racct and radpostauth

Fajar A. Nugraha list at fajar.net
Fri Sep 9 17:01:53 CEST 2011


On Fri, Sep 9, 2011 at 8:32 PM, andreapepa
<andrea.pepa at trentinonetwork.it> wrote:
> http://freeradius.1045715.n5.nabble.com/file/n4786389/freeradlogdebug
> freeradlogdebug
>
> that is the log.

Then your NAS (in this case, the simulator) is clearly broken (or
perhaps just misconfigured).

It says

"rad_recv: Accounting-Request packet from host 172.25.18.35 port
64225, id=246, length=153
	Acct-Status-Type = Start
"
even though the access request was clearly rejected earlier with

"Sending Access-Reject of id 40 to 172.25.18.35 port 64225
	Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"
"

Now this is a slightly different case compared to what Bjørn
mentioned. If Acct-Status-Type=Stop then it would've still made sense
somehow, and it will not interfere with simultaneous use checking.
HOWEVER, if a NAS sends 'Acct-Status-Type = Start' for a previously
rejected authentication request, and without ANY 'Acct-Status-Type =
Stop', then it doesn't make any sense, and it WILL interfere with
simultaneous query check. No session was ever actually started so it
shouldn't even send 'Acct-Status-Type = Start'.

So you've got two different things:
(1) NAS sending 'Acct-Status-Type = Start' for a previously rejected
authentication request
This is clearly wrong. Fix the NAS.
The good thing is since you say this NAS is just a simulator, it's
entirely possible that it's simply misconfigured, and no "real" NAS
would do such a thing.

(2) Checking which users are actually logged in
There are some ways to do this:
a) checkrad (as Alan mentioned), which basically uses several methods
(SNMP, telnet, etc.) to ask the NAS directly
b) analyze entries on radacct table

#2.a is accurate, but might not be desirable in some situations
#2.b is more generic and easy, but not 100% accurate, requires interim
updates to be configured, and it needs packet arrive time to be
recorded. I record it in Acct-Stop-Time column, but you can easily add
another column (e.g. Packet-Timestamp) for that purpose.

-- 
Fajar
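One way to do the radacct analysis from point 2.b, as an added example that is not Fajar's code nor anything shipped with FreeRADIUS: a Python/sqlite3 sketch that assumes a hypothetical packet_timestamp column (the extra "Packet-Timestamp" column he suggests) and a known Acct-Interim-Interval, and counts a session as live only if it has no Stop and its last packet is recent, so a stray Start with no Stop (case 1) stops counting once the interval has elapsed.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed Acct-Interim-Interval on the NAS, plus grace for delayed/retransmitted packets.
INTERIM_INTERVAL = timedelta(minutes=5)
GRACE = timedelta(minutes=1)

# Trimmed-down radacct with the extra packet_timestamp column Fajar suggests
# (hypothetical name; holds the arrival time of the last Start/Interim/Stop).
SCHEMA = """
CREATE TABLE radacct (
    acctsessionid TEXT, username TEXT, nasipaddress TEXT,
    acctstarttime TEXT, acctstoptime TEXT, packet_timestamp TEXT
);
"""

# Constructed sample rows, not taken from the thread's log.
SAMPLE_ROWS = [
    ("A1", "alice", "172.25.18.35", "2011-09-09 16:30:00", None, "2011-09-09 16:58:00"),
    ("A2", "alice", "172.25.18.35", "2011-09-09 16:50:00", None, "2011-09-09 16:57:00"),
    # Start only, never an Interim-Update or Stop: the broken-NAS case from the thread.
    ("B1", "bob", "172.25.18.35", "2011-09-09 15:00:00", None, "2011-09-09 15:00:00"),
    ("C1", "carol", "172.25.18.35", "2011-09-09 16:00:00", "2011-09-09 16:20:00", "2011-09-09 16:20:00"),
]

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def active_sessions(conn, now, interim=INTERIM_INTERVAL, grace=GRACE):
    """Map username -> session ids believed live at `now`: no Stop recorded and
    the last packet arrived within interim + grace.  A Start never followed by
    an Interim-Update or Stop (bob) ages out instead of blocking the user."""
    cutoff = (now - interim - grace).strftime("%Y-%m-%d %H:%M:%S")
    rows = conn.execute(
        "SELECT username, acctsessionid FROM radacct "
        "WHERE acctstoptime IS NULL AND packet_timestamp >= ? "
        "ORDER BY username, acctsessionid", (cutoff,))
    live = {}
    for user, sid in rows:
        live.setdefault(user, []).append(sid)
    return live

def simultaneous_use_violations(conn, now, max_sessions=1):
    """Users whose live session count exceeds the Simultaneous-Use limit."""
    return {u: s for u, s in active_sessions(conn, now).items() if len(s) > max_sessions}
```

Calling simultaneous_use_violations(build_sample_db(), datetime(2011, 9, 9, 17, 0, 0)) reports alice with two live sessions, while bob's orphaned Start is ignored because no interim update ever followed it.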