[ previous ] [ next ] [ threads ]
 
 From:  Andrew Hull <list at racc2000 dot com>
 To:  Jonathan De Graeve <Jonathan dot De dot Graeve at imelda dot be>, M0n0 Wall list <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: RADIUS Calling-Station-Id consistency
 Date:  Tue, 08 Nov 2005 11:16:27 -0500
Jonathan De Graeve wrote:
> 
> This 'inconsistency' is there for a good reason:
> It is because I currently only uploaded a changed radius authentication
> in the published images, not yet the radius accounting stuff (that
> coding is already 'done' but needs testing) (Note that I did changed the
> accounting behaviour to work with changing NAS-Port's). I wanted to be
> sure that no one has problems with the first part of the code. If this
> is true, I will publish the images with both authentication and
> accounting as soon as I get good response from the images, considering
> the first part of the code as stable. 

Johathan,

First, let me thank you for your efforts. The NAS-Port functionality 
works very well, as does your new stack style (for lack of a better 
term) auth code as a whole.

I noticed that the accounting functions were by-in-large (if not 
exactly) the same as 1.2 stable. And the calling-station-id 
inconsistency now makes perfect sense.


> 
> Question: it's normally not a problem to have missing attributes in the
> Accounting Request start packages. They may be in the Accounting Request
> Updates/Stop. Does your radius server gives problems if they aren't in
> the Accounting Start? (its for further coding that I want to know this)
> 
> 

The short answer is that Vircom's RADIUS server does not normally give 
me problems with your current image (build 20051107_09-38) now that 
nas-port is functional.

Access Request, Accounting Start and Stop all work with their current 
presence or absence of RADIUS attributes.

The problem arises when I enable the "Calling-station-id concurrency" 
feature. With this feature enabled, RADIUS treats calling-station-id 
much the same as nas-port -- a field that is unique to each user on the NAS.

Brief description of what happens:

In general, with calling-station-id concurrency enabled RADIUS has 3 
fields used to identify users: user-name, nas-port, and 
calling-station-id. Nas-port and calling-station-id are non-shareable, 
and user-name is governed by port-limit. In order for an accounting 
packet to be associated with an authenticated user, the nas-port, 
user-name, and calling-station-id attributes must all match.

- With calling-station-id concurrency enabled, RADIUS receives the 
access request and returns the access accept (assuming I didn't 
fat-finger the pwd).

- RADIUS receives the Accounting start request and attempts to match it 
to a user.

- Finding no matching users, it assumes the access-request packet died 
in transit (yay UDP). It adds a user (if port-limit allows) and sends 
the accounting-response back to the NAS. There are now two users logged 
in according to RADIUS, one still in ACK, one in Accounting Start. They 
both have the same user-name, and nas-port, but different 
calling-station-id (one the client's MAC, the other NULL).

- The first user created is still in the ACK state. When the ACK state 
timeout is reached, that user is quietly removed.


With calling-station-id concurrency disabled, RADIUS reacts in the same 
way save that it only uses user-name and nas-port to distinguish users. 
It still records calling-station-id, but it is not a vital part of 
RADIUS operation.


> 
>>Jonathan -- is this something you could easily remedy?
> 
> Yes it is, it's waiting in the new accounting code :)
> 
> Old code, so normal behaviour :)
> 
>  

Wonderful. Thank you so much.


On a side note: I looked at some of the RADIUS packets for our dial-up 
users. We have Cisco access servers located in areas with and without 
callerid. In the callerid enabled areas, calling-station-id is present 
in every RADIUS packet: Auth, accounting start/stop, watchdog, 
everything. In the callerid incapable areas, calling-station-id is never 
sent.


Again, thank you for the work you've done. I look forward to checking 
out your accounting functions.

Andrew