racct and radpostauth
Alan DeKok
aland at deployingradius.com
Fri Sep 9 15:16:42 CEST 2011
Bjørn Mork wrote:
> Arran Cudbard-Bell <a.cudbardb at freeradius.org> writes:
>
>> As Alan says your NAS won't generate Accounting-Requests if the RADIUS
>> server rejects the user (unless its very broken).
>
> Why would that be broken?
A session that doesn't start requires no accounting.
When companies do business accounting, they list only income/expenses.
They don't list sales prospects who fail to buy anything. They don't
list vendors who never send them invoices.
Accounting is for things that happen. Rejects are sessions that never
happened.
> Yes, I do see that you can trigger RADIUS accounting traffic without
> authenticating, but the additional load (both for NAS and RADIUS server)
> is probably negligible compared to the failed authentication anyway.
Accounting generally is a lot more resource intensive than PAP or CHAP
authentication.
If you want to log rejects, you can do that. You can even customize
the "post-auth" section to write into the accounting database. But it's
a configuration which will *not* be in the default configuration.
Alan DeKok.
More information about the Freeradius-Users
mailing list