rlm_sql: Password in Accounting Packet
Hello, Is there a way to insert password in radacct table? Changing SQL query to insert %{User-Password} has no effect. I'm aware of the RFCs - is there any workaround for this? Thanks, Marco
Marco Stuhl
Hello,
Is there a way to insert password in radacct table? Changing SQL query to insert %{User-Password} has no effect.
I don't think your NAS sends a User-Password attribute in the Accounting Request. How do you want FR to know the User-Password attribute then ? Thibault
On 12/15/06, Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:
Is there a way to insert password in radacct table? Changing SQL query to insert %{User-Password} has no effect.
I don't think your NAS sends a User-Password attribute in the Accounting Request. How do you want FR to know the User-Password attribute then ?
I agree on that one; still no workaround? Cheers, Marco
Is there a way to insert password in radacct table? Changing SQL query to insert %{User-Password} has no effect.
I don't think your NAS sends a User-Password attribute in the Accounting Request. How do you want FR to know the User-Password attribute then ?
I agree on that one; still no workaround?
I don't understand what you're trying to do. * If you want to record the user-password, why don't you record it at Authentication time (see the postauth section) ? * If you want to do this at during the Accounting process, you'll have do develop your own module to get the password that matches to the User-Login from the Accounting request: you will have to query your internal backend to get the user's password (if it is available in clear text, which is not certain). Can you be more specific as to why you are trying to do this... because there might be workarounds for this. Thibault
Here's the scenario. I'd like to make one username for all users having/sharing same service (e.g. users w/ service A all have username 'foo' with unique password for every user). Now, the problem arises with accounting, or, to be more precise, session reports that will be available for them to see and check their past sessions. Since accounting (SQL schema) is based on unique username, I cannot make the distinction between users. Also, I've noted (in past FR versions, though) that it was possible for log files, since FR logged passwords there? Thanks, Marco On 12/15/06, Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:
Is there a way to insert password in radacct table? Changing SQL query to insert %{User-Password} has no effect.
I don't think your NAS sends a User-Password attribute in the Accounting Request. How do you want FR to know the User-Password attribute then ?
I agree on that one; still no workaround?
I don't understand what you're trying to do. * If you want to record the user-password, why don't you record it at Authentication time (see the postauth section) ? * If you want to do this at during the Accounting process, you'll have do develop your own module to get the password that matches to the User-Login from the Accounting request: you will have to query your internal backend to get the user's password (if it is available in clear text, which is not certain).
Can you be more specific as to why you are trying to do this... because there might be workarounds for this.
Thibault
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----Message d'origine----- De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.freeradius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.freeradius .org] De la part de Marco Stuhl Envoyé : vendredi 15 décembre 2006 13:47 À : FreeRadius users mailing list Objet : Re: RE : RE : rlm_sql: Password in Accounting Packet Here's the scenario. I'd like to make one username for all users having/sharing same service (e.g. users w/ service A all have username 'foo' with unique password for every user). Now, the problem arises with accounting, or, to be more precise, session reports that will be available for them to see and check their past sessions. So the password can only be retreived for the Access-Request packet: use the postauth query to record it, then use radacct to record accoutning informations. Since accounting (SQL schema) is based on unique username, I cannot make the distinction between users. Also, I've noted (in past FR versions, though) that it was possible for log files, since FR logged passwords there? Accounting is based on AcctSessionId (or AcctUniqueId, which can be computed by a FR module). AFAIK, there is no assumption about the 'unique username' thing: it is your session analyzer that makes such assumption. If you want to differentiate users, you'll have to find rules that help map attributes recorded in the radacct table with attributes recorded in the postauth table: then a simple Join can help recover the true username. HTH, Thibault
Hello Thibault, Thanks for the in-depth explanation. Here are some of my impressions regarding this solution. Only attribute I can rely on is Acct-Session-Id (present in Authorization and Accounting requests) - drawback is in the RAS, which resets the counter after every reboot, so this string is not unique (a must for SQL joins). Maybe there's some other attribute to look for? Cheers, Marco On 12/15/06, Thibault Le Meur <Thibault.LeMeur@supelec.fr> wrote:
-----Message d'origine----- De : freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.freeradius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr@lists.freeradius.org] De la part de Marco Stuhl Envoyé : vendredi 15 décembre 2006 13:47 À : FreeRadius users mailing list Objet : Re: RE : RE : rlm_sql: Password in Accounting Packet
Here's the scenario.
I'd like to make one username for all users having/sharing same service (e.g. users w/ service A all have username 'foo' with unique password for every user). Now, the problem arises with accounting, or, to be more precise, session reports that will be available for them to see and check their past sessions.
So the password can only be retreived for the Access-Request packet: use the postauth query to record it, then use radacct to record accoutning informations.
Since accounting (SQL schema) is based on unique username, I cannot make the distinction between users. Also, I've noted (in past FR versions, though) that it was possible for log files, since FR logged passwords there?
Accounting is based on AcctSessionId (or AcctUniqueId, which can be computed by a FR module). AFAIK, there is no assumption about the 'unique username' thing: it is your session analyzer that makes such assumption.
If you want to differentiate users, you'll have to find rules that help map attributes recorded in the radacct table with attributes recorded in the postauth table: then a simple Join can help recover the true username.
HTH, Thibault - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Marco Stuhl wrote:
Here's the scenario.
I'd like to make one username for all users having/sharing same service
Quite frankly, it's much easier to have different usernames. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hello all, Thanks for sharing your thouths! Seems that I'll go with unique/different usernames, for now... Cheers, Marco On 12/15/06, Alan DeKok <aland@deployingradius.com> wrote:
Marco Stuhl wrote:
Here's the scenario.
I'd like to make one username for all users having/sharing same service
Quite frankly, it's much easier to have different usernames.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Marco Stuhl -
Thibault Le Meur