Acct-Authentic in Accounting-On and Accounting-Off forms of Accounting-Request. Valid?

Alan DeKok aland at
Thu May 21 15:02:51 CEST 2015

On May 21, 2015, at 7:07 AM, Nick Lowe <nick.lowe at> wrote:
> I have been assisting Aerohive with an interop issue with Cisco's ACS
> whereby that RADIUS server would drop/reject the Accounting-On and
> Accounting-Off forms of Accounting-Request packets that Aerohive's APs
> are sending, spamming the log with the following error:
> "RADIUS packet contains invalid attribute(s)"

  I'll have to bug my contacts at Aerohive... they should know better.

> A quick look at this showed that they were including the
> Acct-Terminate-Cause attribute in the Accounting-On and Accounting-Off
> forms of Accounting-Request packet which, by spec, is strictly
> invalid:

  It's dumb, but a (cough) sane RADIUS server won't blow up when it receives that kind of "invalid" packet.

> Aerohive have now fixed this in a forthcoming software update that
> should resolve the interop issue.

  There's a list of other dumb things they do.  I'll push them.

> From reviewing that, I had a related question about the Acct-Authentic
> attribute in Accounting-On and Accounting-Off.
> Aerohive are presently including this too. Is this valid?

  It makes no sense.  It's an attribute which describes a session.  It has no meaning for "on" or "off" packets.

> From my reading, it appears to only be semantically valid in the
> context of a session and therefore it should not be present.


> Other vendors, such as Ruckus, do however document that they include
> this attribute in Accounting-On and Accounting-Off:

  That's dumb.  It's not forbidden by the spec, because the spec authors don't think anyone would be dumb enough to do it.

> (Ruckus also document that they are not including a Called-Station-Id
> in their Accounting-On and Accounting-Off with the BSSID/SSID, scoping
> instead to a SSID with a 'Ruckus-SSID' VSA, yuck!)

  Huh?  There's no reason to include Called-Station-Id with Accounting-On or Accounting-Off.  It's stupid.

> It appears to be a grey area therefore. Is there a legitimate purpose
> to including this attribute here? Should it be removed from such
> packets?

  They shouldn't be in the packets.

  Point your Aerohive contact to me.  I'll set them straight.

  Alan DeKok.

More information about the Freeradius-Users mailing list