Re: RE : RE : RE : rlm_sql: Password in Accounting Packet

To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Subject: Re: RE : RE : RE : rlm_sql: Password in Accounting Packet
From: "Marco Stuhl" <skipperinc@gmail.com>
Date: Fri, 15 Dec 2006 20:51:45 +0100
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=sIfqYWRxNbvSOhjtC/hcxkepna4eI53Lc+od+s2KOEnj5CzY5wCzyDhE6JNVHrbqMrAFj2MOvu9O2t5Fm2kpkCoIYIBO2HR5xmKfKCgVpYm1z9ihrA4Y8PPSECJ6/oaDab3yPtaOUwMnHaTVBvmAZ3MwhzdyyUbcpzPxGfa1DVE=
In-reply-to: <036e01c7204e$3db04a90$161ce4a0@supelec.fr>
References: <15f155d10612150446x767cae1er3c2dbc0dd743db34@mail.gmail.com> <036e01c7204e$3db04a90$161ce4a0@supelec.fr>
Reply-to: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>

Hello Thibault,

Thanks for the in-depth explanation. Here are some of my impressions
regarding this solution.

Only attribute I can rely on is Acct-Session-Id (present in
Authorization and Accounting requests) - drawback is in the RAS, which
resets the counter after every reboot, so this string is not unique (a
must for SQL joins).

Maybe there's some other attribute to look for?


Cheers,
Marco


On 12/15/06, Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:

-----Message d'origine-----
De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.freeradius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.freeradius.org] De la part de Marco Stuhl
Envoyé : vendredi 15 décembre 2006 13:47
À : FreeRadius users mailing list
Objet : Re: RE : RE : rlm_sql: Password in Accounting Packet

Here's the scenario.

I'd like to make one username for all users having/sharing same service (e.g. users w/ service A all have username 'foo' with unique password for every user). Now, the problem arises with accounting, or, to be more precise, session reports that will be available for them to see and check their past sessions.

So the password can only be retreived for the Access-Request packet: use the postauth query to record it, then use radacct to record accoutning informations.

Since accounting (SQL schema) is based on unique username, I cannot make the distinction between users. Also, I've noted (in past FR versions, though) that it was possible for log files, since FR logged passwords there?

Accounting is based on AcctSessionId (or AcctUniqueId, which can be computed by a FR module). AFAIK, there is no assumption about the 'unique username' thing: it is your session analyzer that makes such assumption.

If you want to differentiate users, you'll have to find rules that help map attributes recorded in the radacct table with attributes recorded in the postauth table: then a simple Join can help recover the true username.

HTH,
Thibault
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

References:
- Re: RE : RE : rlm_sql: Password in Accounting Packet
  - From: "Marco Stuhl" <skipperinc@gmail.com>
- RE : RE : RE : rlm_sql: Password in Accounting Packet
  - From: "Thibault Le Meur" <Thibault.LeMeur@supelec.fr>

Previous by Date: Re: Help with Simultaneous Login on Freeradius+Ldap
Next by Date: realms and local user file processing question
Previous by Thread: RE : RE : RE : rlm_sql: Password in Accounting Packet
Next by Thread: Re: RE : RE : rlm_sql: Password in Accounting Packet
Freeradius-Users December 2006 archives indexes sorted by: [ thread ] [ subject ] [ author ] [ date ]
Freeradius-Users list archive Table of Contents
More information about the Freeradius-Users mailing list

This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.