Acct-Authentic in Accounting-On and Accounting-Off forms of Accounting-Request. Valid?

Nick Lowe nick.lowe at gmail.com
Thu May 21 13:07:10 CEST 2015 

Hi all,

I have been assisting Aerohive with an interop issue with Cisco's ACS
whereby that RADIUS server would drop/reject the Accounting-On and
Accounting-Off forms of Accounting-Request packets that Aerohive's APs
are sending, spamming the log with the following error:
"RADIUS packet contains invalid attribute(s)"

A quick look at this showed that they were including the
Acct-Terminate-Cause attribute in the Accounting-On and Accounting-Off
forms of Accounting-Request packet which, by spec, is strictly
invalid:

5.10.  Acct-Terminate-Cause
   Description
      This attribute indicates how the session was terminated, and can
      only be present in Accounting-Request records where the Acct-
      Status-Type is set to Stop.

Aerohive have now fixed this in a forthcoming software update that
should resolve the interop issue.

>From reviewing that, I had a related question about the Acct-Authentic
attribute in Accounting-On and Accounting-Off.

Aerohive are presently including this too. Is this valid?

The spec says:

5.6.  Acct-Authentic
   Description
      This attribute MAY be included in an Accounting-Request to
      indicate how the user was authenticated, whether by RADIUS, the
      NAS itself, or another remote authentication protocol.  Users who
      are delivered service without being authenticated SHOULD NOT
      generate Accounting records.

>From my reading, it appears to only be semantically valid in the
context of a session and therefore it should not be present.

Other vendors, such as Ruckus, do however document that they include
this attribute in Accounting-On and Accounting-Off:

http://a030f85c1e25003d7609-b98377aee968aad08453374eb1df3398.r40.cf2.rackcdn.com/tech-briefs/tn-working-with-radius-attributes-and-accounting.pdf

(Ruckus also document that they are not including a Called-Station-Id
in their Accounting-On and Accounting-Off with the BSSID/SSID, scoping
instead to a SSID with a 'Ruckus-SSID' VSA, yuck!)

It appears to be a grey area therefore. Is there a legitimate purpose
to including this attribute here? Should it be removed from such
packets?

Cheers,

Nick

More information about the Freeradius-Users mailing list