Status counters

Alan DeKok aland at deployingradius.com
Sun Dec 21 07:44:53 CET 2008


Anders Holm wrote:
> Heh. I sure did. Though, I'm thinking slightly differently I suppose..
> "How can something be accepted which has not been requested?".

  That is the definition of how Status-Server works.  This definition
goes back to 1996 in a number of RADIUS servers.  It is now being
standardized:

  http://tools.ietf.org/html/draft-ietf-radext-status-server-03

 Which was written by... me.

> And I
> understand why the Accepts increment. I just don't understand why the
> Requests aren't, as that's how I'd look at a query to get the Status, a
> Request which specifically is an Access-Request to get Status-Server
> data returned. At least, that is my view.

  Are you being deliberately obtuse?  Or just deliberately difficult?

   a) There is a counter for Access-Requests
   b) There is a counter for Access-Accepts
   c) The response to Status-Server is Access-Accept

  That's how it works.  3 simple rules that anyone should be able to
understand.  There is no counter for Status-Server, and the
"Access-Request" counter is not incremented when a "Status-Server"
packet is received.

  Why?  Because Status-Server packets aren't Access-Request packets!
They're spelled differently!  And *pronounced* differently!

> Considering I'm using exactly what the example from the Wiki tells me,
> there is an Authentication, so logically, I'm asking for Access.
> 
> "# echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1" | \"

  Now you are being *deliberately* misleading.  The next line that you
*conveniently* didn't quote is:

	radclient localhost:18120 status adminsecret

  See the "status" word?  The "radclient" documentation says that this
means "send Status-Server".

  And nothing is being authenticated.  No user, no machine, nothing.
Nothing is asking for access.

> So, Access-Accepts I got no problem with. That stacks up. Requests and
> Rejects is what I'm curious about. If my shared secret is wrong for
> example, doesn't that get counted as an Access-Reject, or doesn't it get
> counted at all?

  This is a fascinating discussion in how a simple example can be twisted
into something unrecognizable.

  The RADIUS *packet* is being signed.  No RADIUS *users* are being
authenticated.  And the response to a Status-Server is *never*
Access-Reject.

  Go read my draft.  If you don't understand it, read it again.  If you
still don't understand it, ask someone *else* about it.

>>  There is only one Status-Server packet.  I don't know what you mean by
>> "Status-*"
> 
> If one separates the Requests versus Accepts and Rejects, I'd see 3 ..
> If one follows the set examples for other counters anyway.

  Nonsense.  This confusion happens only because you fail to comprehend
the 3 simple rules I posted above.  Instead, you are working valiantly
to come up with a tortured explanation based on a near-total
misunderstanding.

> Sure. In your own scenario you're considering several clients. On disk
> isn't good enough either. Losing a disk also means losing data.

  You only have one disk?  You must be terribly poor.

  Alan DeKok.
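
The counting rules and the packet signing discussed in the message above, as an added Python sketch that is not part of the original e-mail and is not FreeRADIUS code. The `handle` function and the counter names are hypothetical, and dropping a badly signed packet without a reply is an assumption taken from RFC 2869's rule for an invalid Message-Authenticator.

```python
import hashlib, hmac, os, struct

# RADIUS packet codes: Access-Request and Access-Accept (RFC 2865), Status-Server
ACCESS_REQUEST, ACCESS_ACCEPT, STATUS_SERVER = 1, 2, 12
MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869), 16-octet HMAC-MD5 value


def build_status_server(secret: bytes, ident: int = 1) -> bytes:
    """Build a Status-Server packet whose only attribute is Message-Authenticator."""
    authenticator = os.urandom(16)
    attr = bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16  # zeroed while signing
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + len(attr))
    unsigned = header + authenticator + attr
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac


def signature_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 over the packet with the field zeroed and compare."""
    # Assumes Message-Authenticator is the last attribute, as built above.
    if len(packet) < 38 or packet[-18] != MESSAGE_AUTHENTICATOR or packet[-17] != 18:
        return False
    zeroed = packet[:-16] + b"\x00" * 16
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])


def handle(packet: bytes, secret: bytes, counters: dict):
    """Hypothetical server loop body: returns the reply code, or None if no reply."""
    code = packet[0]
    if code == STATUS_SERVER:
        if not signature_ok(packet, secret):
            # Assumption (RFC 2869): discard silently, never send Access-Reject.
            return None
        counters["Access-Accept"] += 1   # rule (c); there is no Status-Server counter
        return ACCESS_ACCEPT
    if code == ACCESS_REQUEST:
        counters["Access-Request"] += 1  # rule (a): only code 1 increments this
    return None  # user authentication is outside this sketch
```

A packet signed with the wrong shared secret fails the packet-level check before any counter is touched, so it shows up in none of the three counters.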


