Radacct Reused ?

Oscar oscar at jofre.com
Sun Apr 21 22:31:24 CEST 2019


Hi,

About:

	#  If we have a class attribute in the format
	#  'auth_id:[0-9a-f]{32}' it'll have a local value
	#  (defined by insert_acct_class), this ensures
	#  uniqueness and suitability.
	#
	#  We could just use the Class attribute as
	#  Acct-Unique-Session-Id, but this may cause problems
	#  with NAS that carry Class values across between
	#  multiple linked sessions.  So we rehash class with
	#  Acct-Session-ID to provide a truly unique session
	#  identifier.
	#
	#  Using a Class/Session-ID combination is more robust
	#  than using elements in the Accounting-Request,
	#  which may be subject to change, such as
	#  NAS-IP-Address, Client-IP-Address and
	#  NAS-Port-ID/NAS-Port.
	#
	#  This policy should ensure that session data is not
	#  affected if NAS IP addresses change, or the client
	#  roams to a different 'port' whilst maintaining its
	#  initial authentication session (Common in a
	#  wireless environment).

Is Class an attribute that should come from the NAS ?

I'm using MikroTik as a NAS and I think/hope it is not garbage.

This is what it is sending as accounting

	22:14:40 radius,debug sending 3f:41a8 to 18.194.84.153:1813 
	22:14:40 radius,debug,packet sending Accounting-Request with id 14 to 18.194.84.153:1813 
	22:14:40 radius,debug,packet     Signature = 0x72ab4a619fdecb98eeaefe7322abe9fe 
	22:14:40 radius,debug,packet     Acct-Status-Type = 3 
	22:14:40 radius,debug,packet     NAS-Port-Type = 19 
	22:14:40 radius,debug,packet     Calling-Station-Id = "30:07:4D:50:64:AA" 
	22:14:40 radius,debug,packet     Called-Station-Id = "8D0008D14A5D" 
	22:14:40 radius,debug,packet     NAS-Port-Id = "bridge-hs" 
	22:14:40 radius,debug,packet     User-Name = "SwB_3094873_ins_6971_30:07:4D:50:64:AA" 
	22:14:40 radius,debug,packet     NAS-Port = 2148532224 
	22:14:40 radius,debug,packet     Acct-Session-Id = "80100000" 
	22:14:40 radius,debug,packet     Framed-IP-Address = 10.1.200.245 
	22:14:40 radius,debug,packet     MT-Host-IP = 10.1.200.245 
	22:14:40 radius,debug,packet     Event-Timestamp = 1555877680 
	22:14:40 radius,debug,packet     Acct-Input-Octets = 381336 
	22:14:40 radius,debug,packet     Acct-Output-Octets = 2678031 
	22:14:40 radius,debug,packet     Acct-Input-Gigawords = 0 
	22:14:40 radius,debug,packet     Acct-Output-Gigawords = 0 
	22:14:40 radius,debug,packet     Acct-Input-Packets = 2751 
	22:14:40 radius,debug,packet     Acct-Output-Packets = 3153 
	22:14:40 radius,debug,packet     Acct-Session-Time = 3959 
	22:14:40 radius,debug,packet     NAS-Identifier = "SERVER" 
	22:14:40 radius,debug,packet     Acct-Delay-Time = 0 
	22:14:40 radius,debug,packet     NAS-IP-Address = 172.16.8.118 
	22:14:40 radius,debug,packet received Accounting-Response with id 14 from 18.194.84.153:1813 
	22:14:40 radius,debug,packet     Signature = 0x472ef1a6d674428935cc4b732b2f8363 
	22:14:40 radius,debug received reply for 3f:41a8 
	22:14:40 radius,debug request 3f:41a8 processed 
	22:15:34 system,info,account user admin logged in from 192.168.0.158 via telnet


Definitely I think Acct-Session-Id is not a unique id, but as I've seen in the MikroTik RADIUS manual: https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client

Access-Request
	NAS-Identifier - router identity
	NAS-IP-Address - IP address of the router itself
	NAS-Port - unique session ID
	Acct-Session-Id - unique session ID

Seems that NAS-Port + Acct-Session-Id (2148532224 + 80100000) should be unique.

I've sent an email to MikroTik to tell them that Acct-Session-Id is not unique and to know what they say (will share here if it is helpful).


So at this point I think, not sure yet, I need to know if my RADIUS is using Class or not:

If using Class it would be solved by modifying:

	&Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}"

	To 

	&Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}, %{NAS-Port} }"

That should create in my case a really unique Acct-Unique-Session-Id.

Because if not using Class:

                &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"

I think Acct-Unique-Session-Id will come out unique because NAS-Port is in the md5 hash.


Is that correct?

I'm not going to change anything yet.

Will wait for MikroTik's answer.


Thanks again for the support, I appreciate it.

Rgds,

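To make the two acct_unique branches discussed above concrete, here is a small model that parses the MikroTik "radius,debug,packet" lines from the post, computes the key the way each branch would, and flags Acct-Session-Id values the NAS has handed to more than one client. This is an added example written for this thread, not FreeRADIUS's or MikroTik's code. It assumes that %{md5:...} hashes the comma-joined expansion and returns lowercase hex, that a missing attribute expands to an empty string, and that attribute names compare case-insensitively; the second Accounting-Request in the sample log is constructed to show a reused id and is not real traffic. The `add_nas_port` flag models the variant proposed in the post without the stray spaces in that string (as written, those spaces would be hashed too; harmless, but they are part of the input).

```python
"""Model of FreeRADIUS's acct_unique key plus a reuse check over MikroTik
debug log lines. Added example, not FreeRADIUS or MikroTik code."""
import hashlib
import re
from collections import defaultdict

# Constructed log: the interim update quoted in the post, followed by a
# made-up Start for a different client that reuses the same Acct-Session-Id
# on another NAS-Port (the failure mode the thread is about).
SAMPLE_LOG = """\
22:14:40 radius,debug sending 3f:41a8 to 18.194.84.153:1813
22:14:40 radius,debug,packet sending Accounting-Request with id 14 to 18.194.84.153:1813
22:14:40 radius,debug,packet     Signature = 0x72ab4a619fdecb98eeaefe7322abe9fe
22:14:40 radius,debug,packet     Acct-Status-Type = 3
22:14:40 radius,debug,packet     Calling-Station-Id = "30:07:4D:50:64:AA"
22:14:40 radius,debug,packet     NAS-Port-Id = "bridge-hs"
22:14:40 radius,debug,packet     User-Name = "SwB_3094873_ins_6971_30:07:4D:50:64:AA"
22:14:40 radius,debug,packet     NAS-Port = 2148532224
22:14:40 radius,debug,packet     Acct-Session-Id = "80100000"
22:14:40 radius,debug,packet     NAS-Identifier = "SERVER"
22:14:40 radius,debug,packet     NAS-IP-Address = 172.16.8.118
22:14:40 radius,debug,packet received Accounting-Response with id 14 from 18.194.84.153:1813
22:14:40 radius,debug,packet     Signature = 0x472ef1a6d674428935cc4b732b2f8363
23:02:11 radius,debug,packet sending Accounting-Request with id 15 to 18.194.84.153:1813
23:02:11 radius,debug,packet     Acct-Status-Type = 1
23:02:11 radius,debug,packet     Calling-Station-Id = "00:11:22:33:44:55"
23:02:11 radius,debug,packet     NAS-Port-Id = "bridge-hs"
23:02:11 radius,debug,packet     User-Name = "SwB_0000000_ins_0000_00:11:22:33:44:55"
23:02:11 radius,debug,packet     NAS-Port = 2148532225
23:02:11 radius,debug,packet     Acct-Session-Id = "80100000"
23:02:11 radius,debug,packet     NAS-Identifier = "SERVER"
23:02:11 radius,debug,packet     NAS-IP-Address = 172.16.8.118
"""

REQ_RE = re.compile(r"radius,debug,packet sending Accounting-Request")
RESP_RE = re.compile(r"radius,debug,packet received Accounting-Response")
ATTR_RE = re.compile(r"^\s*\S+\s+radius,debug,packet\s+(\S+)\s*=\s*(.*?)\s*$")
CLASS_RE = re.compile(r"^auth_id:([0-9a-f]{32})$", re.I)


def parse_mikrotik_debug(text):
    """One {lowercase-attr: value} dict per Accounting-Request, quotes stripped.
    Attributes printed for the Accounting-Response are not attached to it."""
    requests, current = [], None
    for line in text.splitlines():
        if REQ_RE.search(line):
            current = {}
            requests.append(current)
        elif RESP_RE.search(line):
            current = None
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip('"')
    return requests


def _xlat_md5(*fields):
    """Assumed model of %{md5:a,b,...}: md5 of the comma-joined expansion."""
    return hashlib.md5(",".join(fields).encode()).hexdigest()


def acct_unique(attrs, add_nas_port=False):
    """Return (branch, key) following the shape of the acct_unique policy:
    the Class branch when Class looks like 'auth_id:<32 hex>', otherwise the
    fallback over Accounting-Request attributes. add_nas_port=True appends
    NAS-Port to the Class branch, as proposed in the post."""
    def g(name):
        return attrs.get(name.lower(), "")
    m = CLASS_RE.match(g("Class"))
    if m:
        fields = [m.group(1), g("Acct-Session-Id")]
        if add_nas_port:
            fields.append(g("NAS-Port"))
        return "class", _xlat_md5(*fields)
    return "fallback", _xlat_md5(
        g("User-Name"), g("Acct-Session-Id"),
        g("NAS-IPv6-Address") or g("NAS-IP-Address"),
        g("NAS-Identifier"), g("NAS-Port-Id"), g("NAS-Port"))


def reused_session_ids(requests):
    """Acct-Session-Id values one NAS has given to more than one distinct
    (User-Name, NAS-Port) pair, i.e. the NAS recycled the identifier.
    Retransmits carry identical attributes and are therefore not flagged."""
    owners = defaultdict(set)
    for r in requests:
        key = (r.get("nas-identifier", ""), r.get("acct-session-id", ""))
        owners[key].add((r.get("user-name", ""), r.get("nas-port", "")))
    return {sid for (_, sid), o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    reqs = parse_mikrotik_debug(SAMPLE_LOG)
    for r in reqs:
        print(r["acct-session-id"], r["nas-port"], acct_unique(r))
    print("reused Acct-Session-Id:", reused_session_ids(reqs))
```

Run against a longer capture, `reused_session_ids` tells you whether the NAS itself recycles identifiers before any policy change is considered; with the fallback branch the two sample requests already hash differently because User-Name and NAS-Port are in the input, while in the Class branch two packets with the same Class and Acct-Session-Id collide unless something like NAS-Port is added.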

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+oscar=jofre.com at lists.freeradius.org> On behalf of Alan DeKok
Sent: Sunday, 21 April 2019 1:50
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Radacct Reused ?

On Apr 19, 2019, at 6:40 PM, Oscar <oscar at jofre.com> wrote:
> I've searched and found the piece of code that I think creates the unique id

  Yes.

> I'm trying to understand why acctuniqueid=6cf28675aa2c38a046d7f46f65e36e72 has been created again

  Because all of the values used to create it are the same.

> and can't follow this code.
> 
> Where and what is the class? I guess {%1}? hex:&Class? string:&Class?

  See "man unlang".

> I think if in my case we go through:
>                        &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
> 
> Then unique id can be reused because user-name and rest of values can be the same. 

  Yes.

> Where does the Acct-Session-ID come from?

  The NAS sends it.  If you read the debug output, you will see this.

> Sorry for too many questions ... but trying to figure out how it works.

  The short answer for the problem here is that the NAS is re-using values for sessions.  It's not supposed to do that.  The Acct-Session-Id is *supposed* to be mostly unique.

  If the NAS is this bad, then no amount of poking the FR config will fix it.  There is literally nothing you can do to stop the problem of re-used sessions.  You have to get a NAS which implements RADIUS properly.  i.e. one that isn't garbage.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
