bug-gnu-radius
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-gnu-radius] Accounting trail in a proxy setup

From: Maurice Makaay
Subject: Re: [Bug-gnu-radius] Accounting trail in a proxy setup
Date: Wed, 21 Jul 2004 14:44:10 +0200 
Hi Sergey,

> 2) If everything goes OK, the remote party responds with an
> Accounting-Accept packet. Your server receives it, looks up
> the original record in the queue and then processes it.
> See radius.c:489-508.

This was one of the scenario's I had in mind. The reason for
not logging the detail record is _for sure_ that the remote party does
not return an Accounting-Accept packet. But then I have a new
problem (which is not your problem). We will have to be able to bill
the customer for each hour that our infrastructure is used. We do this
based on our accounting records. In case the customer shuts down their
radius accounting server, they will have internet for free, because
we do not have any accounting records anymore ;-)

So proxying the radius accounting straight away is no solution for us.
Simple forwarding would be ideal for this. But if I enable forwarding,
the customer will get all our accounting records. That would, of course,
not be accepted by our management ;-) An extra option in the realms file 
could be useful for this:

    realm     1.2.3.4:1812    fwacct=1.2.3.4:1813

or even simpler as a sort of third option for acct / noacct:

    realm     1.2.3.4:1812    fwacct

Please consider adding this feature. If you want me to write some 
proposal code for this, please let me know.

In the meanwhile, I think I should do something like the following to
solve our problem:

   -----OUR RADIUS----->local detail accounting
         |    |
     auth|    |acct
    proxy|    |forwarding
         |    v
         |    OUR ACCOUNTING RADIUS
         |    |acct
         |    |proxy
         v    v
         CUSTOMER RADIUS

So we do not proxy the accounting records to the customer. Instead, we log
them locally in our detail files. Next to that, we forward the accounting
to yet another radius server in our network, which will have to proxy the
accounting for the customer to the customer radius (will that work? proxying
after forwarding?). Accounting which is not for the customer can simply
be dropped by the accounting radius server. This way, we will never loose 
accounting packages ourselves. And that's a good thing, since we want to 
have the truth on dial-in sessions.

> > Or, of course, wake me up again like you have done some times before ;-)
 
> Here it goes :^) 

* Maurice awakes bathing in sweat, after having a horrible nightmare *


Thanks,

Maurice Makaay
reply via email to
[Prev in Thread] Current Thread [Next in Thread]