duplicate acctsessionid when connecting to ocserv

Mehrzad Jalali mehrzadjalali at yahoo.com
Fri Jan 3 02:27:19 CET 2020


 Many thanks, problem temporarily solved. I send this email to the NAS vendor.
    On Thursday, January 2, 2020, 10:27:02 PM GMT+3:30, Alan DeKok <aland at deployingradius.com> wrote:  
 
 

> On Jan 1, 2020, at 11:23 PM, Mehrzad Jalali via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> in my vps centos 7 with ocserv 12.5 and freeradius 3.0.5

  As Jorge said, 3.0.5 is many years out of date.  You should upgrade.

> standard installation, when I connect from client to server 2 database records are created with the same "acctsessionid"

  The NAS sends Acct-Session-Id.  FreeRADIUS just writes the records to the DB.  So if there are two records being created, it's because the NAS is sending wrong / changing information.

> and in daloradius I see 2 connections with the same user id, but when I disconnect, 1 of the records terminates and clears from the daloradius online users but the other doesn't, and if I limit Simultaneous-Use := 1 or 2, after that I can't connect until I manually delete that session from the online users. Please help if possible.
> 
> 
> ### radiusd -X output for connect
> ...
> (1) Received Accounting-Request Id 195 from 127.0.0.1:56449 to 127.0.0.1:1813 length 152
> (1) Acct-Status-Type = Start
> (1) Connect-Info = "AnyConnect Windows 4.8.01090"
> (1) User-Name = "0001"
> (1) Service-Type = Framed-User
> (1) Framed-Protocol = PPP
> (1) Calling-Station-Id = "185.131.136.61"
> (1) Acct-Session-Id = "YokGL5neiA2JyiM49N9Bytg0hYk="
> (1) Acct-Authentic = RADIUS
> (1) NAS-Port = 2565
> (1) Acct-Delay-Time = 0
> (1) NAS-IP-Address = 127.0.0.1
> (1) NAS-Identifier = "ocserv"

  All that information is sent by the NAS.

> (1) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
> (1) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('YokGL5neiA2JyiM49N9Bytg0hYk=3D', '440bf34dbf28bc1cb53423b82d8bad65', '0001', '', '127.0.0.1', '2565', '', FROM_UNIXTIME(1577832814), FROM_UNIXTIME(1577832814), NULL, '0', 'RADIUS', 'AnyConnect Windows 4.8.01090', '', '0', '0', '', '185.131.136.61', '', 'Framed-User', 'PPP', '')
> (1) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('YokGL5neiA2JyiM49N9Bytg0hYk=3D', '440bf34dbf28bc1cb53423b82d8bad65', '0001', '', '127.0.0.1', '2565', '', FROM_UNIXTIME(1577832814), FROM_UNIXTIME(1577832814), NULL, '0', 'RADIUS', 'AnyConnect Windows 4.8.01090', '', '0', '0', '', '185.131.136.61', '', 'Framed-User', 'PPP', '')
> (1) sql: SQL query returned: success
> (1) sql: 1 record(s) updated

  That's good.  The SQL module wrote a record to the DB.

> (2) Received Accounting-Request Id 32 from 127.0.0.1:36675 to 127.0.0.1:1813 length 152
> (2) Acct-Status-Type = Interim-Update
> (2) User-Name = "0001"
> (2) Service-Type = Framed-User
> (2) Framed-Protocol = PPP
> (2) Framed-IP-Address = 10.10.1.186
> (2) Calling-Station-Id = "185.131.136.61"
> (2) Acct-Session-Id = "YokGL5neiA2JyiM49N9Bytg0hYk="
> (2) Acct-Authentic = RADIUS
> (2) Acct-Input-Octets = 0
> (2) Acct-Output-Octets = 0
> (2) Acct-Input-Gigawords = 0
> (2) Acct-Output-Gigawords = 0
> (2) NAS-Port = 2575

  The NAS-Port has changed.  Why?  It's not supposed to change.

  The short answer is that this is the problem.  Your NAS is garbage, and isn't following the standards and best practices.  Submit a bug report to the NAS vendor, asking them to fix this issue.

  ...

> (2) update request {
> (2) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
> (2) --> 2f664aa021eff0bd90754442f6900278
> (2) &Acct-Unique-Session-Id := 2f664aa021eff0bd90754442f6900278

  Since the NAS port has changed, the Acct-Unique-Session-Id has changed.  And therefore the server thinks that the two accounting packets are for two different sessions.

  The simplest way to fix this is to remove the %{NAS-Port} from the Acct-Unique-Session-Id calculation.  Edit raddb/policy.d/accounting.  Look for:

            &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"

  and change that line to:

            &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID}}"
  
  It should then work.
 
  Alan DeKok.
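
Added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of why a changing NAS-Port leaves an open radacct row that blocks Simultaneous-Use, and why dropping %{NAS-Port} from the hash fixes it. The comma-joined hash input, the row model and the Stop packet are assumptions; the digests are not claimed to match the ones in the debug output.

```python
import hashlib

# Field lists taken from the two policy.d/accounting lines quoted above.
WITH_PORT = ["User-Name", "Acct-Session-Id", "NAS-IP-Address",
             "NAS-Identifier", "NAS-Port-ID", "NAS-Port"]
WITHOUT_PORT = WITH_PORT[:-1]

def unique_id(pkt, fields):
    # Assumption: absent attributes expand to "" and the values are
    # joined with commas before hashing, as the policy line reads.
    joined = ",".join(str(pkt.get(f, "")) for f in fields)
    return hashlib.md5(joined.encode()).hexdigest()

def replay(packets, fields):
    """Simplified radacct: one row per Acct-Unique-Session-Id."""
    rows = {}
    for pkt in packets:
        key = unique_id(pkt, fields)
        # A packet with an unknown key creates a new row (hypothetical model).
        row = rows.setdefault(key, {"user": pkt["User-Name"], "open": True})
        if pkt["Acct-Status-Type"] == "Stop":
            row["open"] = False
    return rows

def open_sessions(rows, user):
    # What a Simultaneous-Use check would count as still online.
    return sum(1 for r in rows.values() if r["user"] == user and r["open"])

# Attribute values copied from the debug output in the thread.
BASE = {"User-Name": "0001",
        "Acct-Session-Id": "YokGL5neiA2JyiM49N9Bytg0hYk=",
        "NAS-IP-Address": "127.0.0.1", "NAS-Identifier": "ocserv"}
PACKETS = [
    dict(BASE, **{"Acct-Status-Type": "Start", "NAS-Port": 2565}),
    dict(BASE, **{"Acct-Status-Type": "Interim-Update", "NAS-Port": 2575}),
    # Constructed: the thread does not show the Stop packet.
    dict(BASE, **{"Acct-Status-Type": "Stop", "NAS-Port": 2575}),
]

if __name__ == "__main__":
    for name, fields in (("with NAS-Port", WITH_PORT),
                         ("without NAS-Port", WITHOUT_PORT)):
        rows = replay(PACKETS, fields)
        print(name, "rows:", len(rows),
              "still open:", open_sessions(rows, "0001"))
```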

