Accounting Packets and Anonymous Identity

Phil Mayers p.mayers at imperial.ac.uk
Sun Feb 5 14:10:33 CET 2017


As a couple of people have noted, if the NAS supports it you can (in 
order of preference):

1. Return User-Name in Access-Accept which a compliant NAS will then 
copy to Accounting-Requests

2. Abuse Class in Access-Accept e.g. set it to "user=<name>" then 
extract that in preacct{} and rewrite the received username in the 
accounting packets

3. If the NAS sends Acct-Session-Id in Access-Requests, cache or store 
these in a DB, then do a cache/SQL lookup in preacct{} to find the 
username from authentication, and rewrite the accounting. You could hack 
this with NAS-IP-Address & Calling-Station-Id if you're really desperate 
and the Acct-Session-Id isn't present in Access-Request.

If none of these options are available, then you will need to perform 
offline or near-realtime analysis of your accounting to match auth to 
acct sessions and discover the real username.


More information about the Freeradius-Users mailing list