(RADIATOR) 802.1X Authenticators - Common Accounting Problems

Terry Simons galimore at mac.com
Thu Jun 10 14:31:37 CDT 2004


Thanks Michael,

I would like to gather a list of "known broken authenticators", so this 
is helpful.

I'll add the following to the list:

Proxim AP 2000
	Broken Acct-Session-Id (uses MAC address)
	Does not account Calling/Called-Station-Id

Example:

Attributes:
         User-Name = "u0123456 at utah.edu"
         Acct-Session-Id = "00-d0-b7-20-e2-6e"
         NAS-Identifier = "w1-3-304a"
         NAS-IP-Address = 155.97.2.214
         NAS-Port = 9
         NAS-Port-Type = Wireless-IEEE-802-11
         Acct-Authentic = RADIUS
         Acct-Status-Type = Stop
         Timestamp = 1086895670
         Acct-Delay-Time = 0

On Jun 10, 2004, at 10:30 AM, Michael Ting wrote:

> Hello,
>
>   Just something related to this subject to share:
>
> It seems that the Acct-Session-Id of the 802.1X start and stop accounting records sent out by Cisco CatOS 4000 switches don't match either.
>
> ----------------------------------------------------------------
> Attributes:
>         User-Name = "ziaul at md5"
>         NAS-IP-Address = 132.163.5.31
>         NAS-Port = 60402
>         Calling-Station-Id = "00-10-a4-bb-aa-9c"
>         NAS-Port-Type = Ethernet
>         Acct-Status-Type = Start
>         Acct-Authentic = RADIUS
>         Acct-Session-Id = "Thu Jun 10 2004, 09:37:13  9000"
> Attributes:
>         User-Name = "ziaul at md5"
>         NAS-IP-Address = 132.163.5.31
>         NAS-Port = 60402
>         Calling-Station-Id = "00-10-a4-bb-aa-9c"
>         NAS-Port-Type = Ethernet
>         Acct-Status-Type = Stop
>         Acct-Authentic = RADIUS
>         Acct-Terminate-Cause = Port-Error
>         Acct-Session-Id = "Thu Jun 10 2004, 09:37:49  1773"
> ----------------------------------------------------------------
>
>
> Michael
>
>
>
> Thu Jun 10 09:37:14 2004: DEBUG: Packet dump:
> *** Received from 132.163.5.31 port 2354 ....
> Code:       Accounting-Request
> Identifier: 3
> Authentic:  T*<186><2><140><207><128><190>o<185><226><x<232><221><178>
> Attributes:
>         User-Name = "ziaul at md5"
>         NAS-IP-Address = 132.163.5.31
>         NAS-Port = 60402
>         Calling-Station-Id = "00-10-a4-bb-aa-9c"
>         NAS-Port-Type = Ethernet
>         Acct-Status-Type = Start
>         Acct-Authentic = RADIUS
>         Acct-Session-Id = "Thu Jun 10 2004, 09:37:13  9000"
>
> Thu Jun 10 09:37:14 2004: DEBUG: Rewrote user name to ziaul at md5
> Thu Jun 10 09:37:14 2004: DEBUG: Handling request with Handler 'Realm = /MD5/i'
> Thu Jun 10 09:37:14 2004: DEBUG: Rewrote user name to ziaul
> Thu Jun 10 09:37:14 2004: DEBUG:  Adding session for ziaul at md5, 132.163.5.31, 60402
> Thu Jun 10 09:37:14 2004: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='132.163.5.31' and NASPORT=60402 and ACCTSESSIONID='Thu Jun 10 2004, 09:37:13  9000'':
>
> Thu Jun 10 09:37:14 2004: DEBUG: do query is: 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('ziaul at md5', '132.163.5.31', 60402, 'Thu Jun 10 2004, 09:37:13  9000', 1086881834, '', 'Ethernet', '')':
>
> Thu Jun 10 09:37:14 2004: ERR: do failed for 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('ziaul at md5', '132.163.5.31', 60402, 'Thu Jun 10 2004, 09:37:13  9000', 1086881834, '', 'Ethernet', '')': Duplicate entry '132.163.5.31-60402' for key 1
> Thu Jun 10 09:37:14 2004: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 10 09:37:14 2004: DEBUG: Accounting accepted
> Thu Jun 10 09:37:14 2004: DEBUG: Packet dump:
> *** Sending to 132.163.5.31 port 2354 ....
> Code:       Accounting-Response
> Identifier: 3
> Authentic:  T*<186><2><140><207><128><190>o<185><226><x<232><221><178>
> Attributes:
>         Tunnel-Type = 1:VLAN
>         Tunnel-Medium-Type = 1:802
>         Tunnel-Private-Group-ID = 1:VLAN0252
>
> Thu Jun 10 09:37:51 2004: DEBUG: Packet dump:
> *** Received from 132.163.5.31 port 2354 ....
> Code:       Accounting-Request
> Identifier: 4
> Authentic:  a<9>H<209><224><145><6><138>7s<214>T<10><166><223><208>
> Attributes:
>         User-Name = "ziaul at md5"
>         NAS-IP-Address = 132.163.5.31
>         NAS-Port = 60402
>         Calling-Station-Id = "00-10-a4-bb-aa-9c"
>         NAS-Port-Type = Ethernet
>         Acct-Status-Type = Stop
>         Acct-Authentic = RADIUS
>         Acct-Terminate-Cause = Port-Error
>         Acct-Session-Id = "Thu Jun 10 2004, 09:37:49  1773"
>
> Thu Jun 10 09:37:51 2004: DEBUG: Rewrote user name to ziaul at md5
> Thu Jun 10 09:37:51 2004: DEBUG: Handling request with Handler 'Realm = /MD5/i'
> Thu Jun 10 09:37:51 2004: DEBUG: Rewrote user name to ziaul
> Thu Jun 10 09:37:51 2004: DEBUG:  Deleting session for ziaul at md5, 132.163.5.31, 60402
> Thu Jun 10 09:37:51 2004: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='132.163.5.31' and NASPORT=60402 and ACCTSESSIONID='Thu Jun 10 2004, 09:37:49  1773'':
>
> Thu Jun 10 09:37:51 2004: DEBUG: Handling with Radius::AuthFILE:
> Thu Jun 10 09:37:51 2004: DEBUG: Accounting accepted
> Thu Jun 10 09:37:51 2004: DEBUG: Packet dump:
> *** Sending to 132.163.5.31 port 2354 ....
> Code:       Accounting-Response
> Identifier: 4
> Authentic:  a<9>H<209><224><145><6><138>7s<214>T<10><166><223><208>
> Attributes:
>         Tunnel-Type = 1:VLAN
>         Tunnel-Medium-Type = 1:802
>         Tunnel-Private-Group-ID = 1:VLAN0252
>
>
>
>> -----Original Message-----
>> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
>> Behalf Of Hugh Irvine
>> Sent: Thursday, June 10, 2004 9:20 AM
>> To: Terry Simons
>> Cc: 'radiator at open.com.au'
>> Subject: Re: (RADIATOR) 802.1X Authenticators - Common Accounting
>> Problems
>>
>>
>>
>> Hello Terry -
>>
>> Excellent work - thanks for sharing it! I agree with all your
>> assertions.
>>
>> Another point that I would make is that some wireless vendors do not do
>> accounting at all, and this should be considered unacceptable.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 10 Jun 2004, at 08:23, Terry Simons wrote:
>>
>>> Hi all,
>>>
>>> I have drafted an initial (small) document subset that is going to be
>>> incorporated into the University of Utah 802.1X Authenticator decision
>>> making Best Practices.  This document will be our official test
>>> outline for 802.1X purchases, and I thought I should probably share
>>> this piece with everybody, since it affects more than just our
>>> university.
>>>
>>> Hugh & Mike, I would be especially grateful if the two of you would
>>> read over my document and correct any RADIUS mistakes, or tell me if
>>> you think I left anything out, or maybe if I am incorrect in my
>>> assumptions about something.
>>>
>>> I would also like input from other entities that have deployed 802.1X,
>>> or are considering deploying 802.1X.  This document addresses the
>>> biggest concerns I have with 802.1X authenticators right now, and the
>>> more vendors I test, the more I am concerned.  Nobody seems to have
>>> gotten it right, and I want to know if others think that maybe I have.
>>> ;)
>>>
>>> Anyway... here is the document.
>>>
>>> Thanks!
>>>
>>> - Terry
>>>
>>> <802.1X Authenticators and RADIUS Accounting.rtf>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>

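Worked example, added by the editor and not part of the thread or of Radiator itself: the script below takes a Radiator-style trace of Accounting-Request attribute blocks and flags the three authenticator defects the thread describes (Acct-Session-Id that changes between Start and Stop, Acct-Session-Id that is really the client MAC, and Stop records without Calling/Called-Station-Id). It then replays the same records against a model of a RADONLINE-style session table with a unique key on (NAS, port), where rows are only deleted when NAS, port and Acct-Session-Id all match, following the delete/insert queries visible in Michael's trace. The sample trace, the 192.0.2.x NAS addresses and the user names are constructed for this example; the table model is an illustration, not Radiator's SessionDatabase code.

```python
"""Audit 802.1X RADIUS accounting Start/Stop pairs for the authenticator
defects discussed in this thread, and replay them against a session table
keyed on (NAS, port) to show why a changing Acct-Session-Id leaves stale rows.
The trace below is constructed for this example, not copied from the list."""
import re

SAMPLE_TRACE = """\
Attributes:
        User-Name = "alice at example.edu"
        NAS-IP-Address = 192.0.2.10
        NAS-Port = 60402
        Calling-Station-Id = "00-10-a4-bb-aa-9c"
        Acct-Status-Type = Start
        Acct-Session-Id = "Thu Jun 10 2004, 09:37:13  9000"
Attributes:
        User-Name = "alice at example.edu"
        NAS-IP-Address = 192.0.2.10
        NAS-Port = 60402
        Calling-Station-Id = "00-10-a4-bb-aa-9c"
        Acct-Status-Type = Stop
        Acct-Session-Id = "Thu Jun 10 2004, 09:37:49  1773"
Attributes:
        User-Name = "bob at example.edu"
        Acct-Session-Id = "00-d0-b7-20-e2-6e"
        NAS-IP-Address = 192.0.2.20
        NAS-Port = 9
        Acct-Status-Type = Start
Attributes:
        User-Name = "bob at example.edu"
        Acct-Session-Id = "00-d0-b7-20-e2-6e"
        NAS-IP-Address = 192.0.2.20
        NAS-Port = 9
        Acct-Status-Type = Stop
"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')
MAC_RE = re.compile(r'^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}$', re.I)


def parse_records(trace):
    """One dict per 'Attributes:' block; only indented 'name = value' lines
    count as attributes, and a blank line closes the current block."""
    records, current = [], None
    for line in trace.splitlines():
        if line.strip() == "Attributes:":
            current = {}
            records.append(current)
        elif current is not None and not line.strip():
            current = None
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return records


def audit(records):
    """Return (nas, port, problem) findings for the defects named in the thread."""
    findings, open_sessions = [], {}
    for rec in records:
        key = (rec.get("NAS-IP-Address"), rec.get("NAS-Port"))
        sid, status = rec.get("Acct-Session-Id", ""), rec.get("Acct-Status-Type")
        if status == "Start":
            if MAC_RE.match(sid):  # Proxim-style: the client MAC is not unique per session
                findings.append((*key, "Acct-Session-Id is a MAC address: %r" % sid))
            if key in open_sessions:
                findings.append((*key, "Start without preceding Stop"))
            open_sessions[key] = rec
        elif status == "Stop":
            start = open_sessions.pop(key, None)
            if start is None:
                findings.append((*key, "Stop without matching Start"))
            elif start.get("Acct-Session-Id", "") != sid:  # CatOS-style: RFC 2866 wants the same id on Start and Stop
                findings.append((*key, "Acct-Session-Id changed: %r -> %r" % (start.get("Acct-Session-Id", ""), sid)))
            for attr in ("Calling-Station-Id", "Called-Station-Id"):
                if attr not in rec:
                    findings.append((*key, "Stop lacks " + attr))
    findings += [(*key, "Start without matching Stop") for key in open_sessions]
    return findings


def replay_online_table(records):
    """Model (assumption, not Radiator's code) of a RADONLINE-style table: unique key
    on (NAS, port); a row is deleted only when NAS, port AND Acct-Session-Id all match,
    as the queries in the trace do. Returns (rows left, duplicate-key insert failures)."""
    table, duplicates = {}, 0
    for rec in records:
        key = (rec.get("NAS-IP-Address"), rec.get("NAS-Port"))
        sid = rec.get("Acct-Session-Id")
        if key in table and table[key] == sid:  # delete ... where NASIDENTIFIER, NASPORT and ACCTSESSIONID match
            del table[key]
        if rec.get("Acct-Status-Type") == "Start":
            if key in table:  # insert hits the unique key: "Duplicate entry", stale row stays
                duplicates += 1
            else:
                table[key] = sid
    return table, duplicates
```

On the constructed trace, audit() reports the changed Acct-Session-Id and the missing Called-Station-Id for the CatOS-style pair, and the MAC-address session id plus missing Calling/Called-Station-Id for the Proxim-style pair. replay_online_table() leaves the CatOS-style Start row behind because the Stop's session id never matched it; a further Start on the same NAS port then fails with a duplicate key, which is the ERR line in Michael's trace. Until the authenticator is fixed, the practical workaround is to key the online table on NAS and port alone rather than on the session id.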