What is the purpose of the default accounting-on/off queries?
Terry Burton
terry.burton at gmail.com
Sat Oct 9 19:11:46 CEST 2021
On Sat, 9 Oct 2021 at 16:03, Nathan Ward <lists+freeradius at daork.net> wrote:
> > On 10/10/2021, at 3:51 AM, Antônio Modesto <modesto at hubsoft.com.br> wrote:
> > On 09/10/2021 11:24, Nathan Ward wrote:
> >>> On 10/10/2021, at 3:16 AM, Antônio Modesto <modesto at hubsoft.com.br> wrote:
> >>>
> >>> Hello everyone,
> >>>
> >>> I have two questions:
> >>>
> >>>
> >>> 1) What is the purpose of the default accounting-on and accounting-off queries bundled with freeradius? I am asking this because one of my customer's NAS is sending accounting-on packets for no reason, and Freeradius is closing the sessions with the 'NAS-Reboot' Acct-Terminate-Cause. I was thinking about disabling the accounting-on query altogether, and leaving only the accounting-off. Are there any side effects by doing this?
> >> This means the NAS is misbehaving.
> >> Accounting-On and Accounting-Off should only be sent when the NAS is booting or shutting down - i.e. when sessions are terminated en mass. In those situations, the NAS might not send Stop messages for each session (and in many cases, such as a crash, cannot).
> >> Leaving only Accounting-Off will mean in case of a NAS crash, it’ll come back and may not be able to get customers online until the sessions expire in the RADIUS server state - in case you limit concurrent sessions, or have limited IPs in sqlippool. Accounting-On is important in these situations.
> >>
> >> Perhaps to work around the poor RADIUS implementation on the NAS, you can filter out these messages - do they have any additional attributes? Some misbehaving NASes send Accounting-On/Off for subsystems, with additional attributes to identify the subsystem.
> >>
> >> Send the NAS vendor this page: https://freeradius.org/rfc/acct_status_type_subsystem.html <https://freeradius.org/rfc/acct_status_type_subsystem.html><https://freeradius.org/rfc/acct_status_type_subsystem.html <https://freeradius.org/rfc/acct_status_type_subsystem.html>>
> >> Can you share who the vendor is?
> >
> > It is a Juniper MX5 router.
> >
> > Based on what you said, I think the safest choice for us is to ignore accounting-on, and leave just accounting-off. We have other mechanisms to deal with staled sessions and pool addresses. This NAS is sending accounting-on in a totally random fashion.
>
>
> Ah yep. It will be sending Accounting-On when a VRF (routing-instance) gets the first customer, or has its configuration changed in certain ways (depending on the version). I have this very problem.
Another issue with the MX series that we've discovered the hard way is
that they can continue to send Accounting-On requests without backoff
*forever*, until the request is acknowledged. So if you are "ignoring"
them you must still send an Accounting-Response.
As well as the VRF issue, you can experience this in global context if
the database connection is configured with a query timeout and the
bulk session update does not complete in time.
More information about the Freeradius-Users
mailing list