IP-Address
Alan DeKok
aland at deployingradius.com
Wed Mar 26 17:22:46 CET 2014
Nick Lowe wrote:
> Pragmatically, you cannot treat the Acct-Session-Id as being unique
> for a session in real world vendor heterogeneous environments, it is
> guaranteed to be unique only on a per-NAS basis and there is a
> theoretical risk of collision between vendors where they use a similar
> method of construction. I could not see any advice on its construction
> in the RADIUS RFCs?
The RFCs are silent on a wide variety of topics. :(
> The Acct-Multi-Session-Id was meant to, and does,
> solve this surely?
Nope. Acct-Multi-Session-Id handles IDs for multiple sessions. What
does that mean? No one knows... the IETF RADIUS working group has had
discussion on that topic, with no resolution.
> As some NASes will perform a fresh authentication and authorization
> exchange yet conceptually the user still has the same 'connection',
No. Every re-auth is a new connection. Always. Anything else is
madness.
> I
> have supported roaming only where an Acct-Multi-Session-Id value is
> present and shouted at vendors where one has been missing and not used
> the Class attribute for this purpose.
Acct-Multi-Session-Id has no well-defined meaning. Most NASes don't
support it.
>> Such NASes are unfortunately broken. They don't implement the RADIUS
>> specs correctly. Sadly... there are many, many, NASes which don't
>> implement RADIUS.
>
> Should we make more of a concerted effort to call them out and open
> support cases over this?
Absolutely. I'd like to have Wiki pages saying "vendor X product Y
firmware Z is broken". But much as people complain about docs, 1/100
people will update them.
> Sure! Which NASes are you aware of that support the CUI attribute?
WiMAX ones.
Alan DeKok.
More information about the Freeradius-Users
mailing list