FR with MySQL. Proxying and repeated entries

Paolo Rotela paolo.rotela at bluetelecom.com
Fri Aug 19 20:16:32 CEST 2005


Hi. Sorry if this is a dumb thing, but I've searched a lot and din't find 
any solution to this problem.

I'm using freeradius (versions 0.9.3, 1.0.0 and 1.0.4) with MySQL 3.23 and 
4.1.7 (different mappings between FR and My)

I have some clients to wich I'm proxying requests to some realms. All works 
OK but there is one client wich is using Cisco Secure ACS, wich is giving me 
some headaches.

With this one, Access-* packets go OK, but when the NAS (Cisco AS5300) sends 
an Accounting-Request to that realm and I proxy it to the home server, it 
sends me an Accounting-Response with an (I think) irregular attribute: 
Message-Authenticator (Ext. Attr. 80), wich I think is not permitted in the 
RFC for accounting packets.

So, my FR, discards it as supposed thus leading my NAS to re-send accounting 
request a lot of times until it gives up.

This leads me to three main questions:

1) Am I reading OK the RFC? I mean ¿Is it right that Attribute 80 is NOT 
permitted in Accounting-* packets?

2) Each time the NAS re-sends packets, FR handles it as it were a new 
packet, for a new call/connection. This way, I have each call for this 
specific realm n times, with n being the times I configure the NAS to 
re-send the packet. Every time the NAS re-sends an Accounting-start, the SQL 
query in sql.conf says "INSERT blah blah blah", wich leads to a new record 
be inserted into the database, and every time the NAS re-sends an 
Accounting-stop, the SQL query says "UPDATE blah blah blah", so it leads to 
calls being recorded many times. The question is ¿is there any way to solve 
this through configuration, and I didn't find it because I'm a dumb? ¿Or I 
have to "touch" the code for the radius to verify if the packet is a 
repeated one or not?

3) Is there any known bug or propietary feature from Cisco wich causes this 
incompatibility thing? I've searched about it and didn't find anything.

I know that "3" is not at all about freeradius, but perhaps some of you came 
accross this at any time.

Any help will be very appreciated.




More information about the Freeradius-Users mailing list