Radacct Reused ?

Oscar oscar at jofre.com
Fri May 3 17:10:31 CEST 2019


Hi Alan,

I did ask MikroTik about my problem and the Acct-Session-Id not being unique, and here is their answer:

>>>	Hello,
>>>	
>>>	RFC does not have strict requirements for Acct-Session-Id parameter.
>>>	
>>>	https://tools.ietf.org/html/rfc2866#section-5.5
>>>	
>>>	In RouterOS, the first two symbols of session ID represent service (PPP, Hotspot, etc.). The next symbol is incremented on each reboot. The last group of symbols is incremented on each new session. This means, that you can not get the same ID for 1 million re-connects on the same boot for the same RADIUS type service.
>>>	
>>>	If you lose session stop message and RADIUS server does still keep the session open, but then receives another session start message, then it must be aware that stop message was lost, close old session and start a new session.
>>>	
>>>	In short none of the systems can maintain unique session ID forever. In most of the systems, you can generate up to 16 million unique IDs. 
>>>	
>>>	Best regards,


I'm just in the middle, using both systems: FreeRADIUS and the MikroTik hotspot.

And I'm trying to find a solution to the reused radacct problem.

I see that you also know the difficulty of getting a really unique ID from a NAS; even Cisco does something similar, and the RFC defines a use quite similar to what MikroTik does. To try to create a stronger unique ID, FreeRADIUS does:

   &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"


But when there are many, many NASes with the same behavior as mine, even this stronger unique ID is not enough.


My thought to solve this (I can't even call it a recommendation) would be to update this Acct-Unique-Session-Id (acctuniqueid) once the session is closed, with a concatenation of its value and, for example, the timestamp of the acctstoptime. That way we will be really sure that this record won't be reused in the future.
Also, the ones that use a job to close the stale sessions can update this acctuniqueid following this "rule".

I don't want to poke the FreeRADIUS configuration; I just want to make it stronger, as it is trying to be by using a concatenation of parameters to create a stronger unique ID.


Thanks,


-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+oscar=jofre.com at lists.freeradius.org> On behalf of Alan DeKok
Sent: Monday, April 22, 2019 14:33
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Radacct Reused ?

On Apr 21, 2019, at 4:31 PM, Oscar <oscar at jofre.com> wrote:
> About:

  Copying configuration files to the list isn't helpful.

> Is Class an attribute that should come from the NAS ?

  No.

> I'm using MikroTik as a NAS and I think/hope it is not garbage.

  <shrug>  If it's re-using Acct-Session-Id across different sessions, then yes, it's garbage.

> This is what it is sending as accounting
> 
> 	22:14:40 radius,debug sending 3f:41a8 to 18.194.84.153:1813 
> 	22:14:40 radius,debug,packet sending Accounting-Request with id 14 to 18.194.84.153:1813 
> 	22:14:40 radius,debug,packet     Signature = 0x72ab4a619fdecb98eeaefe7322abe9fe 
> 	22:14:40 radius,debug,packet     Acct-Status-Type = 3 
> 	22:14:40 radius,debug,packet     NAS-Port-Type = 19 
> 	22:14:40 radius,debug,packet     Calling-Station-Id = "30:07:4D:50:64:AA" 
> 	22:14:40 radius,debug,packet     Called-Station-Id = "8D0008D14A5D" 
> 	22:14:40 radius,debug,packet     NAS-Port-Id = "bridge-hs" 
> 	22:14:40 radius,debug,packet     User-Name = "SwB_3094873_ins_6971_30:07:4D:50:64:AA" 
> 	22:14:40 radius,debug,packet     NAS-Port = 2148532224 
> 	22:14:40 radius,debug,packet     Acct-Session-Id = "80100000" 

  That's really not a good idea.  The Acct-Session-Id *should* be a long random string.

> Seems that NAS-Port + Acct-Session-Id (  2148532224 + 80100000 ) should be unique.

  Except when the same user logs into the same NAS port.

> Is that correct ?

  When I said no amount of poking FreeRADIUS would fix the NAS, I meant it.  Your response should *not* be to poke the FreeRADIUS configuration in an attempt to "fix" the problem.

  Alan DeKok.
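
The collision discussed in this thread, as an added example that is not part of either message and is not FreeRADIUS code: it models the quoted `%{md5:...}` expression and an in-memory stand-in for radacct, then replays two sessions in which the NAS sends the same Acct-Session-Id, with and without the re-keying on stop that Oscar proposes. The NAS-IP-Address, NAS-Identifier and timestamps are constructed values, and `Radacct`, `retire_key` and `replay` are hypothetical names.

```python
import hashlib

def acct_unique_id(pkt):
    """Model of the quoted md5 expression; absent attributes expand to ''."""
    nas_addr = pkt.get("NAS-IPv6-Address") or pkt.get("NAS-IP-Address", "")
    fields = [pkt.get("User-Name", ""), pkt.get("Acct-Session-Id", ""), nas_addr,
              pkt.get("NAS-Identifier", ""), pkt.get("NAS-Port-Id", ""),
              str(pkt.get("NAS-Port", ""))]
    return hashlib.md5(",".join(fields).encode()).hexdigest()

def retire_key(unique_id, acctstoptime):
    """Proposal from the thread: closed rows get hash + stop timestamp."""
    return f"{unique_id}-{acctstoptime}"

class Radacct:
    """In-memory stand-in for a radacct table keyed on acctuniqueid."""
    def __init__(self, rekey_on_stop):
        self.rows, self.rekey_on_stop = {}, rekey_on_stop

    def start(self, pkt, ts):
        key = acct_unique_id(pkt)
        reused = key in self.rows          # an older session already owns this key
        self.rows[key] = {"start": ts, "stop": None}   # old row is overwritten
        return reused

    def stop(self, pkt, ts):
        key = acct_unique_id(pkt)
        row = self.rows.get(key)
        if row is None or row["stop"] is not None:
            return False                   # nothing open under this key
        row["stop"] = ts
        if self.rekey_on_stop:             # move the closed row out of the way
            self.rows[retire_key(key, ts)] = self.rows.pop(key)
        return True

# Attributes from the debug output above; NAS-IP-Address and NAS-Identifier
# are constructed, since the page does not show them.
PKT = {"User-Name": "SwB_3094873_ins_6971_30:07:4D:50:64:AA",
       "Acct-Session-Id": "80100000", "NAS-IP-Address": "192.0.2.1",
       "NAS-Identifier": "hs-example", "NAS-Port-Id": "bridge-hs",
       "NAS-Port": 2148532224}

def replay(rekey_on_stop):
    """Two sessions with identical attributes; returns (reused, rows kept)."""
    db = Radacct(rekey_on_stop)
    db.start(PKT, 1000); db.stop(PKT, 1600)       # first session, closed
    reused = db.start(PKT, 5000)                   # NAS repeats the session ID
    return reused, len(db.rows)

if __name__ == "__main__":
    print("default key:", replay(False), "re-keyed on stop:", replay(True))
```

Re-keying only protects rows that were actually closed; a session whose Stop was lost still holds the bare hash until a stale-session job closes and re-keys it.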

