Hi all, I have been assisting Aerohive with an interop issue with Cisco's ACS whereby that RADIUS server would drop/reject the Accounting-On and Accounting-Off forms of Accounting-Request packets that Aerohive's APs are sending, spamming the log with the following error: "RADIUS packet contains invalid attribute(s)" A quick look at this showed that they were including the Acct-Terminate-Cause attribute in the Accounting-On and Accounting-Off forms of Accounting-Request packet which, by spec, is strictly invalid: 5.10. Acct-Terminate-Cause Description This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct- Status-Type is set to Stop. Aerohive have now fixed this in a forthcoming software update that should resolve the interop issue.
From reviewing that, I had a related question about the Acct-Authentic attribute in Accounting-On and Accounting-Off.
Aerohive are presently including this too. Is this valid? The spec says: 5.6. Acct-Authentic Description This attribute MAY be included in an Accounting-Request to indicate how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. Users who are delivered service without being authenticated SHOULD NOT generate Accounting records.
From my reading, it appears to only be semantically valid in the context of a session and therefore it should not be present.
Other vendors, such as Ruckus, do however document that they include this attribute in Accounting-On and Accounting-Off: http://a030f85c1e25003d7609-b98377aee968aad08453374eb1df3398.r40.cf2.rackcdn... (Ruckus also document that they are not including a Called-Station-Id in their Accounting-On and Accounting-Off with the BSSID/SSID, scoping instead to a SSID with a 'Ruckus-SSID' VSA, yuck!) It appears to be a grey area therefore. Is there a legitimate purpose to including this attribute here? Should it be removed from such packets? Cheers, Nick