Date: 16 Aug 2001 17:59:00 +0300 From: "Adrian Pavlykevych" <pam@polynet.lviv.ua> To: freebsd-isp@freebsd.org Subject: Re: RADIUS Accounting with SQUID Message-ID: <20010816175859.E528@polynet.lviv.ua> In-Reply-To: <20010816141325.C19104@jake.akitanet.co.uk>; from paul@akita.co.uk on Thu, Aug 16, 2001 at 02:13:26PM %2B0100 References: <997919908.1446.1202.camel@localhost> <20010815094331.B12922@jake.akitanet.co.uk> <997984620.1446.2253.camel@localhost> <20010816141325.C19104@jake.akitanet.co.uk>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Thu, Aug 16, 2001 at 02:13:26PM +0100, Paul Robinson wrote: > On Aug 16, Andrew Reid <andrew.reid@plug.cx> wrote: > > I've not had much to do with RADIUS, but I know that it provides some > > accounting functionality. I thought that the two (SQUID and RADIUS) > > could be mushed together somehow to provide a slightly more workable > > solution to Internet Quota. > > Well. Hmph. OK, this might be quite awkward. The only way I can think of > getting an Accounting-Start is with munging some sort of proxy > authentication. However, you will get a start saying 'this kid has just > started' but will get no more further information until they > de-authenticate, or log-off, thereby causing an accounting-stop which > contains all the information like how long they were logged in for, amount > of data moved, etc. This is because RADIUS is meant for dial-up work - the > fact that people have just managed to make it work elsewhere, particularly > for authentication doesn't mean to say it's the best way to handle this sort > of thing. Well, it depends. Squid has no other notion of user session as HTTP sessions (every request or, in case of HTTP 1.1 persistant connection, several requests). So, user authentication is done on per connection basis (modulo caching). If we cloud get Squid to call function on every disconnect (same as access log entry is written), we could get nice sequence of RADIUS accounting Start and Stop packets. > There is a need for this sort of stuff, but in an ISP context, you're going > to be able to get it off the RADIUS accounting from the dial-up port. In > this context there is a clear start and end to a session. In the situation > you're talking about, we're talking more 'hot-desking', and users may share > machines, or the end of a session might not be as easily visible to the > proxy. You don't have any long living session in Squid, see above. Problems with "hot-desking" are organizational - same as someone going away from logged in computer or terminal, and should be handled as such (e.g. administratively). Besides, if someone is sloppy or "kind" enough to let others eat his share of network resources, it is his fault and problem. Regards, -- Adrian Pavlykevych email: <pam@polynet.lviv.ua> System Administrator phone/fax: +380 (322) 742041 Lviv Polytechnic National University [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjt737MACgkQdWQndLibxtDibgCgt7zrbDImrlUkHIfFEJ1xJMdf guEAoI3TQVfllDPRZZ0hpaKT2mHV9Cz8 =CbCZ -----END PGP SIGNATURE-----help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010816175859.E528>