Radrelay: Zero Session length packets

Alan DeKok aland at deployingradius.com
Tue Jan 2 15:41:23 CET 2007


Etienne Pretorius wrote:

> BTW is there a way to specify an OR / AND operator below for acct_users?
> So that I can say something like
> 
>     DEFAULT [  Client-IP-Address == "XXX.XXX.XXX.XXX" ||
>                           Client-IP-Address == "YYY.YYY.YYY.YYY" ||
>                           Client-IP-Address == "ZZZ.ZZZ.ZZZ.ZZZ" &&
>                            Acct-Session-Time == "0" ] , Acct-type :=
> "REMOTE-AUTH"

  No, but there's no need to specify the Client-IP-Address, either.
Just put all zero-length sessions into a "zero-length-session"
accounting type.  Have it do whatever works for those sessions, and all
other sessions can do something else.

> *acct_users*
> # Do not radrelay these packets:
> DEFAULT Acct-Session-Time == "0", Acct-type := "REMOTE-AUTH"
> 
> # This Configuration prevents Accouting loops of a two-way radrelay sync
> #  [o] Radrelay must be sending accounting info from IP(s) below
> #       on the other Radius server(s)
> DEFAULT Client-IP-Address == "XXX.XXX.XXX.XXX", Acct-type := "REMOTE-AUTH"
> DEFAULT Client-IP-Address == "YYY.YYY.YYY.YYY", Acct-type := "REMOTE-AUTH"
> DEFAULT Client-IP-Address == "ZZZ.ZZZ.ZZZ.ZZZ", Acct-type := "REMOTE-AUTH"

  The problem here is that you're using the *same* Acct-Type for remote
auth as for zero-length sessions.  Don't do that.  The radiusd.conf file
is small, and easy to edit.  You might as well have multiple Acct-Types,
they're cheap.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog



More information about the Freeradius-Users mailing list