Detecting RELATED accounting packets

Nasser Heidari nasser at rasana.net
Tue Nov 17 14:21:36 CET 2015


Hi, 

In my current environment I'm using a RADIUS proxy. As a new requirement I
want to allow all users who are rejected by the proxy to connect to the
network, but put them in a walled garden and let them access only specified
resources. Also, when they get connected I should store their IP, MAC and NAS
information, which exists in the accounting packet.

I want to create a virtual server on the RADIUS proxy and handle all REJECTED
users with it. The problem is that there isn't any relation between
authentication and accounting packets, so I don't know which accounting
packets are related to REJECTED users in order to forward them to the virtual
server.

I have two ideas which may help me to solve this issue:
1- Store the POSTAUTH message in a DB and then, when I receive accounting
packets, in the preacct stage look up the user's info using (mac+nas+nas-port)
in the POSTAUTH DB and then decide to forward the packet to the PROXY or the
virtual server.
2- When I'm sending the access-accept, send another attribute to the NAS
(which is Cisco), and the NAS should include this special attribute in all
accounting packets of REJECTED users, so using this I can separate users and
send the correct accounting info to the PROXY or the virtual server. (Trying
to use a kind of marking method, which I'm not sure is possible.)

I would be thankful if you would kindly share your ideas about this problem
and other possible methods to solve it.

Kind Regards,
Nasser
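
Idea 1 from the message above, sketched as an added example (not part of the original post and not FreeRADIUS code): a post-auth record keyed on (mac, nas, nas-port) is matched against the accounting Start, and later Interim-Update/Stop packets follow the same route via Acct-Session-Id. `PostAuthStore`, the 300-second TTL and the destination labels are assumptions; packets are plain dicts using standard RADIUS attribute names.

```python
import re
import time

def norm_mac(calling_station_id):
    """Reduce any MAC notation (AA-BB-.., aabb.ccdd.., aa:bb:..) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return digits.lower()

def auth_key(pkt):
    """The (mac, nas, nas-port) tuple proposed in the post as the correlation key."""
    return (norm_mac(pkt["Calling-Station-Id"]), pkt["NAS-IP-Address"], str(pkt["NAS-Port"]))

class PostAuthStore:
    """In-memory stand-in for the post-auth DB table (hypothetical name)."""

    def __init__(self, ttl=300):
        self.ttl = ttl          # assumption: seconds a post-auth row may wait for its Start
        self._pending = {}      # auth_key -> (proxy_rejected, timestamp)
        self._sessions = {}     # (NAS-IP-Address, Acct-Session-Id) -> destination

    def record(self, auth_pkt, proxy_rejected, now=None):
        """Call from post-auth: remember whether the proxy rejected this login."""
        self._pending[auth_key(auth_pkt)] = (proxy_rejected, time.time() if now is None else now)

    def route(self, acct_pkt, now=None):
        """Call from preacct: return 'walled-garden', 'proxy' or 'unknown'."""
        now = time.time() if now is None else now
        try:
            sid = (acct_pkt["NAS-IP-Address"], acct_pkt["Acct-Session-Id"])
            if acct_pkt["Acct-Status-Type"] != "Start":
                # Interim-Update/Stop follow whatever their Start was routed to.
                dest = self._sessions.get(sid, "unknown")
                if acct_pkt["Acct-Status-Type"] == "Stop":
                    self._sessions.pop(sid, None)
                return dest
            row = self._pending.pop(auth_key(acct_pkt), None)
        except (KeyError, ValueError):
            return "unknown"    # missing or malformed attributes: do not guess
        if row is None or now - row[1] > self.ttl:
            return "unknown"    # stale row: the port may now belong to someone else
        dest = "walled-garden" if row[0] else "proxy"
        self._sessions[sid] = dest
        return dest
```

The TTL and the one-time use of each post-auth row keep an old REJECTED decision from being applied to a later user who lands on the same NAS port.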



More information about the Freeradius-Users mailing list