Accounting Packets and Anonymous Identity
Phil Mayers
p.mayers at imperial.ac.uk
Sun Feb 5 14:10:33 CET 2017
As a couple of people have noted, if the NAS supports it you can (in
order of preference):
1. Return User-Name in Access-Accept which a compliant NAS will then
copy to Accounting-Requests
2. Abuse Class in Access-Accept e.g. set it to "user=<name>" then
extract that in preacct{} and rewrite the received username in the
accounting packets
3. If the NAS sends Acct-Session-Id in Access-Requests, cache or store
these in a DB, then do a cache/SQL lookup in preacct{} to find the
username from authentication, and rewrite the accounting. You could hack
this with NAS-IP-Address & Calling-Station-Id if you're really desperate
and the Acct-Session-Id isn't present in Access-Request.
If none of these options are available, then you will need to perform
offline or near-realtime analysis of your accounting to match auth to
acct sessions and discover the real username.
More information about the Freeradius-Users
mailing list