Working with data used at authentication time during accounting

Alan DeKok aland at deployingradius.com
Mon Mar 15 22:17:07 CET 2021


On Mar 15, 2021, at 4:16 PM, Marki <jm+freeradiususer at roth.lu> wrote:
> During authentication/authorization Radius queries our backend for validity of the user (exec modules),

  That can be slow.  But if it works...

> which return several response attributes to Radius and in consequence to the NAS.
> 
> Now, if possible, I would like to re-use some of that information at accounting stage. The thing is that I'm proxying the NAS' accounting packets to another firewall for SSO access, which also requires that information. The NAS doesn't remember the custom attributes from authentication response and doesn't include them in the accounting request. Probably, it doesn't have or need to. Still, I have to add them back in somehow.

  Use the "Class" attribute.   You send it in the Access-Accept, and the NAS is supposed to include it in the Accounting-Request packets for that session.

> Maybe there's no magic here which I'll gladly accept. :) I thought that since the server seems to know during challenge-response at authentication time which session is which, there may be a way here too. Don't hang me if that's not the case and these things are unrelated.

  They are largely unrelated.  :(

> I see that the NAS transmits an audit-session-id which is identical in both the authentication and accounting packets. Maybe I could leverage that. But still both worlds (authentication/accounting) would somehow need to share some data.

  I presume you mean "Acct-Session-Id".  And if the NAS sends that in Access-Request packets, that's very good.  It means you can leverage that.

  The way to share data is in a database, or a local cache.  You can use the "cache" module for this.  It's a little opaque, but it does the job.  The idea is:

* set up an in-memory cache (rbtree)
* update mods-available/cache with the list of attributes you want to cache
* in post-auth, set &control:Cache-Merge = yes, and run the "cache" module
* in "preacct", set &control:Cache-Read-Only = yes, and run the "cache" module

  Alan DeKok.
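
The four steps listed in the message above, written out as a FreeRADIUS v3 configuration sketch. This is an added example, not part of the original post and not the project's shipped configuration. It assumes the NAS sends Acct-Session-Id in Access-Request packets, uses Filter-Id as a stand-in for the site's own attributes, and uses a constructed TTL value.

```text
# mods-available/cache (link it into mods-enabled/)
cache {
	# In-memory rbtree backend: entries are local to this server
	# process and are lost on restart.
	driver = "rlm_cache_rbtree"

	# Assumption: the NAS sends the same Acct-Session-Id in the
	# Access-Request and in the Accounting-Request for a session.
	key = "%{Acct-Session-Id}"

	# Constructed value (8 hours). Set it to cover the longest
	# session you expect; an expired entry is simply not found.
	ttl = 28800

	# Attributes to store. Left side: where the value is written
	# when an entry is merged. Right side: where the value is taken
	# from when the entry is created (here, the Access-Accept).
	# Filter-Id is a placeholder for the attributes the backend returns.
	update {
		&request:Filter-Id := &reply:Filter-Id
	}
}

# sites-available/default (other modules in each section omitted)
post-auth {
	# Create the entry once the reply attributes are known.
	update {
		&control:Cache-Merge := yes
	}
	cache
}

preacct {
	# Look the session up, but never create an entry from an
	# accounting packet that has no matching authentication.
	update {
		&control:Cache-Read-Only := yes
	}
	cache
}
```

Because the cached value is written to the request list in preacct, it is intended to be present in the accounting request before that packet is proxied onward; confirm this with a debug run (`radiusd -X`) against your own NAS.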



