Dropping NAS-Port AVP from Acct-Unique-Session-Id by default
Nick Lowe
nick.lowe at gmail.com
Fri Sep 18 12:43:24 CEST 2015
Food for thought....
What is the expected behaviour with Class attributes in accounting
when 802.1X re-authentication occurs?
The client's association/connection is not terminated, so, should we
expect to see a Stop and a Start for the session? With many NASes I
have empirically observed that we do not see this. In my opinion, we
should not.
In the case that accounting for the session carries on without a Stop
and a Start, should then a NAS update the value of the Class
attribute(s) that it accounts with based on new value(s) returned in
the Access-Accept? In my opinion, yes, it should.
I am not convinced, therefore, that the Class attribute should ever be
used as part of a unique session key.
A unique session key redoes what the Acct-Session-Id should be doing
in the first place because of NAS deficiencies.
My thoughts are that the default behaviour in FreeRADIUS should always be:
&Acct-Unique-Session-Id :=
"%{md5:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier}}"
I also should have mentioned before that the NAS-Port-Id should be
dropped too in addition to the NAS-Port.
Thoughts?
Nick
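
An added illustration of the argument in this message (not part of the original post and not FreeRADIUS code): a Python re-implementation of the proposed key over constructed accounting packets, showing that a session whose Class changes at re-authentication stays under one key with the proposed expression and splits in two if Class is hashed as well. The `WITH_CLASS` variant, the `NAS-Address` placeholder name and all sample values are assumptions made for the example.

```python
import hashlib

# Attribute order from the expression proposed in the post; "NAS-Address" is a
# placeholder name for the %{%{NAS-IPv6-Address}:-%{NAS-IP-Address}} fallback.
PROPOSED_KEY = ["User-Name", "Acct-Multi-Session-Id", "Acct-Session-Id",
                "NAS-Address", "NAS-Identifier"]
# Hypothetical variant that also hashes Class, for comparison only.
WITH_CLASS = PROPOSED_KEY + ["Class"]


def unique_session_id(packet, fields):
    """MD5 hex digest over the comma-joined attribute values."""
    values = []
    for name in fields:
        if name == "NAS-Address":
            # Prefer the IPv6 address, fall back to the IPv4 one.
            value = packet.get("NAS-IPv6-Address") or packet.get("NAS-IP-Address", "")
        else:
            value = packet.get(name, "")  # an absent attribute contributes ""
        values.append(value)
    return hashlib.md5(",".join(values).encode()).hexdigest()


def correlate(packets, fields):
    """Group accounting packets by derived key: {key: [Acct-Status-Type, ...]}."""
    sessions = {}
    for pkt in packets:
        key = unique_session_id(pkt, fields)
        sessions.setdefault(key, []).append(pkt["Acct-Status-Type"])
    return sessions


# Constructed sample: one 802.1X session, re-authenticated mid-session.
BASE = {"User-Name": "alice", "Acct-Session-Id": "0000A1B2",
        "NAS-IP-Address": "192.0.2.10", "NAS-Identifier": "ap-01"}
ACCOUNTING = [
    dict(BASE, **{"Acct-Status-Type": "Start", "Class": "policy-A"}),
    dict(BASE, **{"Acct-Status-Type": "Interim-Update", "Class": "policy-A"}),
    # Re-auth returned a new Class; the NAS keeps accounting without Stop/Start.
    dict(BASE, **{"Acct-Status-Type": "Interim-Update", "Class": "policy-B"}),
    dict(BASE, **{"Acct-Status-Type": "Stop", "Class": "policy-B"}),
]

if __name__ == "__main__":
    for label, fields in (("proposed", PROPOSED_KEY), ("with Class", WITH_CLASS)):
        for key, statuses in correlate(ACCOUNTING, fields).items():
            print(f"{label:10} {key} {statuses}")
```

With Class in the key, the Start and the Stop land under different identifiers, so the session can never be closed against the record that opened it.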