Detecting RELATED accounting packets

Nasser Heidari nasser at rasana.net
Tue Nov 17 15:42:38 CET 2015


Thanks for your helpful point. I'm using Cisco NAS (Cisco ASR and Cisco 7200 
series.)


-----Original Message-----
From: Freeradius-Users 
[mailto:freeradius-users-bounces+nasser=rasana.net at lists.freeradius.org] On 
Behalf Of Vijay S
Sent: Tuesday, November 17, 2015 5:45 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Detecting RELATED accounting packets

Hi Nasser
It would have been helpful if you mentioned what NAS you are using.

Regards
Vijay A.

On Tuesday, November 17, 2015, Nasser Heidari <nasser at rasana.net> wrote:

> Hi,
>
> In my current environment I'm using Radius Proxy. As a new requirement
> I want to allow all users whom rejected by Proxy to connect to
> Network, but put them in walled garden and let them to access only specified 
> resources.
> Also when they get connected I should store their IP, Mac, NAS
> information which exist in accounting packet.
>
> I want to create virtual server on radius proxy and handle all
> REJECTED users with this. Problem is, there isn't any relation between
> authentication and accounting packets so I don't know which accounting
> packets are related to REJECTED users to forward them to virtual
> server.
>
> I have two Ideas which may help me to solve this issue:
> 1- Store POSTAUTH message in DB and then when I receive accounting
> packets, in preacct stage lookup user's info using (mac+nas+nas-port)
> in POSTAUTH DB and then decide to forward packet to PROXY or Virtual server.
> 2- When I'm sending access-accept, send another attribute to NAS
> (which is Cisco), and NAS should include this special attribute in all
> accounting packets of REJECTED users so using this I can seprate users
> and send correct accounting info to PROXY or virtual server. (Trying
> to use a kind of marking method, which I'm not sure it's possible).
>
> I would be thankful if you kindly share your Ideas about this problem
> and other possible methods to solve it.
>
> Kind Regards,
> Nasser
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list