Hash username or mac address to assign user to different vlan
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 18 16:30:37 CET 2011
>
> Yep, I was referring to the entries I see in my logs for
> "Interim-Update", which is of course an Accounting record, and I had
> always assumed this went with an Auth as well, but have never looked
> in detail to see! So I am most likely talking rubbish!
No, that's accounting, which is completely different to authentication.
You don't normally return *anything* in accounting - just an "ok,
message received" to stop the retransmit logic.
The packet flow for a wireless client normally looks something like this:
ap/controller: access-request
radius server: access-challenge
...repeated a few times to complete EAP & EAP-inner
ap/controller: access-request
radius server: access-accept w/ VLANs
This is the "authentication". You then get:
ap/controller: accounting-request Acct-Status-Type=Start
radius server: accounting-response
# then every Acct-Interim-Interval
ap/controller: accounting-request Acct-Status-Type=Interim-Update
radius server: accounting-response
# You might have 0, 1 or more repeats of the authentication phase here,
depending on how your wireless re-auth settings are. This may or may not
stop/re-start the accounting session
# then when the client disconnects
ap/controller: accounting-request Acct-Status-Type=Stop
radius server: accounting-response
More information about the Freeradius-Users
mailing list