Acct-Authentic in Accounting-On and Accounting-Off forms of Accounting-Request. Valid?
Nick Lowe
nick.lowe at gmail.com
Thu May 21 13:07:10 CEST 2015
Hi all,
I have been assisting Aerohive with an interop issue with Cisco's ACS
whereby that RADIUS server would drop/reject the Accounting-On and
Accounting-Off forms of Accounting-Request packets that Aerohive's APs
are sending, spamming the log with the following error:
"RADIUS packet contains invalid attribute(s)"
A quick look at this showed that they were including the
Acct-Terminate-Cause attribute in the Accounting-On and Accounting-Off
forms of Accounting-Request packet which, by spec, is strictly
invalid:
5.10. Acct-Terminate-Cause
Description
This attribute indicates how the session was terminated, and can
only be present in Accounting-Request records where the Acct-
Status-Type is set to Stop.
Aerohive have now fixed this in a forthcoming software update that
should resolve the interop issue.
>From reviewing that, I had a related question about the Acct-Authentic
attribute in Accounting-On and Accounting-Off.
Aerohive are presently including this too. Is this valid?
The spec says:
5.6. Acct-Authentic
Description
This attribute MAY be included in an Accounting-Request to
indicate how the user was authenticated, whether by RADIUS, the
NAS itself, or another remote authentication protocol. Users who
are delivered service without being authenticated SHOULD NOT
generate Accounting records.
>From my reading, it appears to only be semantically valid in the
context of a session and therefore it should not be present.
Other vendors, such as Ruckus, do however document that they include
this attribute in Accounting-On and Accounting-Off:
http://a030f85c1e25003d7609-b98377aee968aad08453374eb1df3398.r40.cf2.rackcdn.com/tech-briefs/tn-working-with-radius-attributes-and-accounting.pdf
(Ruckus also document that they are not including a Called-Station-Id
in their Accounting-On and Accounting-Off with the BSSID/SSID, scoping
instead to a SSID with a 'Ruckus-SSID' VSA, yuck!)
It appears to be a grey area therefore. Is there a legitimate purpose
to including this attribute here? Should it be removed from such
packets?
Cheers,
Nick
More information about the Freeradius-Users
mailing list