Duplicate SQL records versus unique constraints

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Wed Jun 3 09:24:53 CEST 2009

On 3/6/09 07:53, Arran Cudbard-Bell wrote:
>> If we add a CONSTRAINT to enforce uniqueness for acctuniqueid in the DB,
>> will the failure to insert an accounting record confuse the freerad sql
>> module and will those failures percolate up towards the radius protocol
>> level and thus result in the NAS keep on sending that accounting packet?
> Yes. The SQL module will return fail on any errors. This will override
> the priority of most other modules, and cause the accounting stanza to
> return fail. The RADIUS server will then ignore the Accounting request,
> and the NAS will think the RADIUS server is dead.
> You should be able to add additional 'uniqueness' with the 'Class'
> attribute. RFC behavior is identical to User-Name. You set it in the
> Access-Accept packet, then the NAS includes its value in all future
> Accounting-Requests.

Example policy for this would be something like :

populate_class {
	# Hashing module only accepts dictionary attributes
	update request {
		Tmp-String-0 := "%t"
	# Insert random string into the class attribute
	update reply {
		Class := "%{request:Acct-Unique-Session-Id}}"


acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port, Class"

acct_unique acct_class_unique {
	key = "User-Name, Tmp-String-0, NAS-IP-Address, Client-IP-Address, NAS-Port"

For the module configuration.

If you're still getting duplicates, check that the NAS is actually sending the value of the Class attribute. Vendors are notoriously bad for ignoring the RFC in this area.


Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

More information about the Freeradius-Users mailing list