Setting the standards

Nathan Ward lists+freeradius at daork.net
Tue Jul 13 14:49:58 CEST 2021 

Thanks for your work on this, Alan!

> On 13/07/2021, at 11:51 PM, Alan DeKok <aland at deployingradius.com> wrote:
> 
>  After some "behind the scenes" wrangling, we've managed to get some new values defined for Acct-Status-Type.  These values are especially useful to vendors who have one RADIUS client which controls multiple subsystems.
> 
>  i.e. a WiFI Access Point, where all of the RADIUS packets come from the controller, but each individual radio may have many users.   If the radio reboots while the controller is still up, there was no way in RADIUS for the controller to signal that.  It would have to send multiple accounting packets, one for each user on that controller.
> 
>  With the new values defined, the controller can just say "subsystem 1 stopped".
> 
>  The new values are defined here:
> 
> https://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-10
> 
>  A longer discussion of the issue is on the main FreeRADIUS page:
> 
> https://freeradius.org/rfc/acct_status_type_subsystem.html
> 
>  I encourage people to forward these links to vendors, so that vendors can start implementing this new functionality.

On this note, I’ve already got an ER in the works with Juniper, so anyone wanting to pile on to that I’d love to hear from you, and can forward the details when I have them.

Background for me is that Juniper BNGs send an Accounting-On message per routing-instance - and if you have multiple routing-instances using one common RADIUS instance, you get a bunch of them - or worse, you get them when creating/removing routing-instances (VRFs) on a running BNG. There’s been at least one bug I know of that this behaviour has made worse, too. If Subsystem-On/Off was being used, these bugs would be much lower impact.

There are configuration workarounds, but it requires creating a RADIUS server set per subscriber routing-instance, and tweaking the NAS-Identifier in those instances so they can be handled differently by the RADIUS server. It’s pretty messy.

--
Nathan Ward

More information about the Freeradius-Users mailing list