(RADIATOR) 802.1X Authenticators - Common Accounting Problems

Michael Ting sting at boulder.nist.gov
Thu Jun 10 11:30:26 CDT 2004


Hello,

  Just something related to this subject to share:

  It seems that the Acct-Session-Id of the 802.1x start and stop accounting
records sent out by Cisco CatOS 4000 switches don't match either.

----------------------------------------------------------------
Attributes:
        User-Name = "ziaul at md5"
        NAS-IP-Address = 132.163.5.31
        NAS-Port = 60402
        Calling-Station-Id = "00-10-a4-bb-aa-9c"
        NAS-Port-Type = Ethernet
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Session-Id = "Thu Jun 10 2004, 09:37:13  9000"
Attributes:
        User-Name = "ziaul at md5"
        NAS-IP-Address = 132.163.5.31
        NAS-Port = 60402
        Calling-Station-Id = "00-10-a4-bb-aa-9c"
        NAS-Port-Type = Ethernet
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Acct-Terminate-Cause = Port-Error
        Acct-Session-Id = "Thu Jun 10 2004, 09:37:49  1773"
----------------------------------------------------------------


Michael



Thu Jun 10 09:37:14 2004: DEBUG: Packet dump:
*** Received from 132.163.5.31 port 2354 ....
Code:       Accounting-Request
Identifier: 3
Authentic:  T*<186><2><140><207><128><190>o<185><226><x<232><221><178>
Attributes:
        User-Name = "ziaul at md5"
        NAS-IP-Address = 132.163.5.31
        NAS-Port = 60402
        Calling-Station-Id = "00-10-a4-bb-aa-9c"
        NAS-Port-Type = Ethernet
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Acct-Session-Id = "Thu Jun 10 2004, 09:37:13  9000"

Thu Jun 10 09:37:14 2004: DEBUG: Rewrote user name to ziaul at md5
Thu Jun 10 09:37:14 2004: DEBUG: Handling request with Handler 'Realm = /MD5/i'
Thu Jun 10 09:37:14 2004: DEBUG: Rewrote user name to ziaul
Thu Jun 10 09:37:14 2004: DEBUG:  Adding session for ziaul at md5, 132.163.5.31,
60402
Thu Jun 10 09:37:14 2004: DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='132.163.5.31' and NASPORT=60402 and ACCTSESSIONID='Thu Jun 10
2004, 09:37:13  9000'':

Thu Jun 10 09:37:14 2004: DEBUG: do query is: 'insert into RADONLINE (USERNAME,
NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE,
SERVICETYPE) values ('ziaul at md5', '132.163.5.31', 60402, 'Thu Jun 10 2004,
09:37:13  9000', 1086881834, '', 'Ethernet', '')':

Thu Jun 10 09:37:14 2004: ERR: do failed for 'insert into RADONLINE (USERNAME,
NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE,
SERVICETYPE) values ('ziaul at md5', '132.163.5.31', 60402, 'Thu Jun 10 2004,
09:37:13  9000', 1086881834, '', 'Ethernet', '')': Duplicate entry
'132.163.5.31-60402' for key 1
Thu Jun 10 09:37:14 2004: DEBUG: Handling with Radius::AuthFILE:
Thu Jun 10 09:37:14 2004: DEBUG: Accounting accepted
Thu Jun 10 09:37:14 2004: DEBUG: Packet dump:
*** Sending to 132.163.5.31 port 2354 ....
Code:       Accounting-Response
Identifier: 3
Authentic:  T*<186><2><140><207><128><190>o<185><226><x<232><221><178>
Attributes:
        Tunnel-Type = 1:VLAN
        Tunnel-Medium-Type = 1:802
        Tunnel-Private-Group-ID = 1:VLAN0252

Thu Jun 10 09:37:51 2004: DEBUG: Packet dump:
*** Received from 132.163.5.31 port 2354 ....
Code:       Accounting-Request
Identifier: 4
Authentic:  a<9>H<209><224><145><6><138>7s<214>T<10><166><223><208>
Attributes:
        User-Name = "ziaul at md5"
        NAS-IP-Address = 132.163.5.31
        NAS-Port = 60402
        Calling-Station-Id = "00-10-a4-bb-aa-9c"
        NAS-Port-Type = Ethernet
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Acct-Terminate-Cause = Port-Error
        Acct-Session-Id = "Thu Jun 10 2004, 09:37:49  1773"

Thu Jun 10 09:37:51 2004: DEBUG: Rewrote user name to ziaul at md5
Thu Jun 10 09:37:51 2004: DEBUG: Handling request with Handler 'Realm = /MD5/i'
Thu Jun 10 09:37:51 2004: DEBUG: Rewrote user name to ziaul
Thu Jun 10 09:37:51 2004: DEBUG:  Deleting session for ziaul at md5, 132.163.5.31,
60402
Thu Jun 10 09:37:51 2004: DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='132.163.5.31' and NASPORT=60402 and ACCTSESSIONID='Thu Jun 10
2004, 09:37:49  1773'':

Thu Jun 10 09:37:51 2004: DEBUG: Handling with Radius::AuthFILE:
Thu Jun 10 09:37:51 2004: DEBUG: Accounting accepted
Thu Jun 10 09:37:51 2004: DEBUG: Packet dump:
*** Sending to 132.163.5.31 port 2354 ....
Code:       Accounting-Response
Identifier: 4
Authentic:  a<9>H<209><224><145><6><138>7s<214>T<10><166><223><208>
Attributes:
        Tunnel-Type = 1:VLAN
        Tunnel-Medium-Type = 1:802
        Tunnel-Private-Group-ID = 1:VLAN0252



> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
> Behalf Of Hugh Irvine
> Sent: Thursday, June 10, 2004 9:20 AM
> To: Terry Simons
> Cc: 'radiator at open.com.au'
> Subject: Re: (RADIATOR) 802.1X Authenticators - Common Accounting
> Problems
>
>
>
> Hello Terry -
>
> Excellent work - thanks for sharing it! I agree with all your
> assertions.
>
> Another point that I would make is that some wireless vendors do not do
> accounting at all, and this should be considered unacceptable.
>
> regards
>
> Hugh
>
>
> On 10 Jun 2004, at 08:23, Terry Simons wrote:
>
> > Hi all,
> >
> > I have drafted an initial (small) document subset that is going to be
> > incorporated into the University of Utah 802.1X Authenticator decision
> > making Best Practices.  This document will be our official test
> > outline for 802.1X purchases, and I thought I should probably share
> > this piece with everybody, since it affects more than just our
> > university.
> >
> > Hugh & Mike, I would be especially grateful if the two of you would
> > read over my document and correct any RADIUS mistakes, or tell me if
> > you think I left anything out, or maybe if I am incorrect in my
> > assumptions about something.
> >
> > I would also like input from other entities that have deployed 802.1X,
> > or are considering deploying 802.1X.  This document addresses the
> > biggest concerns I have with 802.1X authenticators right now, and the
> > more vendors I test, the more I am concerned.  Nobody seems to have
> > gotten it right, and I want to know if others think that maybe I have.
> > ;)
> >
> > Anyway... here is the document.
> >
> > Thanks!
> >
> > - Terry
> >
> > <802.1X Authenticators and RADIUS Accounting.rtf>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
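An added example, not Radiator's code and not from the post's author, that replays the Start and Stop records from the trace above through a small session table keyed the way the RADONLINE unique key in the error message suggests (NAS-IP-Address plus NAS-Port, an assumption), flagging a Stop whose Acct-Session-Id does not match its Start and a Start that lands on a port that still has an open session.

```python
"""Correlate RADIUS accounting Start/Stop records in a RADONLINE-style table
keyed by (NAS-IP-Address, NAS-Port); flag a Stop whose Acct-Session-Id differs
from its Start, and a Start for a NAS/port that is still open (the 'Duplicate
entry' case in the trace). Added example, not Radiator code."""
import re

# Start/Stop attribute dumps from the post, trimmed to the attributes used here.
TRACE = """\
Attributes:
        NAS-IP-Address = 132.163.5.31
        NAS-Port = 60402
        Calling-Station-Id = "00-10-a4-bb-aa-9c"
        Acct-Status-Type = Start
        Acct-Session-Id = "Thu Jun 10 2004, 09:37:13  9000"
Attributes:
        NAS-IP-Address = 132.163.5.31
        NAS-Port = 60402
        Calling-Station-Id = "00-10-a4-bb-aa-9c"
        Acct-Status-Type = Stop
        Acct-Terminate-Cause = Port-Error
        Acct-Session-Id = "Thu Jun 10 2004, 09:37:49  1773"
"""
ATTR_RE = re.compile(r'^\s*([\w-]+) = "?(.*?)"?$')

def parse_records(text):
    """Split a Radiator 'Attributes:' dump into one dict per record."""
    records = []
    for line in text.splitlines():
        if line.startswith("Attributes:"):
            records.append({})
        elif records and (m := ATTR_RE.match(line)):
            records[-1][m.group(1)] = m.group(2)
    return records

def correlate(records):
    """Apply records in order; return (findings, sessions still open)."""
    online, findings = {}, []
    for rec in records:
        key = (rec["NAS-IP-Address"], rec["NAS-Port"])
        sid = rec.get("Acct-Session-Id")
        if rec["Acct-Status-Type"] == "Start":
            if key in online:  # same unique key as RADONLINE: a raw insert fails here
                findings.append(("stale-session-replaced", key, online[key]))
            online[key] = sid
        elif rec["Acct-Status-Type"] == "Stop":
            if key not in online:
                findings.append(("stop-without-start", key, sid))
                continue
            if online[key] != sid:  # the CatOS behaviour reported in the post
                findings.append(("session-id-mismatch", key, (online[key], sid)))
            del online[key]  # close by NAS/port, since the session id cannot be trusted
    return findings, online
```

Closing by NAS/port rather than by Acct-Session-Id is what lets the Stop above still clear the session; the mismatch finding is what you would alert on to catch the switch behaviour.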