Any suggestions? Thank you! On Feb 14, 2012, at 3:47 PM, justin76@mac.com wrote: Can this be achived for only accounting start requests? So the check would be only when a new accounting session starts, ongoing sessions shouldn't be checked. preacct { update control { Tmp-Integer-0 := %{sql:select 1 from radcheck where username='%{User-Name}'} } } accounting { if (control:Tmp-Integer-0 == 1) { detail sql # whatever } } On Feb 14, 2012, at 1:08 PM, Fajar A. Nugraha wrote: On Tue, Feb 14, 2012 at 6:31 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 14/02/12 11:18, justin76@mac.com wrote:
NAS are set up by partner companies all around the world. We can tell them to fix the NAS but maybe it can take weeks and we don't want to allow misconfigured NAS in the accounting at all.
Freeradius can perform arbitrary processing, to ignore or accept packets. You need to:
1. Write down a policy showing which requests you want to permit, based on which attributes
... and that is often the hardest part. Really. IMHO it's easier to just do something like this: - give out unique shared secret for each NAS - log NAS IP address (e.g. Packet-Src-IP-Address) on radacct (either by overwriting an existing column, or add a new one) - handle user complains if and when they come. If a user complains that their quota is used incorrectly, and you can trace that the NAS is misbehaving (or hacked, although unlikely) by looking at records on radacct, then simply ban the NAS. It's the least-effort method to get what you want. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html