Acct-Authentic in Accounting-On and Accounting-Off forms of Accounting-Request. Valid?
Alan DeKok
aland at deployingradius.com
Thu May 21 16:17:35 CEST 2015
On May 21, 2015, at 7:07 AM, Nick Lowe <nick.lowe at gmail.com> wrote:
> I have been assisting Aerohive with an interop issue with Cisco's ACS
> whereby that RADIUS server would drop/reject the Accounting-On and
> Accounting-Off forms of Accounting-Request packets that Aerohive's APs
> are sending, spamming the log with the following error:
> "RADIUS packet contains invalid attribute(s)"
I'll have to bug my contacts at Aerohive... they should know better.
> A quick look at this showed that they were including the
> Acct-Terminate-Cause attribute in the Accounting-On and Accounting-Off
> forms of Accounting-Request packet which, by spec, is strictly
> invalid:
It's dumb, but a (cough) sane RADIUS server won't blow up when it receives that kind of "invalid" packet.
> Aerohive have now fixed this in a forthcoming software update that
> should resolve the interop issue.
There's a list of other dumb things they do. I'll push them.
> From reviewing that, I had a related question about the Acct-Authentic
> attribute in Accounting-On and Accounting-Off.
>
> Aerohive are presently including this too. Is this valid?
It makes no sense. It's an attribute which describes a session. It has no meaning for "on" or "off" packets.
> From my reading, it appears to only be semantically valid in the
> context of a session and therefore it should not be present.
Yes.
> Other vendors, such as Ruckus, do however document that they include
> this attribute in Accounting-On and Accounting-Off:
>
> http://a030f85c1e25003d7609-b98377aee968aad08453374eb1df3398.r40.cf2.rackcdn.com/tech-briefs/tn-working-with-radius-attributes-and-accounting.pdf
That's dumb. It's not forbidden by the spec, because the spec authors don't think anyone would be dumb enough to do it.
> (Ruckus also document that they are not including a Called-Station-Id
> in their Accounting-On and Accounting-Off with the BSSID/SSID, scoping
> instead to a SSID with a 'Ruckus-SSID' VSA, yuck!)
Huh? There's no reason to include Called-Station-Id with Accounting-On or Accounting
> It appears to be a grey area therefore. Is there a legitimate purpose
> to including this attribute here? Should it be removed from such
> packets?
>
> Cheers,
>
> Nick
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users mailing list
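The lenient handling discussed in this thread, as an added example that is not part of the original message and is not FreeRADIUS or ACS code: it parses an Accounting-Request, and for the Accounting-On and Accounting-Off forms it reports session-scoped attributes as warnings instead of dropping the packet. The function names and the sample packet are constructed for illustration, attribute numbers are those of RFC 2866, and Request Authenticator validation against the shared secret is assumed to happen elsewhere.

```python
import struct

ACCOUNTING_REQUEST = 4                  # RADIUS packet code (RFC 2866)
ACCT_STATUS_TYPE = 40                   # attribute numbers from RFC 2866
ACCT_AUTHENTIC = 45
ACCT_TERMINATE_CAUSE = 49
ACCOUNTING_ON, ACCOUNTING_OFF = 7, 8    # Acct-Status-Type values

# Session-describing attributes and how the thread characterises them in On/Off packets.
SESSION_SCOPED = {
    ACCT_TERMINATE_CAUSE: ("Acct-Terminate-Cause", "invalid"),
    ACCT_AUTHENTIC: ("Acct-Authentic", "meaningless"),
}

def parse_attributes(packet: bytes):
    """Return (code, [(type, value)]) for a RADIUS packet; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def check_on_off(packet: bytes):
    """Warnings for session attributes in Accounting-On/Off; the packet is still accepted."""
    code, attrs = parse_attributes(packet)
    status = [int.from_bytes(v, "big") for t, v in attrs if t == ACCT_STATUS_TYPE and len(v) == 4]
    if code != ACCOUNTING_REQUEST or not status or status[0] not in (ACCOUNTING_ON, ACCOUNTING_OFF):
        return []
    return [SESSION_SCOPED[t] for t, _ in attrs if t in SESSION_SCOPED]

def build(attrs):
    """Constructed sample packet: zeroed authenticator, integer-valued attributes only."""
    body = b"".join(struct.pack("!BBI", t, 6, v) for t, v in attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    sample = build([(ACCT_STATUS_TYPE, ACCOUNTING_ON), (ACCT_AUTHENTIC, 1), (ACCT_TERMINATE_CAUSE, 11)])
    for name, verdict in check_on_off(sample):
        print(f"warning: {name} in Accounting-On/Off ({verdict})")
```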