Thanks, i haven't used preacct before, in what module is this, can you send detailed solution? Sorry, i am only a beginner in writing customized things for freeradius. About the NAS: in our case, the client is in posession of the shared secret, but the NAS is set incorrectly. Also, we are using a global user database for hundreds of NAS clients, and we would like to avoid a situation when a NAS client is sending accounting information for an existing user as a hacker attempt, causing invalid usage data and causing users account to expire. In case the existing user is configured as a local user AND the hacker knows that a username exists in our radcheck table (or just use a username list for guessing), this can be easily done. On Feb 14, 2012, at 11:49 AM, Phil Mayers wrote: On 14/02/12 10:27, justin76@mac.com wrote:
Hi all,
we are using freeradius with mysql.
Accounting works fine, but we discovered that the server is doing accounting for users which don't exist at all in our system. They are probably local users but accounting information is sent to our servers.
How do we allow accounting for only our users? The server should check whether the user is in the radcheck table as we only keep users that which have a valid account.
How can this be achieved?
Well, possibly something like: preacct { update control { Tmp-Integer-0 := %{sql:select 1 from radcheck where username='%{User-Name}'} } } accounting { if (control:Tmp-Integer-0 == 1) { detail sql # whatever } }
Furthermore, it would be good if we could verify the NAS value so the server should only do accounting when the NAS is allowed.
I don't know what this means. If the NAS is "not allowed" then surely it's not a valid client, so it doesn't have a shared secret? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html