Accounting for nonexistent users / NAS ?

justin76 at mac.com justin76 at mac.com
Tue Feb 14 12:18:17 CET 2012


NAS are set up by partner companies all around the world. We can tell them to fix the NAS but maybe it can take weeks and we don't want to allow misconfigured NAS in the accounting at all.

On Feb 14, 2012, at 12:08 PM, Phil Mayers wrote:

On 14/02/12 10:59, justin76 at mac.com wrote:
> Thanks, I haven't used preacct before, in what module is this, can
> you send detailed solution? Sorry, I am only a beginner in writing
> customized things for freeradius.

This is a section in the standard virtual server config. If you look in sites-enabled/default, you'll see:

authorize {
 ...
}
authenticate {
 ...
}
post-auth {
 ...
}

preacct {
 ...
}
accounting {
 ...
}

...and others. The sections are lists of modules, or "unlang" config processing statements. See "man unlang".

> 
> About the NAS: in our case, the client is in possession of the shared
> secret, but the NAS is set incorrectly. Also, we are using a global
> user database for hundreds of NAS clients, and we would like to avoid
> a situation when a NAS client is sending accounting information for
> an existing user as a hacker attempt, causing invalid usage data and
> causing user's account to expire. In case the existing user is
> configured as a local user AND the hacker knows that a username
> exists in our radcheck table (or just use a username list for
> guessing), this can be easily done.

I'm sorry, I don't understand any of that.

If the NAS is "set incorrectly" why not fix the NAS?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
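
As an added illustration of the preacct approach discussed in this thread (not code from either poster or from the FreeRADIUS project), the sketch below refuses accounting packets whose User-Name has no row in radcheck. It assumes FreeRADIUS 2.x unlang syntax, an SQL module instance named "sql", and the stock radcheck schema with a "username" column.

```unlang
# sites-enabled/default (added example; adapt names to your deployment)
preacct {
	preprocess

	# Accounting packets with no User-Name cannot be tied to an account.
	if (!User-Name) {
		reject
	}

	# Assumption: the SQL module instance is called "sql" and users are
	# stored in the default radcheck table. The sql xlat escapes the
	# expanded User-Name before it is placed in the query.
	if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username='%{User-Name}'}" == 0) {
		# Stop here so the accounting section never records usage
		# for a user that does not exist.
		reject
	}
}
```

A request refused in preacct normally receives no Accounting-Response, so a misconfigured NAS will keep retransmitting until it gives up. The check only confirms that the username exists; it does not tie a username to a particular NAS.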





More information about the Freeradius-Users mailing list