802.1X wireless, FR, and accounting...

sth sth at noiseplant.com
Wed Jan 14 00:11:41 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi folks,

I've deployed FR2 to service 802.1X wireless authentication (Cisco LWAPP
infrastructure), and it's working splendidly from the users'
perspective. Accounting, however, is acting weirdly, and I have yet to
determine why. 'radlast' gives output like this:

gsmith   029:CvbP6g   10.1.2.3         Tue Jan 13 17:48 - 17:54  (00:06)
mjones   029:CvbP9A   10.2.8.9         Tue Jan 13 17:25 - 17:34  (00:09)
mjones   029:CvbP9A   192.168.2.2      Tue Jan 13 17:25 - 17:25  (00:00)
bblack   029:CvbP9A   10.1.1.9         Tue Jan 13 17:24 - 17:25  (00:01)
cwhite   029:CvbP6g   10.1.2.4         Tue Jan 13 17:23 - 17:24  (00:00)
cwhite   029:CvbP6g   10.1.2.4         Tue Jan 13 17:23 - 17:23  (00:00)
cwhite   029:CvbP6g   10.250.59.255    Tue Jan 13 17:23 - 17:23  (00:00)
cwhite   029:CvbP6g   10.250.59.255    Tue Jan 13 17:23 - 17:23  (00:00)
mbrown   029:CvbP9A   10.9.8.7         Tue Jan 13 17:23 - 17:24  (00:00)
mbrown   029:CvbP9A   192.168.0.6      Tue Jan 13 17:23 - 17:23  (00:00)
...

(note the very brief session lengths)

'radwho' reacts accordingly, only listing those users whose very brief
window of "accounting existence" has not yet closed.

If you've heard this tune before, please feel free to send a link to the
appropriate mailing list thread or wiki article.

The LWAPP controllers send accounting start packets to the RADIUS server
as expected, but shortly thereafter, send accounting stop messages. I
fell asleep part of the way through RFC3580, so I humbly ask the
experts: is this "correct" behavior, consistent with the protocol (or at
least, most implementations of the protocol)? Do most 802.1X
authenticators not wait for actual port closure to send an accounting
stop message?

In a thread from back in June of 2008 (Vol 38, Issues 116, 121, and
122: "radacct/radutmp out of sync"), Alan refers to radutmp as a hack,
and recommends moving to an SQL database. Is this the way I should be
going? People around here like 'radwho', but I'm happy to write a script
called 'radwho' that performs an SQL query. And if this is a known
issue, is there a widely-accepted method for addressing the lack of
coincidence between the accounting stop messages and actual closure of
the port, or is everyone left to make their own assumptions about that?


Many thanks,

- -sth

sam hooker|http://www.noiseplant.com|i am between the internet
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkltH6sACgkQX8KByLv3aQ3s2ACeOfKWRSa9nZ3bSwebBcitcrL8
VqoAnjA8DoRUjwBUqkwMBs7qOiDmhGOd
=SXac
-----END PGP SIGNATURE-----
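
As an added example (not part of the original post, and not FreeRADIUS code), here is a small Python script that parses radlast output in the format quoted in the message and summarises the brief-session symptom per user: how many sessions each user has, how many closed within a one-minute threshold, which Framed-IP-Addresses were reported, and which start/stop pairs appear more than once (duplicate Stop records). The sample input is the radlast output from the post itself; the column layout, the one-minute threshold, and the function names are assumptions made for this example. The same check could be pointed at a radacct SQL table later, if the move away from radutmp goes ahead.

```python
import re
from collections import defaultdict

# radlast output as quoted in the post (the '...' line is skipped by the parser).
RADLAST_OUTPUT = """\
gsmith   029:CvbP6g   10.1.2.3         Tue Jan 13 17:48 - 17:54  (00:06)
mjones   029:CvbP9A   10.2.8.9         Tue Jan 13 17:25 - 17:34  (00:09)
mjones   029:CvbP9A   192.168.2.2      Tue Jan 13 17:25 - 17:25  (00:00)
bblack   029:CvbP9A   10.1.1.9         Tue Jan 13 17:24 - 17:25  (00:01)
cwhite   029:CvbP6g   10.1.2.4         Tue Jan 13 17:23 - 17:24  (00:00)
cwhite   029:CvbP6g   10.1.2.4         Tue Jan 13 17:23 - 17:23  (00:00)
cwhite   029:CvbP6g   10.250.59.255    Tue Jan 13 17:23 - 17:23  (00:00)
cwhite   029:CvbP6g   10.250.59.255    Tue Jan 13 17:23 - 17:23  (00:00)
mbrown   029:CvbP9A   10.9.8.7         Tue Jan 13 17:23 - 17:24  (00:00)
mbrown   029:CvbP9A   192.168.0.6      Tue Jan 13 17:23 - 17:23  (00:00)
...
"""

# Assumed column layout: user, session id, framed IP, "Day Mon DD HH:MM - HH:MM", "(HH:MM)".
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<sid>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}) - (?P<end>\d{2}:\d{2})\s+"
    r"\((?P<hours>\d+):(?P<mins>\d{2})\)\s*$"
)


def parse_radlast(text):
    """Turn radlast lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "user": m["user"], "sid": m["sid"], "ip": m["ip"],
            "start": m["start"], "end": m["end"],
            "minutes": int(m["hours"]) * 60 + int(m["mins"]),
        })
    return records


def brief_session_report(records, threshold_minutes=1):
    """Per user: session count, sessions closed within the threshold, and distinct IPs seen.
    A user whose sessions are all 'brief' is one the NAS stopped shortly after starting."""
    acc = defaultdict(lambda: {"sessions": 0, "brief": 0, "ips": set()})
    for r in records:
        entry = acc[r["user"]]
        entry["sessions"] += 1
        entry["ips"].add(r["ip"])
        if r["minutes"] <= threshold_minutes:
            entry["brief"] += 1
    return {
        user: {"sessions": v["sessions"], "brief": v["brief"], "ips": sorted(v["ips"])}
        for user, v in acc.items()
    }


def duplicate_records(records):
    """Start/stop pairs that appear more than once for the same user, session id and IP.
    Repeated identical rows usually mean the NAS sent the same Stop more than once."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["user"], r["sid"], r["ip"], r["start"], r["end"])] += 1
    return sorted((key, n) for key, n in counts.items() if n > 1)


if __name__ == "__main__":
    recs = parse_radlast(RADLAST_OUTPUT)
    for user, summary in sorted(brief_session_report(recs).items()):
        print(f"{user:8s} sessions={summary['sessions']} brief={summary['brief']} ips={summary['ips']}")
    for key, n in duplicate_records(recs):
        print("duplicate x%d: %s" % (n, " ".join(key)))
```

Run against the quoted output it reports every cwhite and mbrown session as brief, one duplicated cwhite start/stop pair, and two different IPs for three of the five users, which is a compact way to show a NAS vendor that Stops are arriving long before the port actually closes.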
