What is the purpose of the default accounting-on/off queries?

Nathan Ward lists+freeradius at daork.net
Sat Oct 9 17:02:14 CEST 2021

> On 10/10/2021, at 3:51 AM, Antônio Modesto <modesto at hubsoft.com.br> wrote:
> On 09/10/2021 11:24, Nathan Ward wrote:
>>> On 10/10/2021, at 3:16 AM, Antônio Modesto <modesto at hubsoft.com.br> wrote:
>>> Hello everyone,
>>> I have two questions:
>>> 1) What is the purpose of the default accounting-on and accounting-off queries bundled with freeradius? I am asking this because one of my customer's NAS is sending accounting-on packets for no reason, and Freeradius is closing the sessions with the 'NAS-Reboot' Acct-Terminate-Cause. I was thinking about disabling the accounting-on query altogether, and leaving only the accounting-off. Are there any side effects by doing this?
>> This means the NAS is misbehaving.
>> Accounting-On and Accounting-Off should only be sent when the NAS is booting or shutting down - i.e. when sessions are terminated en mass. In those situations, the NAS might not send Stop messages for each session (and in many cases, such as a crash, cannot).
>> Leaving only Accounting-Off will mean in case of a NAS crash, it’ll come back and may not be able to get customers online until the sessions expire in the RADIUS server state - in case you limit concurrent sessions, or have limited IPs in sqlippool. Accounting-On is important in these situations.
>> Perhaps to work around the poor RADIUS implementation on the NAS, you can filter out these messages - do they have any additional attributes? Some misbehaving NASes send Accounting-On/Off for subsystems, with additional attributes to identify the subsystem.
>> Send the NAS vendor this page: https://freeradius.org/rfc/acct_status_type_subsystem.html <https://freeradius.org/rfc/acct_status_type_subsystem.html><https://freeradius.org/rfc/acct_status_type_subsystem.html <https://freeradius.org/rfc/acct_status_type_subsystem.html>>
>> Can you share who the vendor is?
> It is a Juniper MX5 router.
> Based on what you said, I think the safest choice for us is to ignore accounting-on, and leave just accounting-off. We have other mechanisms to deal with staled sessions and pool addresses. This NAS is sending accounting-on in a totally random fashion.

Ah yep. It will be sending Accounting-On when a VRF (routing-instance) gets the first customer, or has its configuration changed in certain ways (depending on the version). I have this very problem.

I have been working with my SE to get an ER raised for this to get them to use Subsystem-On and Subsystem-Off. I’ll follow up and see where that’s gotten to.

You can work around this as follows:
1) Create an `access profile` per VRF - Juniper recommend this anyway, so that requests for one VRF aren’t competing in a queue with requests in another VRF. This can of course have the same details as the current access profile you have, except for item 2:
2) Set the NAS-Identifier attribute uniquely for each profile: `set access profile foo radius options nas-identifier “bar”`
3) Set this profile in the VRF `set routing-instances baz access-profile foo`

This will get your Accounting-On messages coming with an attribute you can filter on.

If you don’t want to do that per VRF, you could create one common “inside VRF” profile, and one “global” profile, and of course have different NAS-Identifiers to filter on.

You want to keep the global Accounting-On messages, and throw away the others.

Nathan Ward

More information about the Freeradius-Users mailing list