Acct-Authentic in Accounting-On and Accounting-Off forms of Accounting-Request. Valid?

Alan DeKok aland at deployingradius.com
Thu May 21 16:17:35 CEST 2015


On May 21, 2015, at 7:07 AM, Nick Lowe <nick.lowe at gmail.com> wrote:
> I have been assisting Aerohive with an interop issue with Cisco's ACS
> whereby that RADIUS server would drop/reject the Accounting-On and
> Accounting-Off forms of Accounting-Request packets that Aerohive's APs
> are sending, spamming the log with the following error:
> "RADIUS packet contains invalid attribute(s)"

  I'll have to bug my contacts at Aerohive... they should know better.

> A quick look at this showed that they were including the
> Acct-Terminate-Cause attribute in the Accounting-On and Accounting-Off
> forms of Accounting-Request packet which, by spec, is strictly
> invalid:

  It's dumb, but a (cough) sane RADIUS server won't blow up when it receives that kind of "invalid" packet.

> Aerohive have now fixed this in a forthcoming software update that
> should resolve the interop issue.

  There's a list of other dumb things they do.  I'll push them.

> From reviewing that, I had a related question about the Acct-Authentic
> attribute in Accounting-On and Accounting-Off.
> 
> Aerohive are presently including this too. Is this valid?

  It makes no sense.  It's an attribute which describes a session.  It has no meaning for "on" or "off" packets.

> From my reading, it appears to only be semantically valid in the
> context of a session and therefore it should not be present.

  Yes.

> Other vendors, such as Ruckus, do however document that they include
> this attribute in Accounting-On and Accounting-Off:
> 
> http://a030f85c1e25003d7609-b98377aee968aad08453374eb1df3398.r40.cf2.rackcdn.com/tech-briefs/tn-working-with-radius-attributes-and-accounting.pdf

  That's dumb.  It's not forbidden by the spec, because the spec authors don't think anyone would be dumb enough to do it.

> (Ruckus also document that they are not including a Called-Station-Id
> in their Accounting-On and Accounting-Off with the BSSID/SSID, scoping
> instead to a SSID with a 'Ruckus-SSID' VSA, yuck!)

  Huh?  There's no reason to include Called-Station-Id with Accounting-On or Accounting

> It appears to be a grey area therefore. Is there a legitimate purpose
> to including this attribute here? Should it be removed from such
> packets?
> 
> Cheers,
> 
> Nick
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list