(RADIATOR) 802.1X Authenticators - Common Accounting Problems
Terry Simons
galimore at mac.com
Thu Jun 10 14:31:37 CDT 2004
Thanks Michael,
I would like to gather a list of "known broken authenticators", so this
is helpful.
I'll add the following to the list:
Proxim AP 2000
Broken Acct-Session-Id (uses MAC address)
Does not account Calling/Called-Station-Id
Example:
Attributes:
User-Name = "u0123456 at utah.edu"
Acct-Session-Id = "00-d0-b7-20-e2-6e"
NAS-Identifier = "w1-3-304a"
NAS-IP-Address = 155.97.2.214
NAS-Port = 9
NAS-Port-Type = Wireless-IEEE-802-11
Acct-Authentic = RADIUS
Acct-Status-Type = Stop
Timestamp = 1086895670
Acct-Delay-Time = 0
On Jun 10, 2004, at 10:30 AM, Michael Ting wrote:
> Hello,
>
> Just something related to this subject to share:
>
> It seems that the Acct-Session-Id of the 802.1x start and stop
> accounting
> records sent out by Cisco CatOS 4000 switches don't match either.
>
> ----------------------------------------------------------------
> Attributes:
> User-Name = "ziaul at md5"
> NAS-IP-Address = 132.163.5.31
> NAS-Port = 60402
> Calling-Station-Id = "00-10-a4-bb-aa-9c"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
> Acct-Session-Id = "Thu Jun 10 2004, 09:37:13 9000"
> Attributes:
> User-Name = "ziaul at md5"
> NAS-IP-Address = 132.163.5.31
> NAS-Port = 60402
> Calling-Station-Id = "00-10-a4-bb-aa-9c"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Stop
> Acct-Authentic = RADIUS
> Acct-Terminate-Cause = Port-Error
> Acct-Session-Id = "Thu Jun 10 2004, 09:37:49 1773"
> ----------------------------------------------------------------
>
>
> Michael
>
>
>
> Thu Jun 10 09:37:14 2004: DEBUG: Packet dump:
> *** Received from 132.163.5.31 port 2354 ....
> Code: Accounting-Request
> Identifier: 3
> Authentic: T*<186><2><140><207><128><190>o<185><226><x<232><221><178>
> Attributes:
> User-Name = "ziaul at md5"
> NAS-IP-Address = 132.163.5.31
> NAS-Port = 60402
> Calling-Station-Id = "00-10-a4-bb-aa-9c"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
> Acct-Session-Id = "Thu Jun 10 2004, 09:37:13 9000"
>
> Thu Jun 10 09:37:14 2004: DEBUG: Rewrote user name to ziaul at md5
> Thu Jun 10 09:37:14 2004: DEBUG: Handling request with Handler 'Realm
> = /MD5/i'
> Thu Jun 10 09:37:14 2004: DEBUG: Rewrote user name to ziaul
> Thu Jun 10 09:37:14 2004: DEBUG: Adding session for ziaul at md5,
> 132.163.5.31,
> 60402
> Thu Jun 10 09:37:14 2004: DEBUG: do query is: 'delete from RADONLINE
> where
> NASIDENTIFIER='132.163.5.31' and NASPORT=60402 and ACCTSESSIONID='Thu
> Jun 10
> 2004, 09:37:13 9000'':
>
> Thu Jun 10 09:37:14 2004: DEBUG: do query is: 'insert into RADONLINE
> (USERNAME,
> NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS,
> NASPORTTYPE,
> SERVICETYPE) values ('ziaul at md5', '132.163.5.31', 60402, 'Thu Jun 10
> 2004,
> 09:37:13 9000', 1086881834, '', 'Ethernet', '')':
>
> Thu Jun 10 09:37:14 2004: ERR: do failed for 'insert into RADONLINE
> (USERNAME,
> NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS,
> NASPORTTYPE,
> SERVICETYPE) values ('ziaul at md5', '132.163.5.31', 60402, 'Thu Jun 10
> 2004,
> 09:37:13 9000', 1086881834, '', 'Ethernet', '')': Duplicate entry
> '132.163.5.31-60402' for key 1
> Thu Jun 10 09:37:14 2004: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 10 09:37:14 2004: DEBUG: Accounting accepted
> Thu Jun 10 09:37:14 2004: DEBUG: Packet dump:
> *** Sending to 132.163.5.31 port 2354 ....
