Member "freeradius-server-3.0.23/raddb/policy.d/accounting" (10 Jun 2021, 4650 Bytes) of package /linux/misc/freeradius-server-3.0.23.tar.bz2:

    1 #  We check for this prefix to determine whether the class value was
    2 #  generated by this server.  It should be changed so that it is
    3 #  globally unique.
    4 class_value_prefix = 'ai:'
    5 
    6 #
    7 #	Replacement for the old rlm_acct_unique module
    8 #
    9 acct_unique {
   10 	#
   11 	#  If we have a Class attribute in the format
   12 	#  '${policy.class_value_prefix}[0-9a-f]{32}' (i.e. 'ai:' followed
   13 	#  by 32 hex digits with the default prefix), it has a local value
   14 	#  (created by insert_acct_class); this ensures uniqueness and suitability.
   15 	#
   16 	#  We could just use the Class attribute as
   17 	#  Acct-Unique-Session-Id, but this may cause problems
   18 	#  with NAS that carry Class values across between
   19 	#  multiple linked sessions.  So we rehash Class together with
   20 	#  Acct-Session-ID to provide a truly unique session
   21 	#  identifier.
   22 	#
   23 	#  Using a Class/Session-ID combination is more robust
   24 	#  than using elements in the Accounting-Request,
   25 	#  which may be subject to change, such as
   26 	#  NAS-IP-Address, Client-IP-Address and
   27 	#  NAS-Port-ID/NAS-Port.
   28 	#
   29 	#  This policy should ensure that session data is not
   30 	#  affected if NAS IP addresses change, or the client
   31 	#  roams to a different 'port' whilst maintaining its
   32 	#  initial authentication session (Common in a
   33 	#  wireless environment).
   34 	#
   35 	update request {
   36 	       &Tmp-String-9 := "${policy.class_value_prefix}"
   37 	}
   38 
   39 	if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && \
   40 	    ("%{string:&Class}" =~ /^${policy.class_value_prefix}([0-9a-f]{32})/i)) {
   41 		update request {
   42 			&Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}"
   43 		}
   44 	}
   45 
   46 	#
   47 	#  Not all devices respect RFC 2865 when dealing with
   48 	#  the Class attribute, so be prepared to fall back to the
   49 	#  older-style hashing scheme if no Class attribute
   50 	#  is included.
   51 	#
   52 	else {
   53 		update request {
   54 			&Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
   55 		 }
   56 	}
   57 }
   58 
   59 #
   60 #	Insert a (hopefully unique) value into class
   61 #
   62 insert_acct_class {
   63 	update reply {
   64 		&Class = "${policy.class_value_prefix}%{md5:%t,%{Packet-Src-Port},%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name},%{session-state:User-Name} }"
   65 	}
   66 }
   67 
   68 #
   69 #	Merges Acct-[Input|Output]-Octets and Acct-[Input|Output]-Gigawords into Acct-[Input|Output]-Octets64
   70 #
   71 #	If the &Attr-Foo doesn't exist, its value is taken as zero.
   72 #
   73 acct_counters64.preacct {
   74 	update request {
   75 		&Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}"
   76 		&Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}"
   77 	}
   78 }
   79 
   80 #
   81 #  There is a delay between sending the Access-Accept and receiving
   82 #  the corresponding Accounting-Request "start" packet.  This delay
   83 #  can be leveraged by a user to bypass Simultaneous-Use checks.
   84 #
   85 #  The user can start up multiple sessions at the same time.  When
   86 #  that happens, both Simultaneous-Use checks are performed before any
   87 #  Accounting-Request packet is received.  Both Simultaneous-Use
   88 #  checks will result in "no user session" in the radacct table, and
   89 #  both sessions will be allowed.  At some point later in time, the
   90 #  Accounting-Request packets are received.  But by then it's too
   91 #  late.
   92 #
   93 #  The solution is to insert a temporary session into the "radacct"
   94 #  table, during the "post-auth" section.  This is done by
   95 #  uncommenting the "sql_session_start" entry in
   96 #  sites-enabled/default.  Then, reading
   97 #  raddb/mods-config/sql/main/*/queries.conf, and looking for the
   98 #  "sql_session_start" comments.  Follow the instructions there to
   99 #  finalize the configuration.
  100 #
  101 #  The server will then create a temporary entry in "radacct" before
  102 #  it responds to the Access-Request.  Any other Access-Request which is
  103 #  received at the same time will then have its Simultaneous-Use
  104 #  check see that entry, and will be rejected.
  105 #
  106 #  Subsequent Accounting-Request packets for the first session will
  107 #  then UPDATE (not INSERT) the data for the session.
  108 #
  109 #  There is still a small race condition as the Simultaneous-Use
  110 #  checks are not done at the same time as updating radacct.  But the
  111 #  window of opportunity is much smaller.  i.e. milliseconds, instead
  112 #  of seconds.
  113 #
  114 #  This policy can also be used to "bootstrap" accounting sessions.
  115 #  If there is data which is only available in the Access-Request,
  116 #  it can be placed in the accounting table.  Then, when accounting
  117 #  packets are received, they will update the row which contains
  118 #  the session information.
  119 #
  120 sql_session_start.post-auth {
  121 	acct_unique
  122 
  123 	#
  124 	#  The SQL accounting queries need an Acct-Status-Type attribute
  125 	#
  126 	update request {
  127 		Acct-Status-Type := Start
  128 	}
  129 	sql.accounting
  130 }