Date:      Thu, 16 Aug 2001 16:31:08 +0100
From:      Paul Robinson <paul@akita.co.uk>
To:        Adrian Pavlykevych <pam@polynet.lviv.ua>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: RADIUS Accounting with SQUID
Message-ID:  <20010816163108.A19902@jake.akitanet.co.uk>
In-Reply-To: <20010816175859.E528@polynet.lviv.ua>; from pam@polynet.lviv.ua on Thu, Aug 16, 2001 at 05:59:00PM +0300
References:  <997919908.1446.1202.camel@localhost> <20010815094331.B12922@jake.akitanet.co.uk> <997984620.1446.2253.camel@localhost> <20010816141325.C19104@jake.akitanet.co.uk> <20010816175859.E528@polynet.lviv.ua>

On Aug 16, Adrian Pavlykevych <pam@polynet.lviv.ua> wrote:

Note 1: Please set the wrap on your mailer properly - this one came in with
all your paragraphs on the same line...

> Well, it depends. Squid has no other notion of user session as HTTP
> sessions (every request or, in case of HTTP 1.1 persistent connection,
> several requests). So, user authentication is done on per connection basis
> (modulo caching). If we could get Squid to call function on every
> disconnect (same as access log entry is written), we could get nice
> sequence of RADIUS accounting Start and Stop packets.

Ummm... RADIUS really wasn't meant for that sort of (ab)use. You're going to
get a lot of UDP traffic flying over your network if you do this, but if you
think you can scale it OK - so that you generate several hundred bytes of
UDP traffic on _every_single_ HTTP request - then good luck to you.

> > There is a need for this sort of stuff, but in an ISP context, you're going
> > to be able to get it off the RADIUS accounting from the dial-up port. In
> > this context there is a clear start and end to a session. In the situation
> > you're talking about, we're talking more 'hot-desking', and users may share
> > machines, or the end of a session might not be as easily visible to the
> > proxy.

> You don't have any long living session in Squid, see above. Problems with
> "hot-desking" are organizational - same as someone going away from logged
> in computer or terminal, and should be handled as such
> (e.g. administratively). Besides, if someone is sloppy or "kind" enough to
> let others eat his share of network resources, it is his fault and
> problem.

I think the point I was trying to make seems to have skipped well over your
head on this one - I know HTTP and Squid have no long sessions - that's my
point. That's _why_ RADIUS is probably a bad choice for this. RADIUS stands
for Remote Authentication Dial-In User Service and the name in itself tells
you what it is best at handling - 'long' user sessions that last at least a
few seconds, probably 30 or more (30 seconds is a long time at this level).
You are talking about transactions that last milliseconds. I would STRONGLY
advise you read very carefully RFC2866 and maybe even preceding RADIUS
Accounting RFCs to make sure you really know what you're doing.

Of course, if you want to implement this, nobody is going to stop you. I
just don't think I'd want it on _my_ network... :-)

There are other projects underway it would seem, as well, to actually handle
what you're talking about in a far easier manner through log file parsing
and the like.

-- 
Paul Robinson                   ,---------------------------------------
Technical Director @ Akita      | A computer lets you make more mistakes
PO Box 604, Manchester, M60 3PR | than any other invention with the
T: +44 (0) 161 228 6388 (F:6389)| possible exceptions of handguns and
                                | Tequila    - Mitch Ratcliffe
                                `-----
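
The per-request Start/Stop exchange discussed in this thread, sized out as an added example (not part of the original message and not Squid code): it builds RFC 2866 Accounting-Request packets and totals the bytes on the wire for one HTTP request. The user name, session ID, NAS address, shared secret and the choice of attributes are constructed sample values and assumptions.

```python
import hashlib
import struct

ACCOUNTING_REQUEST = 4         # RFC 2866 packet code
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
START, STOP = 1, 2
ACCOUNTING_RESPONSE_LEN = 20   # header + authenticator, no attributes
IP_UDP_HEADERS = 20 + 8        # IPv4 without options + UDP


def attr(kind, value):
    """Encode one attribute as type, length, value (ints become 32-bit)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return struct.pack("!BB", kind, len(value) + 2) + value


def accounting_request(ident, secret, attrs):
    """Build an Accounting-Request with its Request Authenticator."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # MD5(code + id + length + 16 zero octets + attributes + shared secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def start_stop_pair(user, session_id, nas_ip, secret, octets_in, octets_out, seconds):
    """Start and Stop packets for one HTTP request treated as a session."""
    common = [attr(USER_NAME, user), attr(NAS_IP_ADDRESS, nas_ip),
              attr(ACCT_SESSION_ID, session_id)]
    start = accounting_request(1, secret, [attr(ACCT_STATUS_TYPE, START)] + common)
    stop = accounting_request(2, secret, [attr(ACCT_STATUS_TYPE, STOP)] + common + [
        attr(ACCT_INPUT_OCTETS, octets_in), attr(ACCT_OUTPUT_OCTETS, octets_out),
        attr(ACCT_SESSION_TIME, seconds)])
    return start, stop


def wire_bytes(start, stop):
    """Two requests, two responses, and IP/UDP headers on all four datagrams."""
    return len(start) + len(stop) + 2 * ACCOUNTING_RESPONSE_LEN + 4 * IP_UDP_HEADERS


if __name__ == "__main__":
    # Constructed sample: a 40 ms request rounds to 0 in Acct-Session-Time (seconds).
    start, stop = start_stop_pair(b"alice", b"squid-000001", bytes([192, 0, 2, 1]),
                                  b"testing123", 412, 10240, 0)
    print(len(start), len(stop), wire_bytes(start, stop))
```

With these sample values the Start packet is 53 bytes, the Stop packet 71 bytes, and the full exchange including the two 20-byte Accounting-Response packets and IP/UDP headers comes to 276 bytes per HTTP request.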
