NAS are set up by partner companies all around the world. We can tell them to fix the NAS but maybe it can take weeks and we don't want to allow misconfigured NAS in the accounting at all. On Feb 14, 2012, at 12:08 PM, Phil Mayers wrote: On 14/02/12 10:59, justin76@mac.com wrote:
Thanks, i haven't used preacct before, in what module is this, can you send detailed solution? Sorry, i am only a beginner in writing customized things for freeradius.
This is a section in the standard virtual server config. If you look in sites-enabled/default, you'll see: authorize { ... } authenticate { ... } post-auth { ... } preacct { ... } accounting { ... } ...and others. The sections are lists of modules, or "unlang" config processing statements. See "man unlang".
About the NAS: in our case, the client is in posession of the shared secret, but the NAS is set incorrectly. Also, we are using a global user database for hundreds of NAS clients, and we would like to avoid a situation when a NAS client is sending accounting information for an existing user as a hacker attempt, causing invalid usage data and causing users account to expire. In case the existing user is configured as a local user AND the hacker knows that a username exists in our radcheck table (or just use a username list for guessing), this can be easily done.
I'm sorry, I don't understand any of that. If the NAS is "set incorrectly" why not fix the NAS? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html