Radacct Reused ?
Oscar
oscar at jofre.com
Sun Apr 21 22:31:24 CEST 2019
Hi,
About:
# If we have a class attribute in the format
# 'auth_id:[0-9a-f]{32}' it'll have a local value
# (defined by insert_acct_class), this ensures
# uniqueness and suitability.
#
# We could just use the Class attribute as
# Acct-Unique-Session-Id, but this may cause problems
# with NAS that carry Class values across between
# multiple linked sessions. So we rehash class with
# Acct-Session-ID to provide a truely unique session
# identifier.
#
# Using a Class/Session-ID combination is more robust
# than using elements in the Accounting-Request,
# which may be subject to change, such as
# NAS-IP-Address, Client-IP-Address and
# NAS-Port-ID/NAS-Port.
#
# This policy should ensure that session data is not
# affected if NAS IP addresses change, or the client
# roams to a different 'port' whilst maintaining its
# initial authentication session (Common in a
# wireless environment).
Is Class an attribute that should come from the NAS ?
I'm using MikroTik as a NAS and I think/hope it is not garbage.
This is what it is sending as accounting
22:14:40 radius,debug sending 3f:41a8 to 18.194.84.153:1813
22:14:40 radius,debug,packet sending Accounting-Request with id 14 to 18.194.84.153:1813
22:14:40 radius,debug,packet Signature = 0x72ab4a619fdecb98eeaefe7322abe9fe
22:14:40 radius,debug,packet Acct-Status-Type = 3
22:14:40 radius,debug,packet NAS-Port-Type = 19
22:14:40 radius,debug,packet Calling-Station-Id = "30:07:4D:50:64:AA"
22:14:40 radius,debug,packet Called-Station-Id = "8D0008D14A5D"
22:14:40 radius,debug,packet NAS-Port-Id = "bridge-hs"
22:14:40 radius,debug,packet User-Name = "SwB_3094873_ins_6971_30:07:4D:50:64:AA"
22:14:40 radius,debug,packet NAS-Port = 2148532224
22:14:40 radius,debug,packet Acct-Session-Id = "80100000"
22:14:40 radius,debug,packet Framed-IP-Address = 10.1.200.245
22:14:40 radius,debug,packet MT-Host-IP = 10.1.200.245
22:14:40 radius,debug,packet Event-Timestamp = 1555877680
22:14:40 radius,debug,packet Acct-Input-Octets = 381336
22:14:40 radius,debug,packet Acct-Output-Octets = 2678031
22:14:40 radius,debug,packet Acct-Input-Gigawords = 0
22:14:40 radius,debug,packet Acct-Output-Gigawords = 0
22:14:40 radius,debug,packet Acct-Input-Packets = 2751
22:14:40 radius,debug,packet Acct-Output-Packets = 3153
22:14:40 radius,debug,packet Acct-Session-Time = 3959
22:14:40 radius,debug,packet NAS-Identifier = "SERVER"
22:14:40 radius,debug,packet Acct-Delay-Time = 0
22:14:40 radius,debug,packet NAS-IP-Address = 172.16.8.118
22:14:40 radius,debug,packet received Accounting-Response with id 14 from 18.194.84.153:1813
22:14:40 radius,debug,packet Signature = 0x472ef1a6d674428935cc4b732b2f8363
22:14:40 radius,debug received reply for 3f:41a8
22:14:40 radius,debug request 3f:41a8 processed
22:15:34 system,info,account user admin logged in from 192.168.0.158 via telnet
Definitely I think Acct-Session-Id is not a unique id, but as I've seen in the MikroTik RADIUS manual: https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
Access-Request
NAS-Identifier - router identity
NAS-IP-Address - IP address of the router itself
NAS-Port - unique session ID
Acct-Session-Id - unique session ID
Seems that NAS-Port + Acct-Session-Id ( 2148532224 + 80100000 ) should be unique.
I've sent an email to MikroTik to tell them that Acct-Session-Id is not unique and will see what they say (will share here if it is helpful).
So at that point I think, not sure yet, I need to know if my radius is using Class or not:
If using Class it would be solved by modifying:
&Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}}"
To
&Acct-Unique-Session-Id := "%{md5:%{1},%{Acct-Session-ID}, %{NAS-Port} }"
That should create in my case a really unique Acct-Unique-Session-Id
Because if not using class:
&Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
I think Acct-Unique-Session-Id will come out unique because NAS-Port is in the md5 hash.
Is that correct?
I'm not going to change anything yet.
Will wait to mikrotik answer.
Thanks again for the support, I appreciate it.
Rgds,
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+oscar=jofre.com at lists.freeradius.org> On behalf of Alan DeKok
Sent: Sunday, 21 April 2019 1:50
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Radacct Reused ?
On Apr 19, 2019, at 6:40 PM, Oscar <oscar at jofre.com> wrote:
> I've searched and found the piece of code that I think creates the unique id
Yes.
> I'm trying to understand why acctuniqueid=6cf28675aa2c38a046d7f46f65e36e72 has been created again
Because all of the values used to create it are the same.
> and can't follow this code.
>
> Where and what is the Class I guess {%1} ? hex:&Class ? string:&Class ?
See "man unlang".
> I think if in my case we go through:
> &Acct-Unique-Session-Id := "%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}"
>
> Then unique id can be reused because user-name and rest of values can be the same.
Yes.
> Where comes the Acct-Session-ID ?
The NAS sends it. If you read the debug output, you will see this.
> Sorry for too many questions ... but trying to figure out how it works.
The short answer for the problem here is that the NAS is re-using values for sessions. It's not supposed to do that. The Acct-Session-Id is *supposed* to be mostly unique.
If the NAS is this bad, then no amount of poking the FR config will fix it. There is literally nothing you can do to stop the problem of re-used sessions. You have to get a NAS which implements RADIUS properly. i.e. one that isn't garbage.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
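To make concrete which attributes feed the hash in the two acct_unique branches quoted in this thread, here is an added Python example. It is not code from the FreeRADIUS project or from either poster; it mimics the md5 xlat expansion as the policy strings show it (attribute values joined with commas, an absent attribute expanding to the empty string, the hex digest as the result). The first record is built from the values in the MikroTik debug output above; the second and third records, the `auth_id` placeholder standing in for `%{1}`, and the function names are assumptions. The final helper is the check a defender can run over a batch of accounting records to spot unique ids that collide, which is how a NAS re-using Acct-Session-Id shows up in radacct.

```python
import hashlib

# Constructed sample records. Record A uses the values from the MikroTik debug
# output in the thread. Record B is a hypothetical later session from the same
# client on a different NAS-Port. Record C is a hypothetical session in which the
# NAS re-used every value (the situation Alan describes).
RECORD_A = {
    "User-Name": "SwB_3094873_ins_6971_30:07:4D:50:64:AA",
    "Acct-Session-Id": "80100000",
    "NAS-IP-Address": "172.16.8.118",
    "NAS-Identifier": "SERVER",
    "NAS-Port-Id": "bridge-hs",
    "NAS-Port": "2148532224",
}
RECORD_B = dict(RECORD_A, **{"NAS-Port": "2148532225"})
RECORD_C = dict(RECORD_A)
ACCOUNTING_RECORDS = [RECORD_A, RECORD_B, RECORD_C]

# Placeholder for the local value that the policy captures as %{1} from a
# Class attribute of the form 'auth_id:[0-9a-f]{32}' (assumed, not a real id).
LOCAL_AUTH_ID = "0" * 32


def expand(attrs, name):
    """Mimic an unlang %{Attr} expansion: a missing attribute becomes ''."""
    return attrs.get(name, "")


def md5_xlat(parts):
    """Mimic %{md5:...}: hash the comma-joined expansion, return lowercase hex."""
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def acct_unique_default(attrs):
    """The branch used when no suitable Class is present, as quoted in the thread:
    User-Name, Acct-Session-Id, NAS-IPv6-Address (falling back to NAS-IP-Address),
    NAS-Identifier, NAS-Port-Id and NAS-Port."""
    nas_addr = expand(attrs, "NAS-IPv6-Address") or expand(attrs, "NAS-IP-Address")
    return md5_xlat([
        expand(attrs, "User-Name"),
        expand(attrs, "Acct-Session-Id"),
        nas_addr,
        expand(attrs, "NAS-Identifier"),
        expand(attrs, "NAS-Port-Id"),
        expand(attrs, "NAS-Port"),
    ])


def acct_unique_class(attrs, local_id=LOCAL_AUTH_ID, include_nas_port=False):
    """The Class branch: md5 over the local auth_id and Acct-Session-Id.
    include_nas_port=True reproduces the modification Oscar proposes."""
    parts = [local_id, expand(attrs, "Acct-Session-Id")]
    if include_nas_port:
        parts.append(expand(attrs, "NAS-Port"))
    return md5_xlat(parts)


def find_reused_ids(records, unique_fn):
    """Group records by the unique id unique_fn assigns them and return only the
    ids that more than one record maps to. An empty dict means no collisions."""
    groups = {}
    for record in records:
        groups.setdefault(unique_fn(record), []).append(record)
    return {uid: recs for uid, recs in groups.items() if len(recs) > 1}


if __name__ == "__main__":
    for label, fn in [
        ("default branch", acct_unique_default),
        ("class branch", acct_unique_class),
        ("class branch + NAS-Port",
         lambda r: acct_unique_class(r, include_nas_port=True)),
    ]:
        dupes = find_reused_ids(ACCOUNTING_RECORDS, fn)
        print(f"{label}: {len(dupes)} colliding id(s), "
              f"{sum(len(v) for v in dupes.values())} records involved")
```

Running it shows the point of the thread from both sides: in the default branch a different NAS-Port does separate records A and B, but record C, whose values are all identical to A, lands on the same id whatever the hash covers. No change to the policy string can distinguish two sessions for which the NAS sent identical attributes; the check only makes the reuse visible.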