Accounting for nonexistent users / NAS ?
justin76 at mac.com
justin76 at mac.com
Tue Feb 14 15:47:06 CET 2012
Can this be achived for only accounting start requests? So the check would be only when a new accounting session starts, ongoing sessions shouldn't be checked.
preacct {
update control {
Tmp-Integer-0 := %{sql:select 1 from radcheck where username='%{User-Name}'}
}
}
accounting {
if (control:Tmp-Integer-0 == 1) {
detail
sql
# whatever
}
}
On Feb 14, 2012, at 1:08 PM, Fajar A. Nugraha wrote:
On Tue, Feb 14, 2012 at 6:31 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 14/02/12 11:18, justin76 at mac.com wrote:
>>
>> NAS are set up by partner companies all around the world. We can tell
>> them to fix the NAS but maybe it can take weeks and we don't want to
>> allow misconfigured NAS in the accounting at all.
>
>
> Freeradius can perform arbitrary processing, to ignore or accept packets.
> You need to:
>
> 1. Write down a policy showing which requests you want to permit, based on
> which attributes
... and that is often the hardest part. Really.
IMHO it's easier to just do something like this:
- give out unique shared secret for each NAS
- log NAS IP address (e.g. Packet-Src-IP-Address) on radacct (either
by overwriting an existing column, or add a new one)
- handle user complains if and when they come.
If a user complains that their quota is used incorrectly, and you can
trace that the NAS is misbehaving (or hacked, although unlikely) by
looking at records on radacct, then simply ban the NAS. It's the
least-effort method to get what you want.
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list