Working with data used at authentication time during accounting

Marki jm+freeradiususer at roth.lu
Tue Mar 16 23:57:31 CET 2021


On 3/15/2021 10:17 PM, Alan DeKok wrote:
>
>> Now, if possible, I would like to re-use some of that information at accounting stage. The thing is that I'm proxying the NAS' accounting packets to another firewall for SSO access, which also requires that information. The NAS doesn't remember the custom attributes from authentication response and doesn't include them in the accounting request. Probably, it doesn't have or need to. Still, I have to add them back in somehow.
> Use the "Class" attribute. You send it in the Access-Accept, and the NAS is supposed to include it in the Accounting-Request packets for that session.

That was the missing link, thank you very much. It is good to see that 
there can even be more than one Class attribute :)

Like this we can even configure the NAS (Cisco) Accounting features to 
directly contact the firewall (FortiGate) in order to establish the 
firewall policies (RSSO) without any proxying through the RADIUS server...

>
>> I see that the NAS transmits an audit-session-id which is identical in both the authentication and accounting packets. Maybe I could leverage that. But still both worlds (authentication/accounting) would somehow need to share some data.
> I presume you mean "Acct-Session-Id". And if the NAS sends that in Access-Request packets, that's very good. It means you can leverage that.

There are both. There is an Acct-Session-Id, but it's only present in the 
accounting packets unfortunately. "audit-session-id" seems to be a 
vendor-specific attribute (Cisco) and it's present both in 
Access-Request and Accounting-Request.

Thanks again,
Marki
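
The Class round trip discussed in this message, as an added example that is not part of the original post or of FreeRADIUS: it parses the attribute section of an Accounting-Request and recovers every Class value (RFC 2865 type 25) plus the Cisco audit-session-id, assumed here to be carried as a Cisco-AVPair (vendor 9, vendor type 1). The attribute values and session IDs are constructed sample data.

```python
import struct

CLASS = 25            # RFC 2865 Class attribute
VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute
CISCO = 9             # Cisco's enterprise number
CISCO_AVPAIR = 1      # Cisco-AVPair vendor type (assumed carrier of audit-session-id)

def attr(attr_type, value):
    """Encode one attribute: type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value

def cisco_avpair(text):
    """Wrap a Cisco-AVPair string in a Vendor-Specific attribute."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO) + attr(CISCO_AVPAIR, text.encode()))

def parse_attrs(data):
    """Yield (type, value) pairs, rejecting truncated or malformed lengths."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length

def session_context(data):
    """Collect every Class value and the Cisco audit-session-id, if present."""
    classes, audit_id = [], None
    for attr_type, value in parse_attrs(data):
        if attr_type == CLASS:
            classes.append(value)  # Class may legitimately appear more than once
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == CISCO:
            for sub_type, sub_value in parse_attrs(value[4:]):
                if sub_type == CISCO_AVPAIR and sub_value.startswith(b"audit-session-id="):
                    audit_id = sub_value.split(b"=", 1)[1].decode()
    return classes, audit_id

# Constructed sample data: two Class values the server put in the Access-Accept ...
ACCEPT_CLASSES = [b"group=staff", b"vlan=30"]
# ... and the attribute section of an Accounting-Request from a NAS that echoes them.
ACCT_ATTRS = (attr(44, b"0000002A")  # Acct-Session-Id, accounting only
              + b"".join(attr(CLASS, c) for c in ACCEPT_CLASSES)
              + cisco_avpair("audit-session-id=0A0000010000002A"))
```

Class values are not encrypted on the wire in plain RADIUS over UDP, so whatever the server places in them is readable by anything on the path between the NAS and the accounting receiver.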


