Re: [RADIATOR] Hopefully a simple question regarding accounting

2016-05-16 Thread Hugh Irvine 

Hello Martin -

Instead of IgnoreAccounting, you should use NoForwardAccounting, otherwise the 
original request will not be acknowledged.

See the following section in the Radiator 4.16 reference manual (“doc/ref.pdf”).


• 5.31.17  NoForwardAccounting

Stops AuthBy RADIUS forwarding Accounting-Requests. They are ACCEPTED, but no 
further action is taken with them. This is different in meaning to 
IgnoreAccounting, which IGNOREs them.

# Just ACCEPT Accounting-Requests, don’t forward them 

NoForwardAccounting


regards

Hugh


> On 16 May 2016, at 20:19, Martin Burton  wrote:
> 
> Hi Folks,
> 
> The Eduroam Fedaration are on the verge of implementing a
> "no-accounting" border between Organisational and National Proxies and
> participants are being asked to stop sending accounting packets upstream.
> 
> Currently, I have the following config that forwards to the NRPS:
> 
> 
> 
>Identifier NRPS
>FailureBackoffTime 10
>RetryTimeout 5
>Retries 1
>UseExtendedIds
>AllowInRequest  User-Name, Reply-Message, State, Class, \
>Message-Authenticator, Proxy-State, \
>EAP-Message, MS-MPPE-Send-Key, MS-MPPE-Recv-Key, \
>Calling-Station-Id, Acct-Status-Type,
> Acct-Session-ID
> 
>AllowInReplyUser-Name, Reply-Message, State, Class, \
>Message-Authenticator, Proxy-State, \
>EAP-Message, MS-MPPE-Send-Key, MS-MPPE-Recv-Key, \
>Calling-Station-Id, Acct-Status-Type,
> Acct-Session-ID, Operator-Name
> 
> 
> 
>AddToRequest Operator-Name="1sanger.ac.uk"
> #
> # Include the radius server specific NRPS host configuration
> #
>include %D/%h.nrps
> 
>AutoMPPEKeys
> 
> 
> 
>Identifier OUT-NRPS
>AcctLogFileName %L/default.acct.log
>AuthByPolicy ContinueWhileIgnore
>AuthLog EduroamLog
>AuthBy AuthLOG
>AuthBy NRPS
> 
> 
> 
> where %D/%h.nrps  simply contains the  declarations for the upstreams.
> 
> 
> If I want to ensure that no accounting packets are sent upstream is it
> as simple as adding "IgnoreAccounting" the AuthBy:
> 
> 
>   Identifier NRPS
> 
>   IgnoreAccounting
>   
>   FailureBackoffTime 10
>   RetryTimeout 5
>   Retries 1
> 
> .
> .
> .
> 
> 
> Just seems too simple!
> 
> 
> Thanks,
> 
> Martin.
> 
> -- 
> Martin Burton
> Principal Systems Administrator\\\|||///
> Infrastructure Team   \\  ^ ^  //
> Wellcome Trust Sanger Institute(  6 6  )
> -oOOo-(_)-oOOo---
> t: +44 (0)1223 496945 http://www.sanger.ac.uk
> Extreme Networks Specialist:  a178003uG1BAAU
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

[RADIATOR] Hopefully a simple question regarding accounting

2016-05-16 Thread Martin Burton 
Hi Folks,

The Eduroam Fedaration are on the verge of implementing a
"no-accounting" border between Organisational and National Proxies and
participants are being asked to stop sending accounting packets upstream.

Currently, I have the following config that forwards to the NRPS:



Identifier NRPS
FailureBackoffTime 10
RetryTimeout 5
Retries 1
UseExtendedIds
AllowInRequest  User-Name, Reply-Message, State, Class, \
Message-Authenticator, Proxy-State, \
EAP-Message, MS-MPPE-Send-Key, MS-MPPE-Recv-Key, \
Calling-Station-Id, Acct-Status-Type,
Acct-Session-ID

AllowInReplyUser-Name, Reply-Message, State, Class, \
Message-Authenticator, Proxy-State, \
EAP-Message, MS-MPPE-Send-Key, MS-MPPE-Recv-Key, \
Calling-Station-Id, Acct-Status-Type,
Acct-Session-ID, Operator-Name



AddToRequest Operator-Name="1sanger.ac.uk"
#
# Include the radius server specific NRPS host configuration
#
include %D/%h.nrps

AutoMPPEKeys



Identifier OUT-NRPS
AcctLogFileName %L/default.acct.log
AuthByPolicy ContinueWhileIgnore
AuthLog EduroamLog
AuthBy AuthLOG
AuthBy NRPS



where %D/%h.nrps  simply contains the  declarations for the upstreams.


If I want to ensure that no accounting packets are sent upstream is it
as simple as adding "IgnoreAccounting" the AuthBy:


Identifier NRPS

IgnoreAccounting

FailureBackoffTime 10
RetryTimeout 5
Retries 1

.
.
.


Just seems too simple!


Thanks,

Martin.

-- 
Martin Burton
Principal Systems Administrator\\\|||///
Infrastructure Team   \\  ^ ^  //
Wellcome Trust Sanger Institute(  6 6  )
-oOOo-(_)-oOOo---
t: +44 (0)1223 496945 http://www.sanger.ac.uk
Extreme Networks Specialist:  a178003uG1BAAU



signature.asc
Description: OpenPGP digital signature
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator