7. Accounting

By default GNU Radius supports three types of accounting. Any additional accounting methods can be defined using extension mechanisms.

The accounting methods are applied to a request in the following sequence:

  1. System accounting
  2. Detailed request accounting
  3. SQL accounting
  4. Custom accounting

Any method can be enabled or disabled. Thus, you can even disable them all, thereby disabling accounting altogether.

Note that the multiple login checking scheme relies on accounting being enabled. By default it uses system accounting, but it can also be configured to use SQL accounting. So, if you disable system accounting and still wish to use reliable multiple login checking, make sure you configure radiusd to use SQL for this purpose. See section Multiple Login Checking, for detailed information on the subject.

If any accounting type in this sequence fails, the accounting is deemed to fail and all subsequent methods are not invoked.


7.1 System Accounting

Radius keeps files ‘radutmp’ and ‘radwtmp’ in its logging directory and stores the accounting data there. The utilities radwho and radlast can be used to list information about users' sessions.

This accounting method is enabled by default. To disable it, use the system no statement in ‘raddb/config’. See section acct statement, for more information. Note that disabling this accounting method will disable multiple login checking as well. Refer to Multiple Login Checking for a detailed discussion of this.


7.2 Detailed Request Accounting

Radius stores detailed information about the accounting packets it receives in files ‘radacct/nasname/detail’ (see section Naming Conventions), where nasname is replaced with the short name of the NAS from the ‘raddb/naslist’ file (see section NAS List — ‘raddb/naslist’).

By default, this accounting type is always enabled, provided that the ‘radacct’ directory exists and is writable (see section Naming Conventions). To turn the detailed accounting off, use the detail statement in the ‘config’ file. For more information about it, see acct statement.

The accounting detail files consist of a record for each accounting request. A record includes the timestamp and detailed dump of attributes from the packet, e.g.:

 
Fri Dec 15 18:00:24 2000
        Acct-Session-Id = "2193976896017"
        User-Name = "e2"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 11.10.10.125
        Calling-Station-Id = "+15678023561"
        NAS-IP-Address = 11.10.10.11
        NAS-Port-Id = 8
        Acct-Delay-Time = 0
        Timestamp = 976896024
        Request-Authenticator = Unverified

Fri Dec 15 18:32:09 2000
        Acct-Session-Id = "2193976896017"
        User-Name = "e2"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Acct-Output-Octets = 5382
        Acct-Input-Octets = 7761
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 11.10.10.125
        Acct-Session-Time = 1905
        NAS-IP-Address = 11.10.10.11
        NAS-Port-Id = 8
        Acct-Delay-Time = 0
        Timestamp = 976897929
        Request-Authenticator = Unverified

Notice that radiusd always adds two pseudo-attributes to detailed listings. The Timestamp attribute shows the UNIX timestamp at which radiusd received the request. The Request-Authenticator attribute shows the result of checking the request authenticator. Its possible values are:

Verified
        The authenticator check was successful.

Unverified
        The authenticator check failed. This could mean that either the request was forged or that the remote NAS and radiusd do not agree on the value of the shared secret.

None
        The authenticator check is not applicable for this request type.
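How the check behind these values works for an Accounting-Request, as an added example that follows RFC 2866 and is not taken from the GNU Radius sources. The secrets, the sample attributes and the function names are constructed for illustration, and returning None for every other packet code is an assumption about which request types are left unchecked.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)

def attr(code, value):
    """Encode one attribute as type, length, value."""
    return bytes([code, len(value) + 2]) + value

def acct_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident, attrs, secret):
    """Packet as a NAS holding `secret` would send it."""
    auth = acct_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs

def check_request(packet, secret):
    """Return the label a detail record would carry for this packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the packet")
    if code != ACCOUNTING_REQUEST:
        return "None"  # assumption: other request types are not checked
    expected = acct_authenticator(code, ident, packet[20:length], secret)
    ok = hmac.compare_digest(expected, packet[4:20])
    return "Verified" if ok else "Unverified"

# Constructed attributes: User-Name (1), Acct-Status-Type (40) = Start,
# Acct-Session-Id (44)
SAMPLE_ATTRS = (attr(1, b"e2") + attr(40, struct.pack("!I", 1))
                + attr(44, b"2193976896017"))
```

A packet built with one secret and checked with another yields Unverified, as does a packet whose attributes were altered after the authenticator was computed, which is why the value cannot distinguish a misconfigured NAS from a forged request.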

Notice also that the so-called internal attributes are not logged in the detail file by default. Internal attributes are those whose decimal value is greater than 255. Such attributes are used internally by Radius and cannot be transferred via the RADIUS protocol. Examples of such attributes are Fall-Through, Hint and Huntgroup-Name. See section Radius Internal Attributes, for a detailed listing of all internal attributes. The special attribute flag l (lower-case ell) may be used to force logging of such attributes (see section ATTRIBUTE statement).
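A reader for the detail records shown earlier in this section, added here as an example (not GNU Radius code): it splits a file into records and counts, per NAS, the requests logged with Request-Authenticator = Unverified. The sample text is constructed in the layout of the listing above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of a detail file (not real traffic).
SAMPLE = """\
Fri Dec 15 18:00:24 2000
        Acct-Session-Id = "2193976896017"
        User-Name = "e2"
        Acct-Status-Type = Start
        NAS-IP-Address = 11.10.10.11
        Timestamp = 976896024
        Request-Authenticator = Unverified

Fri Dec 15 18:32:09 2000
        Acct-Session-Id = "2193976896017"
        User-Name = "e2"
        Acct-Status-Type = Stop
        NAS-IP-Address = 11.10.10.11
        Timestamp = 976897929
        Request-Authenticator = Verified
"""

PAIR = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$')

def parse_detail(text):
    """Yield one dict per record: a header line followed by indented pairs."""
    record = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PAIR.match(line)
        if m is None:                     # unindented line starts a record
            if record is not None:
                yield record
            record = {"_logged": line.strip()}
        elif record is not None:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]       # drop the quotes around strings
            record[m.group(1)] = value
    if record is not None:
        yield record

def unverified_by_nas(records):
    """Count records whose authenticator check failed, keyed by NAS address."""
    return Counter(r.get("NAS-IP-Address", "?") for r in records
                   if r.get("Request-Authenticator") == "Unverified")
```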


7.3 SQL Accounting

The SQL accounting method is enabled when Radius is configured with the ‘--enable-sql’ option and the ‘sqlserver’ file in its configuration directory is properly set up (see section SQL Configuration — ‘raddb/sqlserver’).

This version of GNU Radius (1.6) supports MySQL and PostgreSQL servers. It also supports ODBC, which can be used to build interfaces to other database management systems.

With this accounting method enabled, radiusd will store the information about accounting requests in the configured SQL database. The accounting method is fully configurable: the Radius administrator defines both the types of requests to be accounted and the information to be stored in the database (see section SQL Configuration — ‘raddb/sqlserver’).


7.4 Defining Custom Accounting Types

If the built-in accounting methods do not meet your requirements, you can implement your own. There are two ways of doing so:

  1. Using a Guile procedure.
  2. Using an external program.

To use a Guile procedure for accounting, the name of the procedure must be specified as a value to the Scheme-Acct-Procedure attribute in the RHS list of a ‘hints’ entry, e.g.:

 
DEFAULT NULL Scheme-Acct-Procedure = "my-acct"

For a detailed description of Scheme accounting procedures, see section Accounting with Scheme.

Another way of implementing your own accounting method is using an external program. This is less effective than the methods described above, but may be necessary sometimes. To invoke the program, use the following statement in the LHS of the ‘hints’ entry:

 
Acct-Ext-Program = "progname args"

The progname must be the full path to the program, and args any arguments it needs. The usual substitutions may be used in args to pass any request attributes to the program (see section Macro Substitution).

For a detailed description of Acct-Ext-Program, see section Acct-Ext-Program.


This document was generated by Sergey Poznyakoff on December, 6 2008 using texi2html 1.78.