Accounting for nonexistent users / NAS ?

Fajar A. Nugraha list at fajar.net
Tue Feb 14 13:08:24 CET 2012


On Tue, Feb 14, 2012 at 6:31 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 14/02/12 11:18, justin76 at mac.com wrote:
>>
>> NAS are set up by partner companies all around the world. We can tell
>> them to fix the NAS but maybe it can take weeks and we don't want to
>> allow misconfigured NAS in the accounting at all.
>
>
> Freeradius can perform arbitrary processing, to ignore or accept packets.
> You need to:
>
>  1. Write down a policy showing which requests you want to permit, based on
> which attributes

... and that is often the hardest part. Really.

IMHO it's easier to just do something like this:
- give out a unique shared secret for each NAS
- log the NAS IP address (e.g. Packet-Src-IP-Address) on radacct (either
by overwriting an existing column, or adding a new one)
- handle user complaints if and when they come.

If a user complains that their quota is used incorrectly, and you can
trace that the NAS is misbehaving (or hacked, although unlikely) by
looking at records on radacct, then simply ban the NAS. It's the
least-effort method to get what you want.

-- 
Fajar
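
The radacct tracing described in the message above, as an added example that is not part of the original post: it shows which packet source address accounted for a complaining user's usage and which sources sent accounting for unknown users. Assumptions: the added column is named packet_src_ip (hypothetical), known users live in radcheck, and all rows are constructed sample data in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample rows: (username, nasipaddress, packet_src_ip,
# acctsessiontime, acctoutputoctets). packet_src_ip is the hypothetical
# extra column holding Packet-Src-IP-Address.
ROWS = [
    ("alice", "10.0.0.1", "192.0.2.10", 3600, 5_000_000),
    ("bob", "10.0.0.1", "192.0.2.10", 1200, 1_000_000),
    ("alice", "10.0.0.1", "198.51.100.7", 86400, 900_000_000),
    ("ghost1", "10.0.0.2", "198.51.100.7", 300, 10_000),
    ("ghost2", "10.0.0.2", "198.51.100.7", 300, 10_000),
    ("carol", "10.0.0.3", "203.0.113.5", 600, 200_000),
]
KNOWN_USERS = ["alice", "bob", "carol"]  # assumed to be stored in radcheck


def build_db():
    """Create an in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (username TEXT)")
    conn.execute(
        "CREATE TABLE radacct (username TEXT, nasipaddress TEXT, "
        "packet_src_ip TEXT, acctsessiontime INTEGER, acctoutputoctets INTEGER)"
    )
    conn.executemany("INSERT INTO radcheck VALUES (?)", [(u,) for u in KNOWN_USERS])
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def usage_by_source(conn, username):
    """For a complaining user: which sources reported usage, largest first."""
    return conn.execute(
        "SELECT packet_src_ip, COUNT(*), SUM(acctsessiontime), SUM(acctoutputoctets) "
        "FROM radacct WHERE username = ? GROUP BY packet_src_ip "
        "ORDER BY SUM(acctoutputoctets) DESC",
        (username,),
    ).fetchall()


def suspect_sources(conn):
    """Sources that sent accounting for usernames absent from radcheck."""
    return conn.execute(
        "SELECT a.packet_src_ip, COUNT(*) AS unknown_sessions, "
        "COUNT(DISTINCT a.username) "
        "FROM radacct a LEFT JOIN radcheck c ON c.username = a.username "
        "WHERE c.username IS NULL GROUP BY a.packet_src_ip "
        "ORDER BY unknown_sessions DESC"
    ).fetchall()
```

The output is a starting point for reviewing a NAS, since a source that dominates one user's usage or reports unknown usernames still needs a human decision before it is banned.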



