rlm_sql: Password in Accounting Packet
Marco Stuhl
skipperinc at gmail.com
Fri Dec 15 20:51:45 CET 2006
Hello Thibault,
Thanks for the in-depth explanation. Here are some of my impressions
regarding this solution.
Only attribute I can rely on is Acct-Session-Id (present in
Authorization and Accounting requests) - drawback is in the RAS, which
resets the counter after every reboot, so this string is not unique (a
must for SQL joins).
Maybe there's some other attribute to look for?
Cheers,
Marco
On 12/15/06, Thibault Le Meur <Thibault.LeMeur at supelec.fr> wrote:
>
> -----Original Message-----
> From: freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org [mailto:freeradius-users-bounces+thibault.lemeur=supelec.fr at lists.freeradius.org] On behalf of Marco Stuhl
> Sent: Friday, December 15, 2006 13:47
> To: FreeRadius users mailing list
> Subject: Re: RE : RE : rlm_sql: Password in Accounting Packet
>
>
> Here's the scenario.
>
> I'd like to make one username for all users having/sharing same service (e.g. users w/ service A all have username 'foo' with unique password for every user). Now, the problem arises with accounting, or, to be more precise, session reports that will be available for them to see and check their past sessions.
>
> So the password can only be retrieved from the Access-Request packet: use the postauth query to record it, then use radacct to record accounting information.
>
> Since accounting (SQL schema) is based on unique username, I cannot make the distinction between users. Also, I've noted (in past FR versions, though) that it was possible for log files, since FR logged passwords there?
>
> Accounting is based on AcctSessionId (or AcctUniqueId, which can be computed by a FR module). AFAIK, there is no assumption about the 'unique username' thing: it is your session analyzer that makes such assumption.
>
> If you want to differentiate users, you'll have to find rules that help map attributes recorded in the radacct table with attributes recorded in the postauth table: then a simple Join can help recover the true username.
>
> HTH,
> Thibault
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
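The join discussed in this thread, as an added example that is not part of either poster's message and is not FreeRADIUS code: it shows how a reused Acct-Session-Id after a RAS reboot cross-matches sessions in a naive join, and how scoping the join by NAS and by the latest authentication before the session start separates them again. Assumptions: the postauth query has been customised to store `acctsessionid` and `nasipaddress` (hypothetical extra columns on `radpostauth`), authentication is logged before the accounting start, and all rows are constructed sample data.

```python
import sqlite3

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
    -- acctsessionid/nasipaddress on radpostauth are assumed additions
    CREATE TABLE radpostauth (username TEXT, pass TEXT, acctsessionid TEXT,
                              nasipaddress TEXT, authdate TEXT);
    CREATE TABLE radacct (acctsessionid TEXT, username TEXT, nasipaddress TEXT,
                          acctstarttime TEXT, acctsessiontime INTEGER);
    """)
    # Constructed data: the RAS rebooted between the two days, so the
    # session counter restarted and both sessions carry the same id.
    db.executemany("INSERT INTO radpostauth VALUES (?,?,?,?,?)", [
        ("foo", "pw-user-1", "00000001", "192.0.2.10", "2006-12-14 09:00:00"),
        ("foo", "pw-user-2", "00000001", "192.0.2.10", "2006-12-15 09:30:00"),
    ])
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?,?)", [
        ("00000001", "foo", "192.0.2.10", "2006-12-14 09:00:02", 600),
        ("00000001", "foo", "192.0.2.10", "2006-12-15 09:30:01", 1200),
    ])
    return db

# Join on the session id alone: every session matches every auth record.
NAIVE = """SELECT a.acctstarttime, p.pass FROM radacct a
JOIN radpostauth p ON p.acctsessionid = a.acctsessionid
ORDER BY a.acctstarttime, p.authdate"""

# Same NAS, and only the latest auth at or before the session start.
SCOPED = """SELECT a.acctstarttime, p.pass FROM radacct a
JOIN radpostauth p ON p.acctsessionid = a.acctsessionid
 AND p.nasipaddress = a.nasipaddress
 AND p.authdate = (SELECT MAX(q.authdate) FROM radpostauth q
                   WHERE q.acctsessionid = a.acctsessionid
                     AND q.nasipaddress = a.nasipaddress
                     AND q.authdate <= a.acctstarttime)
ORDER BY a.acctstarttime"""

def naive_join(db):
    return db.execute(NAIVE).fetchall()

def scoped_join(db):
    return db.execute(SCOPED).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(len(naive_join(db)), "rows from the naive join (2 sessions exist)")
    for row in scoped_join(db):
        print(row)
```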