secondary Server Address: The hostname or IP address of a server that will receive forwarded accounting requests when the primary server cannot be reached. This field is optional.
- Secondary Server Port: The UDP port of the secondary forwarding server, usually port 1813.
- Secondary Shared Secret: The password or passphrase used to authenticate communications between Elektron and the secondary forwarding server. This field is optional.
Inner Identities
The Wi-Fi authentication protocols PEAP, TTLS, and EAP-FAST work by creating a TLS-encrypted tunnel between the user and your Elektron server. Authentication credentials are sent inside of the tunnel, and are not visible to the access point. When using these protocols, the username is sent in two places: the “outer identity”, which is sent unencrypted outside the TLS channel, and the “inner identity”, which is sent inside the encrypted TLS channel.
It is the inner identity username that Elektron uses to authenticate the user. This leaves the outer identity unused, meaning that it can be set to any value. Some clients will set this to a value other than the user’s actual username (usually “identity”), which keeps the true username private — only the user and the Elektron server will see it.
It is the wireless access point that sends the RADIUS accounting information regarding the user’s login session, and the access point only sees the outer identity. If the outer identity is not meaningful, then accounting messages that carry only that outer identity cannot be tied to a real user.
Elektron includes a feature that allows access points to generate useful accounting data while keeping the inner identity private. If the “Enable Inner Identity Decoding” option is enabled, Elektron will encrypt the inner identity and place it in a RADIUS Class attribute that it returns to the access point. When the access point generates accounting requests for the user, it will include the Class attribute, which can be decrypted by Elektron to reveal the inner identity.
To enable inner identity decoding, check the “Enable Inner Identity Decoding” checkbox and set a password in the “Inner Identity Secret” field. All inner identities will be encrypted using a key derived from this secret. If you use one instance of Elektron to provide authentication services and another instance to provide accounting services, configure the same Inner Identity Secret on both instances so that one may decrypt inner identities encrypted by the other.
When the accounting service receives the encrypted inner identity, it will decrypt and replace the “Username” RADIUS attribute in the accounting packet, making the process transparent in the accounting log and for RADIUS servers receiving accounting messages forwarded from Elektron.
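The round trip described above, as an added example that is not Elektron's own code: the authentication side seals the inner identity into a Class attribute, the access point echoes that Class in an Accounting-Request alongside the outer identity, and the accounting side checks the request authenticator with the shared secret (RFC 2866), decrypts the Class and replaces User-Name. Elektron's actual Class encryption format is not documented on this page, so the scheme here is an assumption: a key derived from the Inner Identity Secret with PBKDF2, an HMAC-SHA256 counter-mode keystream, and an HMAC tag checked before decryption so a Class produced under a different secret is rejected rather than decoded into garbage. All secrets and names are constructed sample values.

```python
"""Inner-identity round trip through a RADIUS Accounting-Request (illustrative)."""
import hashlib
import hmac
import secrets
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2866)
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_CLASS = 25
ATTR_ACCT_STATUS_TYPE = 40

# Assumed parameters of the illustrative Class encryption scheme (not Elektron's format)
NONCE_LEN = 12
TAG_LEN = 16
KDF_SALT = b"inner-identity-example-salt"  # constructed label
PBKDF2_ITERS = 100_000


def derive_key(inner_identity_secret: str) -> bytes:
    """Key derived from the configured Inner Identity Secret (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", inner_identity_secret.encode(),
                               KDF_SALT, PBKDF2_ITERS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode (stdlib-only stand-in for AES)
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_inner_identity(key: bytes, inner_identity: str, nonce: bytes = None) -> bytes:
    """Authentication side: produce the Class attribute value (nonce || ct || tag)."""
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    pt = inner_identity.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt_inner_identity(key: bytes, blob: bytes):
    """Accounting side: verify the tag first, then recover the inner identity, else None."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    try:
        return pt.decode()
    except UnicodeDecodeError:
        return None


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type(1) Length(1, includes header) Value
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_accounting_request(ident: int, attrs, shared_secret: bytes) -> bytes:
    """What the access point sends: header, Request Authenticator, attributes."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # RFC 2866 s.3: MD5(Code + ID + Length + 16 zero octets + attributes + shared secret)
    auth = hashlib.md5(header + b"\x00" * 16 + body + shared_secret).digest()
    return header + auth + body


def verify_accounting_request(packet: bytes, shared_secret: bytes) -> bool:
    """Accounting server check: the sender must know the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + shared_secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def process_accounting_request(packet: bytes, shared_secret: bytes, key: bytes):
    """Return the accounting record with User-Name replaced by the decoded inner identity."""
    if not verify_accounting_request(packet, shared_secret):
        return None
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError:
        return None
    record = {"User-Name": None, "Acct-Status-Type": None}
    for t, v in attrs:
        if t == ATTR_USER_NAME:
            record["User-Name"] = v.decode(errors="replace")
        elif t == ATTR_ACCT_STATUS_TYPE and len(v) == 4:
            record["Acct-Status-Type"] = struct.unpack(">I", v)[0]
    for t, v in attrs:
        if t == ATTR_CLASS:
            inner = decrypt_inner_identity(key, v)
            if inner is not None:
                record["User-Name"] = inner  # outer identity replaced, as the text describes
    return record


def demo(inner_secret="constructed-inner-identity-secret", shared=b"constructed-shared-secret"):
    key = derive_key(inner_secret)
    class_blob = encrypt_inner_identity(key, "alice@example.com")  # returned in Access-Accept
    attrs = [(ATTR_USER_NAME, b"identity"),               # outer identity seen by the AP
             (ATTR_CLASS, class_blob),                    # echoed back by the AP
             (ATTR_ACCT_STATUS_TYPE, struct.pack(">I", 1))]  # 1 = Start
    packet = build_accounting_request(7, attrs, shared)
    return process_accounting_request(packet, shared, key)


if __name__ == "__main__":
    print(demo())
```

The tag check before decryption is the important detail when two Elektron instances are involved: if the accounting instance is configured with a different Inner Identity Secret, the Class fails verification and the record keeps the outer identity rather than logging a corrupted username.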
Accounting Log
On Mac OS X systems, the server accounting log file is located at:
/Library/Logs/Periodik/radiusd_accounting.log
On Windows systems, the server accounting log file is located at:
%SYSTEM%\Logfiles\Periodik\radiusd_accounting.log
