Re: Does Pam_Radius support Acct-Interim-Interval?


Re: Does Pam_Radius support Acct-Interim-Interval?

Users mailing list
Hi Alan,

Now I understand the limitations. I noticed that whenever I make a new connection, rather than inserting a new row in Radacct it is updating the existing entry. This makes the accounting useless. Unless I have somewhere a configuration mistake on my part, which I should investigate.

I also noticed the servicetype shows as Authenticate-Only instead of Framed-User.

But as you say I may need to look for something else to get full-featured accounting on the users' activity.

Thanks,
Mark

On Aug 4, 2020, at 6:30 AM, Mark Antony via Freeradius-Users <[freeradius-users at lists.freeradius.org](http://lists.freeradius.org/mailman/listinfo/freeradius-users)> wrote:
> I have a question about Pam_Radius plugin and Freeradius. Does it only support authentication?

It supports accounting, but it's not well documented or tested.

> I'm asking because while authentication seems to work, Acct-Interim-Interval seems to be completely ignored.

Yes.  The module sends RADIUS packets when the PAM framework calls it.  The module does NOT start up any new process or thread to periodically send packets.

  The PAM framework can call the module on open session, and close session.  That's it.  There is no "session still open" capability in PAM.

  If you want full-featured accounting on the users' activity, interim updates, etc., then you will have to use something else.  Both PAM and the standard Unix APIs don't support that.

> post-auth {
>     update reply {
>         Acct-Interim-Interval = 10
>     }
> }
>
> For testing purposes I have set it to 10 seconds and I was expecting it to fire update-requests every 10 seconds, but this isn't happening.

No RADIUS NAS on the planet will send accounting packets every 10 seconds.  RFC 2866 suggests a 5 minute minimum on Acct-Interim-Interval.  Most NASes enforce that.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Does Pam_Radius support Acct-Interim-Interval?

Alan DeKok-2
On Sep 1, 2020, at 4:27 AM, Mark Antony via Freeradius-Users <[hidden email]> wrote:
> Now I understand the limitations. I noticed that whenever I make a new connection, rather than inserting a new row in Radacct it is updating the existing entry.

  i.e. it sends the same information every time.

> This makes the accounting useless. Unless I have somewhere a configuration mistake on my part, which I should investigate.

  What other information should it send to make each session unique?  Where would the PAM RADIUS module store any state?

  This isn't a matter of pointing out issues.  It's coming up with the technical solutions that will fix them.

> I also noticed the servicetype shows as Authenticate-Only instead of Framed-User.
>
> But as you say I may need to look for something else to get full-featured accounting on the users' activity.

  You likely need to use a restricted shell which has accounting / auditing built-in.

  Alan DeKok.
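
An added illustration, not part of the thread and not pam_radius or FreeRADIUS code, of the two points discussed above: a client driven only by session open and session close can emit a Start and a Stop but nothing in between, and two logins that carry identical identifying attributes fall into one accounting row. The table key (User-Name, NAS-Identifier, Acct-Session-Id), the random session id, the user name, the NAS name and the shared secret are assumptions made for this sketch.

```python
import hashlib, os, struct

ACCT_REQUEST = 4                           # RFC 2866 Accounting-Request code
USER_NAME, NAS_IDENTIFIER = 1, 32          # attribute types
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
START, STOP = 1, 2                         # Acct-Status-Type values

def attr(t, value):
    """Encode one attribute as type, length, value (integers are 32-bit)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([t, len(value) + 2]) + value

def acct_request(ident, secret, user, session_id, status, nas=b"ssh-host"):
    """Build an Accounting-Request: MD5(header + 16 zero octets + attrs + secret)."""
    attrs = (attr(USER_NAME, user) + attr(NAS_IDENTIFIER, nas)
             + attr(ACCT_STATUS_TYPE, status) + attr(ACCT_SESSION_ID, session_id))
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs

def parse(packet, secret):
    """Check the Request Authenticator, then return {attribute type: raw value}."""
    head, auth, attrs = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(head + bytes(16) + attrs + secret).digest() != auth:
        raise ValueError("bad Request Authenticator")
    out, i = {}, 0
    while i < len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        out[t] = attrs[i + 2:i + length]
        i += length
    return out

def new_session_id():
    """Per-login identifier; random here, which is an assumption of this sketch."""
    return os.urandom(8).hex().encode()

def two_logins(secret, session_ids, user=b"testuser"):
    """Send Start at session open and Stop at session close for each login, then
    file the packets in a toy table keyed on the session's identifying attributes."""
    rows, ident = {}, 0
    for sid in session_ids:
        for status in (START, STOP):       # the only two hooks; no interim timer
            a = parse(acct_request(ident, secret, user, sid, status), secret)
            key = (a[USER_NAME], a[NAS_IDENTIFIER], a[ACCT_SESSION_ID])
            rows.setdefault(key, []).append(int.from_bytes(a[ACCT_STATUS_TYPE], "big"))
            ident += 1
    return rows
```

Calling `two_logins` with the same session id twice yields one row holding Start, Stop, Start, Stop; calling it with two `new_session_id()` values yields two rows of Start, Stop each.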

