Accounting for nonexistent users / NAS ?
justin76 at mac.com
Tue Feb 14 11:59:18 CET 2012
Thanks, I haven't used preacct before; in what module is this, can you send a detailed solution? Sorry, I am only a beginner in writing customized things for freeradius.
About the NAS: in our case, the client is in possession of the shared secret, but the NAS is set incorrectly. Also, we are using a global user database for hundreds of NAS clients, and we would like to avoid a situation where a NAS client is sending accounting information for an existing user as a hacker attempt, causing invalid usage data and causing users' accounts to expire. In case the existing user is configured as a local user AND the hacker knows that a username exists in our radcheck table (or just uses a username list for guessing), this can be easily done.
On Feb 14, 2012, at 11:49 AM, Phil Mayers wrote:
On 14/02/12 10:27, justin76 at mac.com wrote:
> Hi all,
>
> we are using freeradius with mysql.
>
> Accounting works fine, but we discovered that the server is doing
> accounting for users which don't exist at all in our system. They are
> probably local users but accounting information is sent to our
> servers.
>
> How do we allow accounting for only our users? The server should
> check whether the user is in the radcheck table as we only keep users
> which have a valid account.
>
> How can this be achieved?
Well, possibly something like:
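preacct {
    # Look the user up in radcheck; the result is 1 if a row exists
    update control {
        Tmp-Integer-0 := "%{sql:select 1 from radcheck where username='%{User-Name}'}"
    }
}
accounting {
    # Only record accounting for users found in radcheck
    if (control:Tmp-Integer-0 == 1) {
        detail
        sql
        # whatever
    }
}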
>
> Furthermore, it would be good if we could verify the NAS value so the
> server should only do accounting when the NAS is allowed.
I don't know what this means. If the NAS is "not allowed" then surely it's not a valid client, so it doesn't have a shared secret?
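An audit for accounting rows that were already stored for usernames absent from radcheck, grouped by NAS, as an added example that is not part of the original thread. It assumes the table and column names of the stock FreeRADIUS SQL schema (radcheck.username, radacct.username, radacct.nasipaddress, radacct.acctsessiontime) and uses an in-memory SQLite database in place of MySQL; all rows are constructed sample data.

```python
import sqlite3

# Usernames are compared exactly as stored; adjust the comparison if your
# setup strips realms or changes case before writing to radacct (assumption).
ORPHAN_SQL = """
SELECT a.nasipaddress, a.username,
       COUNT(*) AS sessions,
       COALESCE(SUM(a.acctsessiontime), 0) AS seconds
FROM radacct a
WHERE NOT EXISTS (SELECT 1 FROM radcheck c WHERE c.username = a.username)
GROUP BY a.nasipaddress, a.username
ORDER BY a.nasipaddress, a.username
"""

def build_sample_db():
    """Constructed sample data, reduced to the columns the audit needs."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radcheck (username TEXT, attribute TEXT, op TEXT, value TEXT);
        CREATE TABLE radacct  (acctuniqueid TEXT, username TEXT,
                               nasipaddress TEXT, acctsessiontime INTEGER);
    """)
    # radcheck may hold several rows per user, one per check attribute
    db.executemany("INSERT INTO radcheck VALUES (?,?,?,?)", [
        ("alice", "Cleartext-Password", ":=", "x"),
        ("alice", "Simultaneous-Use", ":=", "1"),
        ("bob", "Cleartext-Password", ":=", "x"),
    ])
    db.executemany("INSERT INTO radacct VALUES (?,?,?,?)", [
        ("s1", "alice", "192.0.2.10", 600),
        ("s2", "localadmin", "192.0.2.20", 120),   # NAS-local user, not ours
        ("s3", "localadmin", "192.0.2.20", 300),
        ("s4", "guest", "192.0.2.20", None),       # session still open
        ("s5", "bob", "192.0.2.30", 60),
    ])
    return db

def orphan_accounting(db):
    """Return (nas, username, sessions, seconds) for users not in radcheck."""
    return db.execute(ORPHAN_SQL).fetchall()

if __name__ == "__main__":
    for nas, user, sessions, seconds in orphan_accounting(build_sample_db()):
        print(f"{nas}  {user:<12} sessions={sessions} seconds={seconds}")
```

A NAS address that accounts for most of the result is the first place to look for the misconfiguration described above.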