racct and radpostauth
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Sep 9 15:18:06 CEST 2011
On 9 Sep 2011, at 14:23, Bjørn Mork wrote:
> Arran Cudbard-Bell <a.cudbardb at freeradius.org> writes:
>
>> As Alan says your NAS won't generate Accounting-Requests if the RADIUS
>> server rejects the user (unless it's very broken).
>
> Why would that be broken?
>
> Yes, I do see that you can trigger RADIUS accounting traffic without
> authenticating, but the additional load (both for NAS and RADIUS server)
> is probably negligible compared to the failed authentication anyway.
>
> Some NASes will let you configure acct stop on reject. See e.g.
> http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/configuration-statement/accounting-stop-on-access-deny-802-1x.html
>
>

RFC 2866:

   When a client is configured to use RADIUS Accounting, at the start of
   service delivery it will generate an Accounting Start packet
   describing the type of service being delivered and the user it is
   being delivered to, and will send that to the RADIUS Accounting
   server, which will send back an acknowledgement that the packet has
   been received. At the end of service delivery the client will
   generate an Accounting Stop packet describing the type of service
   that was delivered and optionally statistics such as elapsed time,
   input and output octets, or input and output packets. It will send
   that to the RADIUS Accounting server, which will send back an
   acknowledgement that the packet has been received.

The NAS never provides a service so it should not be sending any accounting packets. Just because people demanded it and the vendor caved, it doesn't mean it's correct or compliant.

-Arran
Arran Cudbard-Bell
a.cudbardb at freeradius.org
RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.
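
The Start/Stop lifecycle quoted from RFC 2866 above can be checked against server-side records. The following is an added example, not part of the original post or of FreeRADIUS: it flags Accounting Stop records that have no matching Start, including those that follow an Access-Reject. The `Event` fields, the reason labels, the sample events and the correlation of auth results to accounting by user name are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: int            # timestamp in seconds (constructed)
    kind: str          # "Access-Accept", "Access-Reject", "Acct-Start", "Acct-Stop"
    user: str          # User-Name
    session: str = ""  # Acct-Session-Id, empty for authentication packets

def audit(events):
    """Return (session, reason) for accounting outside the RFC 2866 Start/Stop lifecycle."""
    last_auth = {}   # user -> most recent authentication result
    started = set()  # sessions for which a Start has been seen
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in ("Access-Accept", "Access-Reject"):
            last_auth[ev.user] = ev.kind
        elif ev.kind == "Acct-Start":
            # Service delivery should only begin after an accept.
            if last_auth.get(ev.user) != "Access-Accept":
                findings.append((ev.session, "start-without-accept"))
            started.add(ev.session)
        elif ev.kind == "Acct-Stop":
            if ev.session not in started:
                # No service was recorded as started for this session.
                if last_auth.get(ev.user) == "Access-Reject":
                    findings.append((ev.session, "stop-after-reject"))
                else:
                    findings.append((ev.session, "stop-without-start"))
            started.discard(ev.session)
    return findings

# Constructed sample events, not taken from any real server.
SAMPLE = [
    Event(100, "Access-Accept", "alice"),
    Event(101, "Acct-Start", "alice", "s1"),
    Event(200, "Acct-Stop", "alice", "s1"),
    Event(300, "Access-Reject", "bob"),
    Event(301, "Acct-Stop", "bob", "s2"),    # NAS sends a Stop after a reject
    Event(400, "Acct-Stop", "carol", "s3"),  # Stop with no Start and no auth seen
]

if __name__ == "__main__":
    for session, reason in audit(SAMPLE):
        print(session, reason)
```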