> Code: Accounting-Response
> Identifier: 3
> Authentic: T*<186><2><140><207><128><190>o<185><226><x<232><221><178>
> Attributes:
> Tunnel-Type = 1:VLAN
> Tunnel-Medium-Type = 1:802
> Tunnel-Private-Group-ID = 1:VLAN0252
>
> Thu Jun 10 09:37:51 2004: DEBUG: Packet dump:
> *** Received from 132.163.5.31 port 2354 ....
> Code: Accounting-Request
> Identifier: 4
> Authentic: a<9>H<209><224><145><6><138>7s<214>T<10><166><223><208>
> Attributes:
> User-Name = "ziaul at md5"
> NAS-IP-Address = 132.163.5.31
> NAS-Port = 60402
> Calling-Station-Id = "00-10-a4-bb-aa-9c"
> NAS-Port-Type = Ethernet
> Acct-Status-Type = Stop
> Acct-Authentic = RADIUS
> Acct-Terminate-Cause = Port-Error
> Acct-Session-Id = "Thu Jun 10 2004, 09:37:49 1773"
>
> Thu Jun 10 09:37:51 2004: DEBUG: Rewrote user name to ziaul at md5
> Thu Jun 10 09:37:51 2004: DEBUG: Handling request with Handler 'Realm
> = /MD5/i'
> Thu Jun 10 09:37:51 2004: DEBUG: Rewrote user name to ziaul
> Thu Jun 10 09:37:51 2004: DEBUG: Deleting session for ziaul at md5,
> 132.163.5.31,
> 60402
> Thu Jun 10 09:37:51 2004: DEBUG: do query is: 'delete from RADONLINE
> where
> NASIDENTIFIER='132.163.5.31' and NASPORT=60402 and ACCTSESSIONID='Thu
> Jun 10
> 2004, 09:37:49 1773'':
>
> Thu Jun 10 09:37:51 2004: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 10 09:37:51 2004: DEBUG: Accounting accepted
> Thu Jun 10 09:37:51 2004: DEBUG: Packet dump:
> *** Sending to 132.163.5.31 port 2354 ....
> Code: Accounting-Response
> Identifier: 4
> Authentic: a<9>H<209><224><145><6><138>7s<214>T<10><166><223><208>
> Attributes:
> Tunnel-Type = 1:VLAN
> Tunnel-Medium-Type = 1:802
> Tunnel-Private-Group-ID = 1:VLAN0252
>
>
>
>> -----Original Message-----
>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
>> Behalf Of Hugh Irvine
>> Sent: Thursday, June 10, 2004 9:20 AM
>> To: Terry Simons
>> Cc: 'radiator at open.com.au'
>> Subject: Re: (RADIATOR) 802.1X Authenticators - Common Accounting
>> Problems
>>
>>
>>
>> Hello Terry -
>>
>> Excellent work - thanks for sharing it! I agree with all your
>> assertions.
>>
>> Another point that I would make is that some wireless vendors do not
>> do
>> accounting at all, and this should be considered unacceptable.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 10 Jun 2004, at 08:23, Terry Simons wrote:
>>
>>> Hi all,
>>>
>>> I have drafted an initial (small) document subset that is going to be
>>> incorporated into the University of Utah 802.1X Authenticator
>>> decision
>>> making Best Practices. This document will be our official test
>>> outline for 802.1X purchases, and I thought I should probably share
>>> this piece with everybody, since it affects more than just our
>>> university.
>>>
>>> Hugh & Mike, I would be especially grateful if the two of you would
>>> read over my document and correct any RADIUS mistakes, or tell me if
>>> you think I left anything out, or maybe if I am incorrect in my
>>> assumptions about something.
>>>
>>> I would also like input from other entities that have deployed
>>> 802.1X,
>>> or are considering deploying 802.1X. This document addresses the
>>> biggest concerns I have with 802.1X authenticators right now, and the
>>> more vendors I test, the more I am concerned. Nobody seems to have
>>> gotten it right, and I want to know if others think that maybe I
>>> have.
>>> ;)
>>>
>>> Anyway... here is the document.
>>>
>>> Thanks!
>>>
>>> - Terry
>>>
>>> <802.1X Authenticators and RADIUS Accounting.rtf>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list