Acct-Authentic & changing usernames
Phil Mayers
p.mayers at imperial.ac.uk
Wed Feb 13 19:24:50 CET 2008
We're bringing a Cisco (formerly Airespace) lightweight wireless system
online, and I'm seeing some odd things in the accounting.
Specifically, the usernames can change in the accounting packets. This
causes the default SQL queries (at least, the ones for Postgres under
1.1.7) to generate duplicate entries for the session, because the
"where" clause includes the username.
For example, I might see this:
User-Name = "unknown"
NAS-Port = 29
NAS-IP-Address = 172.16.x.x
Framed-IP-Address = 192.168.x.x
NAS-Identifier = "wlan-wism-1-1"
Airespace-Wlan-Id = 2
Acct-Session-Id = "47b3193c/00:aa:bb:cc:dd:ee/5746"
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "3602"
Acct-Status-Type = Start
Calling-Station-Id = "00:aa:bb:cc:dd:ee"
Called-Station-Id = "00:1b:d5:08:01:00"
...then a few seconds later
User-Name = "THEUSER"
NAS-Port = 29
NAS-IP-Address = 172.16.x.x
Framed-IP-Address = 192.168.x.x
NAS-Identifier = "wlan-wism-1-1"
Airespace-Wlan-Id = 2
Acct-Session-Id = "47b3193c/00:aa:bb:cc:dd:ee/5746"
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "3602"
Acct-Status-Type = Interim-Update
Acct-Input-Octets = 105078
Acct-Output-Octets = 72551
Acct-Input-Packets = 754
Acct-Output-Packets = 300
Acct-Session-Time = 74
Acct-Delay-Time = 0
Calling-Station-Id = "00:aa:bb:cc:dd:ee"
Called-Station-Id = "00:1b:d5:08:01:00"
If the user is on e.g. a Windows XP laptop and logs out, I might finally
see:
User-Name = "host/thelaptop.domain.com"
NAS-Port = 29
NAS-IP-Address = 172.16.x.x
Framed-IP-Address = 192.168.x.x
NAS-Identifier = "wlan-wism-1-1"
Airespace-Wlan-Id = 2
Acct-Session-Id = "47b3193c/00:aa:bb:cc:dd:ee/5746"
Acct-Authentic = Remote
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "3602"
Acct-Status-Type = Stop
Acct-Input-Octets = 1852445
Acct-Output-Octets = 5401691
Acct-Input-Packets = 17608
Acct-Output-Packets = 8630
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 30517
Acct-Delay-Time = 0
Calling-Station-Id = "00:aa:bb:cc:dd:ee"
Called-Station-Id = "00:1b:d5:08:01:00"
It seems the NAS is having a changing view of the authentication
username as various events take place, presumably at the EAPOL layer.
However, it seems to consistently set Acct-Authentic to RADIUS for "real"
usernames, and "Remote" for unknown or non-authenticated usernames, so
it sort of "knows" this is happening.
Now the Cisco WLC (née Airespace) is a weird bit of kit anyway; it sort
of "holds onto" client sessions in case they come back shortly (not
unusual for wireless), but I'm wondering if this behaviour is legal, sane
or what?
I can probably fix our SQL queries, but I thought people might be
interested; for interest, what was the original rationale behind the
where clause in the default SQL queries:
where username='%{SQL-User-Name}'
??
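The duplicate-row effect the post describes, as an added example that is not part of the original message or of FreeRADIUS itself: a small sqlite3 model of the sql module's accounting UPDATE-then-INSERT flow, run over the three packets above with and without UserName in the WHERE clause. The query shapes are a simplified assumption about the stock 1.1.7 SQL configuration, and the rule "adopt the username when Acct-Authentic = RADIUS" is a suggested fix derived from the post's observation, not the project's code.

```python
import sqlite3

SID, NAS = "47b3193c/00:aa:bb:cc:dd:ee/5746", "172.16.x.x"
# The three accounting packets from the post, reduced to the fields the
# queries use (the masked "x.x" address is kept as a literal string).
PACKETS = [
    {"status": "Start", "user": "unknown", "authentic": "Remote", "octets": 0},
    {"status": "Interim-Update", "user": "THEUSER", "authentic": "RADIUS", "octets": 72551},
    {"status": "Stop", "user": "host/thelaptop.domain.com", "authentic": "Remote", "octets": 5401691},
]


def run_accounting(packets, username_in_where):
    """Simplified model (an assumption about the stock 1.1.7 queries) of the sql
    module's accounting flow: Start inserts a row; Interim-Update and Stop run an
    UPDATE keyed on the session and fall back to an INSERT (the *_alt query) when
    no row matched. username_in_where selects whether UserName is part of the key.
    Returns the radacct rows as (username, acctoutputoctets, stopped)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (acctsessionid TEXT, username TEXT, "
               "nasipaddress TEXT, acctoutputoctets INTEGER, stopped INTEGER)")
    where = "acctsessionid=? AND nasipaddress=?"
    if username_in_where:
        where += " AND username=?"
    for p in packets:
        stopped = 1 if p["status"] == "Stop" else 0
        key = [SID, NAS] + ([p["user"]] if username_in_where else [])
        if p["status"] != "Start":
            # Fixed variant only: also adopt the username the NAS marks as
            # authenticated via RADIUS, since the post shows that is the "real" one.
            set_user = "" if username_in_where or p["authentic"] != "RADIUS" else ", username=?"
            params = [p["octets"], stopped] + ([p["user"]] if set_user else []) + key
            cur = db.execute(f"UPDATE radacct SET acctoutputoctets=?, stopped=?{set_user} "
                             f"WHERE {where}", params)
            if cur.rowcount:
                continue
        # Start, or the fallback insert because the UPDATE matched no row
        db.execute("INSERT INTO radacct VALUES (?,?,?,?,?)",
                   (SID, p["user"], NAS, p["octets"], stopped))
    return db.execute("SELECT username, acctoutputoctets, stopped FROM radacct "
                      "ORDER BY rowid").fetchall()


if __name__ == "__main__":
    print("default WHERE:", run_accounting(PACKETS, True))   # three rows for one session
    print("fixed WHERE:  ", run_accounting(PACKETS, False))  # one row, username THEUSER
```

With UserName in the key, each renamed packet misses the existing row and the alternate insert creates a new one, so a single session ends up as three rows, one of them never closed; keying on Acct-Session-Id and NAS-IP-Address alone keeps one row that the Stop packet closes.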