FreeRADIUS InkBridge

Accounting Requests

Goal: To send accounting requests to the server and to have the server log them.

Time: 20-30 minutes

In addition to authorisation and authentication, one of the primary roles of a RADIUS server is to record accounting information supplied by an NAS. In this exercise, you should create accounting requests to send to the server and see what the server does with those requests. This process simulates the actions taken by an NAS when a user logs in.

Use the entry in the file from the exercise in New User for user "bob".

Authenticate the user

Before sending accounting packets, the user must first be authenticated. This step ensures that the server recognizes the user and permits them to access the network. We will use the radclient command to simulate a Network Access Server (NAS) sending an Access-Request.

You can choose between two common authentication methods: PAP or CHAP. If you are a beginner, we recommend starting with PAP.

Option A - Using PAP (Recommended)

echo 'User-Name = "bob"
User-Password = "hello"
NAS-IP-Address = 127.0.0.1
NAS-Port = 501
Service-Type = Framed-User
Framed-Protocol = PPP' | radclient -x 127.0.0.1:1812 auth testing123

Option B - Using CHAP

echo 'User-Name = "bob"
CHAP-Password = "RPWZI373P"
NAS-IP-Address = 127.0.0.1
NAS-Port = 501
Service-Type = Framed-User
Framed-Protocol = PPP' | radclient -x 127.0.0.1:1812 auth testing123

Run the command for the method you prefer. If successful, you should see the following in your terminal and server logs.

Server debug output

When the server receives the packet, it will look up the user in its configuration files. You should see output similar to this (shown here for the PAP option):

(0)          files - | --> bob
(0)      files - files - Looking for key "bob"
...
(0)      pap - User authenticated successfully
(0)      pap (ok)

Radclient output

On the client side, radclient will display the response from the server:

Received Access-Accept Id 96 from 127.0.0.1:1812 ...
        Reply-Message = "Hello, bob! Basic access granted."
        Framed-Protocol = ::PPP
        Service-Type = ::Framed-User
        Framed-IP-Address = 192.168.10.12
        User-Name = "bob"

The Access-Accept message confirms that the user "bob" is now authenticated.

Send an Accounting-Start packet

Once the user has been authenticated, the NAS sends an Accounting-Request packet to tell the server that the session has started. This packet must contain the Acct-Status-Type = Start attribute.

We will use radclient to send this packet to the server’s accounting port (typically 1813).

echo 'User-Name = "bob"
Acct-Status-Type = Start
Acct-Session-Id = "01020304"
NAS-IP-Address = 127.0.0.1
NAS-Port = 501
NAS-Port-Type = Virtual
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 192.168.100.55' | radclient -x 127.0.0.1:1813 acct testing123

Server debug output

Observe the server’s output as it processes the accounting request. You should see it execute the accounting section and then send a response:

proto_radius_udp - Received Accounting-Request ID 6 length 77 radius_udp server * port 1813
(0)  default {
(0)    Received Accounting-Request ID 6 from 127.0.0.1:47339 to 127.0.0.1:1813 via lo
(0)      User-Name = "bob"
(0)      Acct-Status-Type = ::Start
(0)      Acct-Session-Id = "01020304"
(0)      NAS-IP-Address = 127.0.0.1
(0)      NAS-Port = 501
(0)      NAS-Port-Type = ::Virtual
(0)      Service-Type = ::Framed-User
(0)      Framed-Protocol = ::PPP
(0)      Framed-IP-Address = 192.168.100.55
(0)      Net {
......................
(0)    } # recv Accounting-Request ((ok))
......................
(0)  Done request
(0)  Sending Accounting-Response ID 6 from 0.0.0.0/0:1813 to 127.0.0.1:47339 length 20 via socket radius_udp server * port 1813
(0)    Packet-Type = ::Accounting-Response
(0)  Finished request

Radclient output

radclient will show the request it sent and the response it received from the server:

Sent Accounting-Request Id 6 from 0.0.0.0:47339 to 127.0.0.1:1813 length 77
        User-Name = "bob"
        Acct-Status-Type = ::Start
        Acct-Session-Id = "01020304"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 501
        NAS-Port-Type = ::Virtual
        Service-Type = ::Framed-User
        Framed-Protocol = ::PPP
        Framed-IP-Address = 192.168.100.55
Received Accounting-Response Id 6 from 127.0.0.1:1813 to 0.0.0.0:47339 via lo length 20

The receipt of an Accounting-Response confirms that the server has successfully recorded the start of the session.

After sending an Accounting-Start packet, you should verify that the server has actually recorded the information. The detail module is responsible for logging every accounting request into a textual file.

The directory where these logs are stored is defined in radiusd.conf. The typical path structure is as follows:

prefix = /usr/local
logdir = ${localstatedir}/log/radius
radacctdir = ${logdir}/radacct

For this tutorial, the detail logs for requests originating from 127.0.0.1 are stored in /usr/local/var/log/radius/radacct/127.0.0.1/.

You can also find the exact path by looking at the server’s debug logs. Look for a line that shows the expansion of the detail path:

(0)      detail - /usr/local/var/log/radius/radacct/%{Net.Src.IP}/detail-%Y-%m-%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/detail-2026-1-15

To view the recorded accounting data, run:

cat /usr/local/var/log/radius/radacct/127.0.0.1/detail-2026-1-15

Example detail log entry

Verify that the entry contains the information you sent, specifically the Acct-Status-Type:

Thu Jan 15 15:27:47 2026
	User-Name = "bob"
	Acct-Status-Type = ::Start
	Acct-Session-Id = "01020304"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 501
	...
	Packet-Type = ::Accounting-Request

Send an Accounting-Stop packet

When the user logs out or the session ends, the NAS sends an Accounting-Stop packet. This packet includes the total duration of the session and the amount of data transferred (measured in octets).

Run the following command to simulate a session end:

echo 'User-Name = "bob"
Acct-Status-Type = Stop
Acct-Session-Id = "01020304"
Acct-Session-Time = 3600
Acct-Input-Octets = 1048576
Acct-Output-Octets = 524288
NAS-IP-Address = 127.0.0.1
NAS-Port = 501
Framed-IP-Address = 192.168.100.55' | radclient -x 127.0.0.1:1813 acct testing123

Server debug output

The server will process the stop packet similarly to the start packet:

(0)    } # recv Accounting-Request ((ok))
...................................
(0)  Done request
(0)  Sending Accounting-Response ID 51 from 0.0.0.0/0:1813 to 127.0.0.1:59747 length 20 via socket radius_udp server * port 1813
(0)    Packet-Type = ::Accounting-Response
(0)  Finished request

Radclient output

On your terminal, radclient should confirm the session stop:

Sent Accounting-Request Id 51 from 0.0.0.0:59747 to 127.0.0.1:1813 length 77
        User-Name = "bob"
        Acct-Status-Type = ::Stop
        Acct-Session-Id = "01020304"
        Acct-Session-Time = 3600
        Acct-Input-Octets = 1048576
        Acct-Output-Octets = 524288
        ...
Received Accounting-Response Id 51 from 127.0.0.1:1813 to 0.0.0.0:59747 via lo length 20

The session is now officially closed in the server’s records. You can verify this by checking the detail log again.
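An added example (not part of the original tutorial or of FreeRADIUS): once Start and Stop records are in the detail file, they can be reconciled per session to find sessions that never closed, Stop records with no Start, and repeated Stops. It assumes the record layout shown above; the users "alice" and "carol" and their session IDs are constructed sample data.

```python
import re
from collections import defaultdict

ATTR = re.compile(r'^\s+([\w.-]+)\s*=\s*(.*)$')

def parse_detail(text):
    """Records are a timestamp line followed by indented 'Attr = value' lines."""
    records, cur = [], None
    for line in text.splitlines():
        m = ATTR.match(line)
        if m and cur is not None:
            # Drop surrounding quotes and the '::' enum prefix the server prints.
            cur[m.group(1)] = m.group(2).strip().strip('"').removeprefix("::")
        elif line and not line[0].isspace():
            records.append(cur := {"Timestamp": line.strip()})
    return records

def reconcile(records):
    """Pair Start/Stop per (NAS-IP-Address, Acct-Session-Id); return anomalies."""
    seen = defaultdict(lambda: {"Start": 0, "Stop": 0, "user": None})
    for r in records:
        status = r.get("Acct-Status-Type")
        if status in ("Start", "Stop"):  # other status types are ignored here
            s = seen[(r.get("NAS-IP-Address"), r.get("Acct-Session-Id"))]
            s[status] += 1
            s["user"] = r.get("User-Name")
    report = {"open": [], "orphan_stop": [], "duplicate_stop": []}
    for (_nas, sid), s in seen.items():
        if s["Start"] and not s["Stop"]:
            report["open"].append((s["user"], sid))
        if s["Stop"] and not s["Start"]:
            report["orphan_stop"].append((s["user"], sid))
        if s["Stop"] > 1:
            report["duplicate_stop"].append((s["user"], sid))
    return report

def _rec(ts, user, status, sid):
    return (f'{ts}\n\tUser-Name = "{user}"\n\tAcct-Status-Type = ::{status}\n'
            f'\tAcct-Session-Id = "{sid}"\n\tNAS-IP-Address = 127.0.0.1\n')

SAMPLE = "\n".join([  # constructed records, not real log data
    _rec("Thu Jan 15 15:27:47 2026", "bob", "Start", "01020304"),
    _rec("Thu Jan 15 16:27:47 2026", "bob", "Stop", "01020304"),
    _rec("Thu Jan 15 16:27:52 2026", "bob", "Stop", "01020304"),    # repeated Stop
    _rec("Thu Jan 15 16:30:00 2026", "alice", "Start", "0A0B0C0D"),  # never stopped
    _rec("Thu Jan 15 16:31:00 2026", "carol", "Stop", "0E0F1011"),   # no Start seen
])

print(reconcile(parse_detail(SAMPLE)))
```

Because the detail file name includes the date, a session that spans midnight has its Start and Stop in different files; pass the concatenated files to `parse_detail` before treating an orphan Stop as an anomaly.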

Questions

  1. Why do accounting messages require less configuration of the server than authentication methods?

  2. Why is the "detail" module useful?

  3. Where is the "detail" file located? Why is the "detail" file in this location? Where is it configured?

  4. What parts of the server manage user session information?

  5. What module other than "radutmp" can manage user session information?

  6. Why is it useful to record which users are currently logged in?

  7. What attributes that are found in the accounting request are not found in the authentication request? Why?

  8. Which attributes are required to be in an accounting request?

  9. What error message is produced on the second accounting stop, and why is it produced?