Discussion:
Accounting response with attributes
Chandan Kumar
2015-01-14 17:23:34 UTC
Hello All,

I am using FreeRADIUS Version 3.0.4 on Linux (CentOS 6).

I have a question regarding how I can force the RADIUS server to add all
attribute information into the accounting response message. The accounting
section of my site-available/default is as below.

accounting {

detail
unix
-sql
exec
}

I have customized the pam_radius_auth.so module to send Accounting
request messages that include more attributes such as
Acct-Terminate-Cause, Acct-Link-Count, Acct-Authentic etc., and I am expecting
a response from the server with attribute [with reason code] at the end of the
accounting [at the STOP message]. However, in all cases I am only
getting a response message with code, identifier, length=20 and
response-authenticator.

I am wondering whether there is any configuration parameter that I am missing,
or whether it is not supported at all in this version of FreeRADIUS, as the RFC
does not make it mandatory. Quoting the RFC: "A RADIUS Accounting-Response is not
required to have any attributes in it."

Thanks
Chandan

Alan DeKok
2015-01-14 17:41:59 UTC
> I have a question regarding how can I force radius server to add all attribute information into accounting response message.
Accounting-Response packets aren’t allowed to have any attributes in them.
> I have customized the pam_radius_auth.so module to send Accounting request messages to include more attributes such as Acct-Terminate-Cause, Acct-Link-Count, Acct-Authentic etc and expecting response from server with attribute [with reason code] at the end of the accounting [at the STOP message]. However, in all cases I am only getting response message with code, identifier, length=20 and response-authenticator.
Did you tell FreeRADIUS to add attributes to the response?

Alan DeKok.

Chandan Kumar
2015-01-14 17:52:18 UTC
Thanks for your prompt response. Please find my in-line reply.
Post by Alan DeKok
>> I have a question regarding how can I force radius server to add all attribute information into accounting response message.
> Accounting-Response packets aren’t allowed to have any attributes in them.
>> I have customized the pam_radius_auth.so module to send Accounting request messages to include more attributes such as Acct-Terminate-Cause, Acct-Link-Count, Acct-Authentic etc and expecting response from server with attribute [with reason code] at the end of the accounting [at the STOP message]. However, in all cases I am only getting response message with code, identifier, length=20 and response-authenticator.
> Did you tell FreeRADIUS to add attributes to the response?
I am not sure about that. I am adding attributes in the start and stop
messages [from the Linux client]. How do I tell FreeRADIUS to add attributes to
the response?
Peter Lambrechtsen
2015-01-14 18:48:15 UTC
There is an Ericsson element manager SO-EM that for whatever stupid reason
needs the accounting response to include the profile for the user. The
accounting request includes the username and the response needs to include
the profile assigned to the user in the response. I had endless arguments
with the developers of the product saying they were doing it wrong. But got
nowhere.

So instead I used the files module to return the required VSAs in the
accounting response.

It still bugs me I had to do it. But that's the way they decided to
implement their app.
Alan DeKok
2015-01-14 18:54:02 UTC
Post by Peter Lambrechtsen
> There is an Ericsson element manager SO-EM that for whatever stupid reason
> needs the accounting response to include the profile for the user. The
> accounting request includes the username and the response needs to include
> the profile assigned to the user in the response. I had endless arguments
> with the developers of the product saying they were doing it wrong. But got
> nowhere.
Next time include me in the conversation. I’ll pull rank as the resident RADIUS expert. I’ve written multiple RADIUS standards on how to do things “the RADIUS way”.

And putting *authorization* data into an *accounting* packet is stupid. It means they don’t understand how RADIUS works. And worse, they don’t care.

Alan DeKok.

Alan DeKok
2015-01-14 18:52:02 UTC
Post by Alan DeKok
>> Did you tell FreeRADIUS to add attributes to the response?
> I am not sure about that. I am adding attributes in the start and stop message[from Linux client]. How to tell FreeRADIUS to add attributes to the response?
The server contains lots of documentation on how to do that. See “man unlang”, or the hundreds of examples in the configuration files.

Alan DeKok.

Chandan Kumar
2015-01-14 19:47:52 UTC
Post by Alan DeKok
>>> Did you tell FreeRADIUS to add attributes to the response?
>> I am not sure about that. I am adding attributes in the start and stop message[from Linux client]. How to tell FreeRADIUS to add attributes to the response?
> The server contains lots of documentation on how to do that. See “man unlang”, or the hundreds of examples in the configuration files.
Thanks, I will browse through the examples and see if I could get it
to work. Moreover, I was looking through old archive emails related to
"accounting response" and I found that you repeatedly mentioned that
sending attribute values in accounting response is not a good idea [for
compatibility purpose] even though RFC does not specifically bar it.
Being a novice in RADIUS I am not aware of other ways to pull this
information [such as Acct-Terminate-Cause (with reason
code), Acct-Session-Time and other attribute values] from the FreeRADIUS
server, if I want to make my Linux client (NAS) to be compatible across
different RADIUS servers [FreeRADIUS and other RADIUS servers]
Alan DeKok
2015-01-14 20:31:30 UTC
> Thanks, I will browse through the examples and see if I could get it to work. Moreover, I was looking through old archive emails related to "accounting response" and I found that you repeatedly mentioned that sending attribute values in accounting response is not a good idea [for compatibility purpose] even though RFC does not specifically bar it.
RFC 2866 says:

5.13. Table of Attributes

The following table provides a guide to which attributes may be found
in Accounting-Request packets. No attributes should be found in
Accounting-Response packets except Proxy-State and possibly Vendor-
Specific.

So that’s pretty clear.
> Being a novice in RADIUS I am not aware of other ways to pull this information [such as Acct-Terminate-Cause (with reason code), Acct-Session-Time and other attribute values] from the FreeRADIUS server,
I have no idea what that means.

You don’t “pull” any attributes from the server. The NAS sends attributes to the server, and the server processes them. Most attributes such as Acct-Session-Time belong in the Accounting-Request packet. There is NO REASON for them to exist in an Accounting-Response packet. They will have NO MEANING in that packet.

I have to ask.. why do you need these attributes in the Accounting-Response? What will the NAS do with them?
> if I want to make my Linux client (NAS) to be compatible across different RADIUS servers [FreeRADIUS and other RADIUS servers]
PLEASE don’t write your own RADIUS client. It’s a terrible idea. Use freeradius-client:

https://github.com/FreeRADIUS/freeradius-client/

I also have no idea what you mean by “compatible across different RADIUS servers”. RADIUS servers don’t send attributes in Accounting-Response packets. If your NAS requires that, your NAS is wrong, and it WILL NOT be compatible with any RADIUS server.

I really can’t make this any clearer. Putting attributes into Accounting-Response packets is *completely wrong*. There is no reason to *ever* do it.

Please explain WHY you’re doing this. And what the NAS is doing with those attributes. Odds are that your assumptions about RADIUS are wrong. And as a result, your implementation is wrong, too.

Alan DeKok.
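
Added example, not part of the original thread or of FreeRADIUS: a client-side check of an Accounting-Response that verifies the Response Authenticator as defined in RFC 2866 and reports any attribute other than Proxy-State (33) or Vendor-Specific (26), per the section 5.13 text quoted above. The shared secret, Request Authenticator and packets are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_RESPONSE = 5
# RFC 2866 section 5.13: only these may appear in an Accounting-Response.
ALLOWED_TYPES = {33: "Proxy-State", 26: "Vendor-Specific"}


def response_authenticator(header, request_auth, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + Request Authenticator
    #               + Response Attributes + Shared Secret)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(ident, request_auth, secret, attrs=b""):
    """Build a sample Accounting-Response (used only to make test input)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, 20 + len(attrs))
    return header + response_authenticator(header, request_auth, attrs, secret) + attrs


def check_response(packet, request_auth, secret):
    """Return (authenticator_ok, [unexpected attribute types])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_RESPONSE or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Response")
    header, received, attrs = packet[:4], packet[4:20], packet[20:length]
    expected = response_authenticator(header, request_auth, attrs, secret)
    unexpected, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        if attr_type not in ALLOWED_TYPES:
            unexpected.append(attr_type)
        pos += attr_len
    return hmac.compare_digest(expected, received), unexpected


# Constructed sample values, not taken from the thread.
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-secret"
BARE = build_response(7, REQUEST_AUTH, SECRET)
WITH_SESSION_TIME = build_response(  # Acct-Session-Time (46) = 3600
    7, REQUEST_AUTH, SECRET, bytes([46, 6]) + struct.pack("!I", 3600))
```

The bare 20-byte response is what the original poster observed (code, identifier, length=20, authenticator); the second packet is the kind of response the RFC text says should not occur.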

Chandan Kumar
2015-01-14 20:49:54 UTC
Post by Alan DeKok
>> Thanks, I will browse through the examples and see if I could get it to work. Moreover, I was looking through old archive emails related to "accounting response" and I found that you repeatedly mentioned that sending attribute values in accounting response is not a good idea [for compatibility purpose] even though RFC does not specifically bar it.
> 5.13. Table of Attributes
> The following table provides a guide to which attributes may be found
> in Accounting-Request packets. No attributes should be found in
> Accounting-Response packets except Proxy-State and possibly Vendor-
> Specific.
> So that’s pretty clear.
>> Being a novice in RADIUS I am not aware of other ways to pull this information [such as Acct-Terminate-Cause (with reason code), Acct-Session-Time and other attribute values] from the FreeRADIUS server,
> I have no idea what that means.
> You don’t “pull” any attributes from the server. The NAS sends attributes to the server, and the server processes them. Most attributes such as Acct-Session-Time belong in the Accounting-Request packet. There is NO REASON for them to exist in an Accounting-Response packet. They will have NO MEANING in that packet.
> I have to ask.. why do you need these attributes in the Accounting-Response? What will the NAS do with them?
I am looking for a way to have the Accounting/Billing information [such
as session time, reason for disconnection, packet transferred etc ]
available at the NAS (Linux Client).
Post by Alan DeKok
>> if I want to make my Linux client (NAS) to be compatible across different RADIUS servers [FreeRADIUS and other RADIUS servers]
> https://github.com/FreeRADIUS/freeradius-client/
Thanks. I am using pam_radius_auth.so module. I will also explore
"freeradius-client".
Post by Alan DeKok
> I also have no idea what you mean by “compatible across different RADIUS servers”. RADIUS servers don’t send attributes in Accounting-Response packets. If your NAS requires that, your NAS is wrong, and it WILL NOT be compatible with any RADIUS server.
> I really can’t make this any clearer. Putting attributes into Accounting-Response packets is *completely wrong*. There is no reason to *ever* do it.
> Please explain WHY you’re doing this. And what the NAS is doing with those attributes. Odds are that your assumptions about RADIUS are wrong. And as a result, your implementation is wrong, too.
Basically all accounting information is available on the RADIUS server,
I am looking for a way if I could make those accounting information
[session time, reason for disconnection, packet transferred etc]
available at the NAS (Linux client). Including vendor specific
attributes if available.
Alan DeKok
2015-01-14 21:01:09 UTC
> I am looking for a way to have the Accounting/Billing information [such as session time, reason for disconnection, packet transferred etc ] available at the NAS (Linux Client).
That statement makes no sense.

The NAS is supposed to track that information, and send it to the RADIUS server. There is NO WAY for the RADIUS server to invent that information, and send it to the NAS.
> Thanks. I am using pam_radius_auth.so module. I will also explore "freeradius-client".
The pam_radius_auth code should be used for PAM. It’s fine.
> Basically all accounting information is available on the RADIUS server, I am looking for a way if I could make those accounting information [session time, reason for disconnection, packet transferred etc] available at the NAS (Linux client). Including vendor specific attributes if available.
No. Don’t do this. It’s a TERRIBLE idea. And it won’t work with pam_radius_auth. The pam_radius_auth module is called ONLY when the user logs in. And when the user logs in… he has no accounting data.

If you want to reject the user because he’s used too much data, implement that in FreeRADIUS. The server has all of that information, and you can easily create policies there.

Doing this in the NAS is *completely wrong*.

Alan DeKok.

Chandan Kumar
2015-01-14 21:26:18 UTC
Post by Alan DeKok
>> I am looking for a way to have the Accounting/Billing information [such as session time, reason for disconnection, packet transferred etc ] available at the NAS (Linux Client).
> That statement makes no sense.
> The NAS is supposed to track that information, and send it to the RADIUS server. There is NO WAY for the RADIUS server to invent that information, and send it to the NAS.
Got it.
Post by Alan DeKok
>> Thanks. I am using pam_radius_auth.so module. I will also explore "freeradius-client".
> The pam_radius_auth code should be used for PAM. It’s fine.
>> Basically all accounting information is available on the RADIUS server, I am looking for a way if I could make those accounting information [session time, reason for disconnection, packet transferred etc] available at the NAS (Linux client). Including vendor specific attributes if available.
> No. Don’t do this. It’s a TERRIBLE idea. And it won’t work with pam_radius_auth. The pam_radius_auth module is called ONLY when the user logs in. And when the user logs in… he has no accounting data.
> If you want to reject the user because he’s used too much data, implement that in FreeRADIUS. The server has all of that information, and you can easily create policies there.
> Doing this in the NAS is *completely wrong*.
Makes sense. Thanks for your patience and prompt response, it was really
helpful. So basically I won't change the pam_radius_auth at all for
accounting related changes [I will use it only for authentication],
rather if required will use the radius client for accounting related
activities to keep the implementation [application] clean. Moreover, will
write policies, if required, at the FreeRADIUS server side to Accept/Reject.