(RADIATOR) two accounting start two accounting stop

Bon sy bon at bunny.cs.qc.edu
Tue Jun 17 05:12:37 CDT 2003


Hi Hugh, Mike, and Donald,

	I have had a similar experience in the wireless case, specifically
when I switched between two different authentication modes (e.g., EAP-TLS
to PEAP) while an AP was still trying to associate the client supplicant in
the meantime.

	I also noticed two additional challenges, and I
wonder whether they occurred in wired NAS. First, rebooting wireless APs or
restarting Radiator may run into the problem of regenerating identical account
session ids. Second, Radiator will insert into the database useless
accounting records (such as blank userid, timestamp, etc.) in addition to
the actual useful one. This leads me to think about two questions:

1. Can we get Radiator to be the only source for generating the accounting
session id, using a format like <calling-station><nas-identifier><time>
as a session id (time means date and time)? This should guarantee
uniqueness of the session id. I found a way to do so at the DB
level. But I would much prefer this to be taken care of at the
RADIUS level. (If there is enough interest in the tedious get-around
solution at the DB level, I will be happy to post it.)

2. Although zeroing out useless blank records is not a big deal at the
database level, it does cause additional maintenance work. Can this be
taken care of at the RADIUS level so that it will not even happen in the
first place?

Finally, how are other folks managing (non-)wireless NAS handling the above
challenges?

Bon


On Tue, 17 Jun 2003, Hugh Irvine wrote:

> 
> Hello Donald -
> 
> Thanks for sending the debug.
> 
> It is not clear to me exactly what is happening, but it looks like the  
> GGSN is configured to retry radius requests after a 2 second timeout  
> delay? If this is indeed the case, the target radius proxy is not  
> replying before the GGSN times out and sends a retransmission. There  
> should normally be a non-zero Acct-Delay-Time attribute in any  
> retransmissions, but it looks like the GGSN does not send any  
> Acct-Delay-Time at all.
> 
> If the GGSN is configured to send retries after two seconds, then this  
> is not a bug (although I would have said the absence of the  
> Acct-Delay-Time attribute *is* a bug). In general you need to configure  
> the retransmission timeout and the number of retries of the whole  
> system in a "sensible" manner.
> 
> In answer to your question about the Identifiers, no it is not possible  
> to use the same Identifiers on both sides.
> 
> You should note that there are some recent patches for Radiator 3.6  
> that implement extended Identifiers.
> 
> # define AuthBy RADIUS to use extended Identifiers
> 
> <AuthBy RADIUS>
> 	.....
> 	UseExtendedIds
> 	.....
> </AuthBy>
> 
> regards
> 
> Hugh
> 
> 
> On Tuesday, Jun 17, 2003, at 15:23 Australia/Melbourne, Foo Donald  
> (Products O2) wrote:
> 
> > Hi there,
> > We found that sometimes we got two accounting start from our GGSN and we
> > reply the accounting response twice back to the GGSN. Is this the radiator
> > problem or GGSN problem? Can make the same Identifier as the same accounting
> > request at the radiator side??
> >
> > Regards,
> > Donald
> >
> >
> > Tue Jun 17 00:48:36 2003: DEBUG: Packet dump:
> > *** Received from 10.208.2.2 port 1812 ....
> > Code:       Accounting-Request
> > Identifier: 37
> > Authentic:  `<190>8<15><134><159><29><253>G<31><132><187><13>;ok
> > Attributes:
> >         NAS-Identifier = "shggsn02"
> >         Acct-Status-Type = Start
> >         NAS-IP-Address = 10.208.2.2
> >         NAS-Port-Type = Virtual
> >         Calling-Station-Id = "6598592042"
> >         Called-Station-Id = "shwaptest"
> >         Acct-Session-Id = "241674cb65772600"
> >         Framed-IP-Address = 10.20.0.219
> >         Ascend-IPX-Alias = 621094145
> >         Ascend-Metric = 2520933
> >         Ascend-PRI-Number-Type = 0
> >         Ascend-Dial-Number = "<203>t<22>$"
> >         Ascend-Route-IP = 3413382660
> >
> > Tue Jun 17 00:48:36 2003: DEBUG: Handling request with Handler ''
> > Tue Jun 17 00:48:36 2003: DEBUG:  Adding session for , 10.208.2.2,
> > Tue Jun 17 00:48:36 2003: DEBUG: Handling with Radius::AuthSQL
> > Tue Jun 17 00:48:36 2003: DEBUG: Handling accounting with Radius::AuthSQL
> > Tue Jun 17 00:48:36 2003: DEBUG: Handling with Radius::AuthSQL
> > Tue Jun 17 00:48:36 2003: DEBUG: Handling accounting with Radius::AuthSQL
> > Tue Jun 17 00:48:36 2003: DEBUG: do query is: 'insert into ACCOUNTING
> > (FRAMEDIPADDRESS,ACCTCALLINGSTATIONID,ACCTSTATUSTYPE,NASIDENTIFIER,ACCTSESSIONID,TIME_STAMP) values
> > ('10.20.0.219','6598592042','Start','shggsn02','241674cb65772600',1055782116)':
> >
> > Tue Jun 17 00:48:36 2003: DEBUG: Handling with Radius::AuthRADIUS
> > Tue Jun 17 00:48:36 2003: DEBUG: Packet dump:
> > *** Sending to 10.12.1.41 port 1813 ....
> > Code:       Accounting-Request
> > Identifier: 19
> > Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Attributes:
> >         NAS-Identifier = "shggsn02"
> >         Acct-Status-Type = Start
> >         NAS-IP-Address = 10.208.2.2
> >         NAS-Port-Type = Virtual
> >         Calling-Station-Id = "6598592042"
> >         Called-Station-Id = "shwaptest"
> >         Acct-Session-Id = "241674cb65772600"
> >         Framed-IP-Address = 10.20.0.219
> >         Ascend-IPX-Alias = 621094145
> >         Ascend-Metric = 2520933
> >         Ascend-PRI-Number-Type = 0
> >         Ascend-Dial-Number = "<203>t<22>$"
> >         Ascend-Route-IP = 3413382660
> >         Timestamp = 1055782116
> >         Acct-Delay-Time = 0
> >
> > Tue Jun 17 00:48:38 2003: DEBUG: Packet dump:
> > *** Received from 10.208.2.2 port 1812 ....
> > Code:       Accounting-Request
> > Identifier: 37
> > Authentic:  `<190>8<15><134><159><29><253>G<31><132><187><13>;ok
> > Attributes:
> >         NAS-Identifier = "shggsn02"
> >         Acct-Status-Type = Start
> >         NAS-IP-Address = 10.208.2.2
> >         NAS-Port-Type = Virtual
> >         Calling-Station-Id = "6598592042"
> >         Called-Station-Id = "shwaptest"
> >         Acct-Session-Id = "241674cb65772600"
> >         Framed-IP-Address = 10.20.0.219
> >         Ascend-IPX-Alias = 621094145
> >         Ascend-Metric = 2520933
> >         Ascend-PRI-Number-Type = 0
> >         Ascend-Dial-Number = "<203>t<22>$"
> >         Ascend-Route-IP = 3413382660
> >
> > Tue Jun 17 00:48:38 2003: DEBUG: Handling request with Handler ''
> > Tue Jun 17 00:48:38 2003: DEBUG:  Adding session for , 10.208.2.2,
> > Tue Jun 17 00:48:38 2003: DEBUG: Handling with Radius::AuthSQL
> > Tue Jun 17 00:48:38 2003: DEBUG: Handling accounting with Radius::AuthSQL
> > Tue Jun 17 00:48:38 2003: DEBUG: Handling with Radius::AuthSQL
> > Tue Jun 17 00:48:38 2003: DEBUG: Handling accounting with Radius::AuthSQL
> > Tue Jun 17 00:48:38 2003: DEBUG: do query is: 'insert into ACCOUNTING
> > (FRAMEDIPADDRESS,ACCTCALLINGSTATIONID,ACCTSTATUSTYPE,NASIDENTIFIER,ACCTSESSIONID,TIME_STAMP) values
> > ('10.20.0.219','6598592042','Start','shggsn02','241674cb65772600',1055782118)':
> >
> > Tue Jun 17 00:48:38 2003: DEBUG: Handling with Radius::AuthRADIUS
> > Tue Jun 17 00:48:38 2003: DEBUG: Packet dump:
> > *** Sending to 10.12.1.41 port 1813 ....
> > Code:       Accounting-Request
> > Identifier: 20
> > Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Attributes:
> >         NAS-Identifier = "shggsn02"
> >         Acct-Status-Type = Start
> >         NAS-IP-Address = 10.208.2.2
> >         NAS-Port-Type = Virtual
> >         Calling-Station-Id = "6598592042"
> >         Called-Station-Id = "shwaptest"
> >         Acct-Session-Id = "241674cb65772600"
> >         Framed-IP-Address = 10.20.0.219
> >         Ascend-IPX-Alias = 621094145
> >         Ascend-Metric = 2520933
> >         Ascend-PRI-Number-Type = 0
> >         Ascend-Dial-Number = "<203>t<22>$"
> >         Ascend-Route-IP = 3413382660
> >         Timestamp = 1055782118
> >         Acct-Delay-Time = 0
> >
> > Tue Jun 17 00:48:38 2003: DEBUG: Packet dump:
> > *** Received from 10.12.1.41 port 1813 ....
> > Code:       Accounting-Response
> > Identifier: 19
> > Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Attributes:
> >
> > Tue Jun 17 00:48:38 2003: DEBUG: Received reply in AuthRADIUS for req 19 from 10.12.1.41:1813
> > Tue Jun 17 00:48:38 2003: WARNING: Bad authenticator received in reply to ID 19
> > Tue Jun 17 00:48:38 2003: DEBUG: Accounting accepted
> > Tue Jun 17 00:48:38 2003: DEBUG: Packet dump:
> > *** Sending to 10.208.2.2 port 1812 ....
> > Code:       Accounting-Response
> > Identifier: 37
> > Authentic:  `<190>8<15><134><159><29><253>G<31><132><187><13>;ok
> > Attributes:
> >
> > Tue Jun 17 00:48:38 2003: DEBUG: Packet dump:
> > *** Received from 10.12.1.41 port 1813 ....
> > Code:       Accounting-Response
> > Identifier: 20
> > Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > Attributes:
> >
> > Tue Jun 17 00:48:38 2003: DEBUG: Received reply in AuthRADIUS for req 20 from 10.12.1.41:1813
> > Tue Jun 17 00:48:38 2003: WARNING: Bad authenticator received in reply to ID 20
> > Tue Jun 17 00:48:38 2003: DEBUG: Accounting accepted
> > Tue Jun 17 00:48:38 2003: DEBUG: Packet dump:
> > *** Sending to 10.208.2.2 port 1812 ....
> > Code:       Accounting-Response
> > Identifier: 37
> > Authentic:  `<190>8<15><134><159><29><253>G<31><132><187><13>;ok
> > Attributes:
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
> 
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> 
> 
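
The retransmission Hugh describes in the quoted reply (the same Accounting-Request arriving again after 2 seconds with the same Identifier and authenticator) can be flagged mechanically from a trace before it produces a second accounting row. The following is an added example, not part of the original thread and not Radiator code; the function names, the 30-second window and the sample trace are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the thread's trace format; Authentic values are placeholders.
TRACE = """\
Tue Jun 17 00:48:36 2003: DEBUG: Packet dump:
*** Received from 10.208.2.2 port 1812 ....
Code:       Accounting-Request
Identifier: 37
Authentic:  AUTH-A
        Acct-Session-Id = "241674cb65772600"

Tue Jun 17 00:48:38 2003: DEBUG: Packet dump:
*** Received from 10.208.2.2 port 1812 ....
Code:       Accounting-Request
Identifier: 37
Authentic:  AUTH-A
        Acct-Session-Id = "241674cb65772600"

Tue Jun 17 00:49:10 2003: DEBUG: Packet dump:
*** Received from 10.208.2.2 port 1812 ....
Code:       Accounting-Request
Identifier: 38
Authentic:  AUTH-B
        Acct-Session-Id = "241674cb65772600"
"""
PACKET = re.compile(r"(\w{3} \w{3} +\d+ [\d:]{8} \d{4}): DEBUG: Packet dump:\n"
                    r"\*\*\* Received from (\S+) port (\d+)")
FIELD = re.compile(r"^\s*([\w-]+)(?::| =)[ \t]*(.*)$", re.M)

def received_requests(trace):
    """Yield (time, key, session_id); an identical resend repeats the whole key."""
    for block in trace.split("\n\n"):
        m = PACKET.match(block.strip())
        f = dict(FIELD.findall(block))
        if m and f.get("Code") == "Accounting-Request":
            when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            key = (m.group(2), m.group(3), f["Identifier"], f["Authentic"])
            yield when, key, f.get("Acct-Session-Id", "").strip('"')

def find_retransmissions(trace, window=30):
    """Repeats of a key within `window` seconds (the 8-bit Identifier wraps)."""
    first_seen, dups = {}, []
    for when, key, sid in received_requests(trace):
        prev = first_seen.get(key)
        if prev is not None and (when - prev).total_seconds() <= window:
            dups.append((sid, int((when - prev).total_seconds())))
        else:
            first_seen[key] = when
    return dups
```

Each tuple returned is a session id and the delay after the first copy; a request flagged this way is one whose accounting insert should be skipped or made idempotent.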
