rlm_sql: Password in Accounting Packet

Marco Stuhl skipperinc at gmail.com
Fri Dec 15 20:51:45 CET 2006


Hello Thibault,

Thanks for the in-depth explanation. Here are some of my impressions
regarding this solution.

Only attribute I can rely on is Acct-Session-Id (present in
Authorization and Accounting requests) - drawback is in the RAS, which
resets the counter after every reboot, so this string is not unique (a
must for SQL joins).

Maybe there's some other attribute to look for?


Cheers,
Marco


On 12/15/06, Thibault Le Meur <Thibault.LeMeur at supelec.fr> wrote:
>
>
>
>
>
> -----Message d'origine-----
> De :    freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org    [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org]    De la part de Marco Stuhl
> Envoyé : vendredi 15 décembre    2006 13:47
> À : FreeRadius users mailing    list
> Objet : Re: RE : RE : rlm_sql: Password in Accounting    Packet
>
>
> Here's the scenario.
>
> I'd like to make one username for all users    having/sharing same service (e.g. users w/ service A all have username 'foo'    with unique password for every user). Now, the problem arises with accounting,    or, to be more precise, session reports that will be available for them to see    and check their past sessions.
>
> So    the password can only be retreived for the Access-Request packet: use the    postauth query to record it, then use radacct to record accoutning    informations.
>
> Since accounting (SQL schema) is based on    unique username, I cannot make the distinction between users. Also, I've noted    (in past FR versions, though) that it was possible for log files, since FR    logged passwords there?
>
> Accounting is based on AcctSessionId (or AcctUniqueId, which can    be computed by a FR module). AFAIK, there is no assumption about the    'unique username' thing: it is your session analyzer that makes such    assumption.
>
> If    you want to differentiate users, you'll have to find rules that help map    attributes recorded in the radacct table with attributes recorded in the    postauth table: then a simple Join can help recover the true    username.
>
> HTH,
> Thibault
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>




More information about the Freeradius-Users mailing list