0

How can I implement accounting on a Unix system using pam_radius? pam_radius configuration is easy for authentication.

But I am confused about how to do accounting.

In accounting, we send some AVPs to port 1813 of the RADIUS server. However, how can I do this with pam_radius?

For example, I have the following config in /etc/pam.d/radius:

auth        sufficient      pam_radius_auth.so
account     sufficient      pam_radius_auth.so
session     sufficient      pam_radius_auth.so
password    sufficient      pam_radius_auth.so

And I test my config with pamtester:

pamtester radius ali authenticate
Password: 
pamtester: successfully authenticated

The RADIUS server is already running and authentication was successful.

But where is accounting in the pam_radius module?

2 Answers

0

Accounting is usually the job of the 'session' PAM type. It is the only type that is invoked at login and logout, and there are separate PAM calls for Accounting-Start and Accounting-Stop:

pamtester radius ali open_session close_session

(The 'session' calls are invoked even for logins that aren't password-based, such as SSH public-key auth, which of course cannot go through 'authenticate' as there's no password to be given.)


Note that despite its name, the 'account' type is not for RADIUS accounting – it is used for authorization (account validation), i.e. checking whether the account is allowed to log in.

0

Perhaps a bit late, but I came across this question when attempting to diagnose a similar problem.

It turns out, when the RADIUS PAM module attempts to send a packet, if no specific port is configured in the pam_radius server configuration, it looks the port up by name in /etc/services.

  • For authentication, it looks for the name radius.
  • For accounting, it looks for the name radacct.

However, on my system, the entry in /etc/services is actually radius-acct. I am compiling my own, so I just patched this string to match my system.

One other option is to be sure to specify the port in the server configuration for pam_radius. If given a numeric port, the module treats that as the radius port and increments it by one to derive the accounting port. So, if you explicitly set :1812, the accounting packets will go to port 1813 as desired.
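
The port selection described in the answer above, as an added example (not pam_radius source code and not part of the original answer): it reports which authentication and accounting ports a server entry would resolve to against a given services file. The function names, the host name and the sample services content are constructed, and it assumes that aliases in the services file count as names and that the server is a hostname or IPv4 address.

```shell
#!/bin/sh
# Added example, not pam_radius source. Function names and sample data are constructed.

# Print the UDP port for service NAME (official name or alias) in FILE, or nothing.
# Assumption: aliases count, as they do for a getservbyname()-style lookup.
lookup_udp_port() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # strip comments before matching
        NF >= 2 && $2 ~ /\/udp$/ {
            for (i = 1; i <= NF; i++)
                if (i != 2 && $i == want) { split($2, p, "/"); print p[1]; exit }
        }' "$1"
}

# resolve_ports FILE SERVER: SERVER is "host" or "host:port" (hostname/IPv4 only).
resolve_ports() {
    auth='' acct=''
    case $2 in
        *:*)                                    # explicit port: accounting = port + 1
            auth=${2##*:}
            case $auth in ''|*[!0-9]*) echo "unsupported: $2" >&2; return 2 ;; esac
            acct=$((auth + 1)) ;;
        *)                                      # no port: look both names up
            auth=$(lookup_udp_port "$1" radius)
            acct=$(lookup_udp_port "$1" radacct) ;;
    esac
    echo "auth=${auth:-unresolved} acct=${acct:-unresolved}"
}

# Constructed services file like the one described: accounting listed only as radius-acct.
write_sample_services() {
    cat > "$1" <<'EOF'
radius          1812/tcp
radius          1812/udp                # RADIUS authentication
radius-acct     1813/tcp
radius-acct     1813/udp                # no "radacct" alias on this system
EOF
}

sample=$(mktemp)
write_sample_services "$sample"
resolve_ports "$sample" radius.example.test        # auth=1812 acct=unresolved
resolve_ports "$sample" radius.example.test:1812   # auth=1812 acct=1813
rm -f "$sample"
```

Point the first argument at /etc/services on the host under test; an `acct=unresolved` result for a server entry without a port is the condition the answer ran into.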
