Re: (RADIATOR) Accounting requests and online sessions.

Thu, 13 Jan 2000 12:30:48 -0800 

Hola Antonio,

Antonio Coloma wrote:
> 
>             Hi everybody,
> 
>             We have detected that a session is added to the
> DatabaseSession only when Radiator gets an Start accounting-request, not
> when it receives an Access Request and this request is accepted. Why?
> Shouldn't add to session database when user is accepted?

Accepting an Access Request is not a warranty of a started session, and this is
because in Radius there isn't a clear difference between authentication and
authorization phases. The information that NAS will use for some authorization
check is received in the Radius Access Request ACK, and with this information
NAS can deny the access because an authorization fault.

A very common example: NAS sends access-request after LCP authentication ( pap,
chap or ms-chap ), but before IPCP negotiation. Radius server acks this
user-password and includes peer IP address information in the packet. This isn't
authentication information, it's authorization info. In this moment NAS starts
IPCP negotiation, but if there is no agree about the peer ip address negotiated,
it's considered an authorization error and the user refused, and the session has
never started. The only thing that NAS can do in this situation is to send an
Stop-without-previous-Start accounting record for the Radius server information.
This stop-without-start accounting record is VERY important for Radius server if
the server is managing ip address pools or it can't free the asigned ip address
for the failed session.

>             What happens If the start accounting-request arrives later
> than the stop accounting request?
> 

I suppose this is a intrinsic danger of Radius stateless orientation. :(

F�lix
 
______________________________________________________________________
DATAGRAMA SERVICIOS GLOBALES IP
C/ Acer 30                                       Pho: +34 93 223 00 98
08038 Barcelona ( SPAIN )                        Fax: +34 93 223 12 66
mailto:[EMAIL PROTECTED]               http://www.datagrama.net
______________________________________________________________________

�
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.

Reply via email to