Dropping RADIUS accounting packets based upon NAS IP Address
Alex Sharaz
alex.sharaz at york.ac.uk
Fri Jan 5 17:19:19 CET 2018
Cool!
Many thanks
A
On 5 January 2018 at 15:39, Alan DeKok <aland at deployingradius.com> wrote:
> On Jan 5, 2018, at 9:30 AM, Alex Sharaz via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> > I was just testing our new Grimsby connection ( remote controller pushes
> > auth and accounting packets down a RADSEC tunnel to our Tier 1 eduroam
> > servers) when I noticed that in addition to accounting packets relating
> to
> > the eduroam SSID I was seeing accounting packets from other devices which
> > had different NAS-IP-Address IP addresses to the one I was expecting.
> >
> > I know its their problem to fix but is there any way in FR 3.0.15 I can
> > drop packets with a NAS IP Address != the one I should be seeing?
>
> That's generally not a good idea. The NAS will not see responses from
> the RADIUS server, and think that the RADIUS is down.
>
> > We dump accounting / auth info into a postgres db and into our logstash
> > service and I'd rather not have accounting info I shouldn't be seeing in
> > there ...
>
> preacct {
> if (NAS-IP-Address != "good") {
> ok
> return
> }
>
> ... everything else ...
>
> }
>
> And then do the same at the top of the "accounting" section. This will
> cause the server to ACK the bad accounting packets. But no further
> processing will take place.
>
> Alan DeKok.
>
>
More information about the Freeradius-Users
mailing list