Radrelay: Zero Session length packets
Alan DeKok
aland at deployingradius.com
Tue Jan 2 15:41:23 CET 2007
Etienne Pretorius wrote:
> BTW is there a way to specify an OR / AND operator below for acct_users?
> So that I can say something like
>
> DEFAULT [ Client-IP-Address == "XXX.XXX.XXX.XXX" ||
> Client-IP-Address == "YYY.YYY.YYY.YYY" ||
> Client-IP-Address == "ZZZ.ZZZ.ZZZ.ZZZ" &&
> Acct-Session-Time == "0" ] , Acct-type :=
> "REMOTE-AUTH"
No, but there's no need to specify the Client-IP-Address, either.
Just put all zero-length sessions into a "zero-length-session"
accounting type. Have it do whatever works for those sessions, and all
other sessions can do something else.
> *acct_users*
> # Do not radrelay these packets:
> DEFAULT Acct-Session-Time == "0", Acct-type := "REMOTE-AUTH"
>
> # This Configuration prevents Accouting loops of a two-way radrelay sync
> # [o] Radrelay must be sending accounting info from IP(s) below
> # on the other Radius server(s)
> DEFAULT Client-IP-Address == "XXX.XXX.XXX.XXX", Acct-type := "REMOTE-AUTH"
> DEFAULT Client-IP-Address == "YYY.YYY.YYY.YYY", Acct-type := "REMOTE-AUTH"
> DEFAULT Client-IP-Address == "ZZZ.ZZZ.ZZZ.ZZZ", Acct-type := "REMOTE-AUTH"
The problem here is that you're using the *same* Acct-Type for remote
auth as for zero-length sessions. Don't do that. The radiusd.conf file
is small, and easy to edit. You might as well have multiple Acct-Types,
they're cheap.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
More information about the Freeradius-Users
mailing list