 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  "Andrew Hull" <list at racc2000 dot com>, "M0n0 Wall list" <m0n0wall at lists dot m0n0 dot ch>
 Cc:  <jbrunk at wthosting dot com>, "Lee Sharp" <leesharp at hal dash pc dot org>
 Subject:  RE: RADIUS Calling-Station-Id consistency
 Date:  Tue, 8 Nov 2005 09:12:46 +0100
>Greetings,
>Using the esteemed Mr De Graeve's latest image, I have discovered a 
>slight inconsistency.
This 'inconsistency' is there for a good reason:
It is because I currently only uploaded a changed radius authentication
in the published images, not yet the radius accounting stuff (that
coding is already 'done' but needs testing) (Note that I did change the
accounting behaviour to work with changing NAS-Port's). I wanted to be
sure that no one has problems with the first part of the code. If this
is true, I will publish the images with both authentication and
accounting as soon as I get good response from the images, considering
the first part of the code as stable. 
 
>Assuming "Cisco functionality" is disabled, the Access Request (type 1)
>RADIUS packet sends Calling-Station-Id (31) as the client's MAC addy.
>The Accounting Request (type 4) RADIUS packet (Acct-Status_Type (40) = 
>Start) does not send Calling-Station-Id at all.
>The Accounting Request (type 4) RADIUS packet (Acct-Status_Type (40) = 
>End) sends Calling-Station-Id (31) as the client's IP addy.
Question: it's normally not a problem to have missing attributes in the
Accounting Request start packages. They may be in the Accounting Request
Updates/Stop. Does your radius server give problems if they aren't in
the Accounting Start? (it's for further coding that I want to know this)

>My RADIUS server (Vircom's VOP (not VoIP) RADIUS) offers a security 
>feature which treats Calling-Station-Id (31) as a "non-shareable 
>resource." Basically, it checks and prevents different users logging in
>on the same calling station. Whenever I attempt to enable this feature,
>RADIUS gets mighty confused due (I believe) to this inconsistency.
Just disable this feature for the moment. 

>Jonathan -- is this something you could easily remedy?
Yes it is, it's waiting in the new accounting code :)

>thanks,
 
><Access Request snip>
>(Debug   :03108) 11/7/2005 12:54:05 RECEIVED: 66.129.44.14, code=1 
>(Access Request), id=250, len=96
>        ( 61) NAS-Port-Type = 15 
>        (  6) Service-Type = 1 Login-User
>        (  4) NAS-IP-Address = [12]"192.168.5.10",\ 31 39 32 2E 31 36 38 2E 35 2E 31 30 \
>        (  1) User-Name = [5]"test2",\ 74 65 73 74 32 \
>        (  2) Password = [16]"<encrypted>"
>        ( 31) Calling-Station-Id = [17]"00:0f:b5:4d:93:f4",\ 30 30 3A 30 66 3A 62 35 3A 34 64 3A 39 33 3A 66 34 \
This is good, it does exactly what it had to do :)

>        (  5) NAS-Port-Id = 7
Also good, the initial port is 6, so this NAS-Port counter also
works

><!Access Request snip>


><Accounting Start snip>
>(Debug   :03108) 11/7/2005 12:54:06 RECEIVED: 66.129.44.14, code=4 
>(Accounting Request), id=102, len=109
>        (  6) Service-Type = 1 Login-User
>        (  1) User-Name = [5]"test2",\ 74 65 73 74 32 \
>        ( 32) Nas-Identifier = [26]"alnsn-hotspot.racc2000.com",\ 61 6C 6E 73 6E 2D 68 6F 74 73 70 6F 74 2E 72 61 63 63 32 30 30 30 2E 63 6F 6D \
>        (  5) NAS-Port-Id = 7 
>        ( 61) NAS-Port-Type = 15 
>        ( 40) Acct-Status-Type = 1 Start
>        ( 45) Acct-Authentic = 1 RADIUS
>        ( 44) Acct-Session-Id = [16]"13a05169c69ff918",\ 31 33 61 30 35 31 36 39 63 36 39 66 66 39 31 38 \
>        (  8) Framed-Address = 192.168.1.199
Old code, so normal behaviour :)
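
Added example (not part of the original message and not m0n0wall code): a small Python checker that parses raw RADIUS packets and reports where Calling-Station-Id (31) is missing or differs across one session, which is the condition that trips a server treating the attribute as a non-shareable resource. The sample packets are constructed to mirror the behaviour reported above; the packet id 103, the zeroed authenticator and the helper names are assumptions.

```python
import struct

CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40
CODE_NAMES = {1: "Access-Request", 4: "Accounting-Request"}

def build_packet(code, ident, attrs):
    """Build a RADIUS packet (RFC 2865 layout), zeroed authenticator; test input only."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return (code, {type: [values]}) after validating header and TLV lengths."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def check_calling_station(packets):
    """Compare Calling-Station-Id across one session's packets; return findings."""
    findings, reference = [], None
    for pkt in packets:
        code, attrs = parse_attributes(pkt)
        label = CODE_NAMES.get(code, f"code {code}")
        if code == 4 and ACCT_STATUS_TYPE in attrs:
            status = int.from_bytes(attrs[ACCT_STATUS_TYPE][0], "big")
            label += {1: " Start", 2: " Stop"}.get(status, f" status {status}")
        values = attrs.get(CALLING_STATION_ID)
        if not values:
            findings.append(f"{label}: Calling-Station-Id missing")
            continue
        value = values[0].decode("ascii", "replace")
        if reference is None:
            reference = value  # first value seen (the MAC from the Access-Request)
        elif value != reference:
            findings.append(f"{label}: Calling-Station-Id {value!r} != {reference!r}")
    return findings

# Constructed session: MAC at authentication, nothing at Start, IP at Stop.
SESSION = [
    build_packet(1, 250, [(1, b"test2"), (31, b"00:0f:b5:4d:93:f4")]),
    build_packet(4, 102, [(1, b"test2"), (40, (1).to_bytes(4, "big"))]),
    build_packet(4, 103, [(1, b"test2"), (40, (2).to_bytes(4, "big")), (31, b"192.168.1.199")]),
]
```

Calling check_calling_station(SESSION) returns one finding for the Start packet and one for the Stop packet; a session that carries the same MAC in all three packets returns an empty list.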