Yessir- so noted, and highlighted in TAC case notes as it's just too precise and repetitive to not have meaning.
Lee

-----Original Message-----
From: Max Garcia [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 13, 2008 10:21 AM
To: Lee H Badman; The EDUCAUSE Wireless Issues Constituent Group Listserv
Cc: [EMAIL PROTECTED]
Subject: RE: [WIRELESS-LAN] Multiple RADIUS accounting "starts" for same client

One thing we noticed but didn't mention because we had no idea what it means or how it could be related, is that when the 5 starts come through, they are exactly 7 seconds apart, which sounds like a timeout, resend, reset kinda thing. But we couldn't see why.

________________________________
From: Lee H Badman [mailto:[EMAIL PROTECTED]]
Sent: Fri 6/13/2008 10:04 AM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Cc: Max Garcia; [EMAIL PROTECTED]
Subject: RE: [WIRELESS-LAN] Multiple RADIUS accounting "starts" for same client

Curious. To back up, this is meaningful to us not just as a curiosity, but we are using the accounting starts as a trigger to a process, and the multiple successive starts are causing a bit of noise pollution.

I started reviewing the RADIUS Accounting RFC: http://www.ietf.org/rfc/rfc2866.txt

Some nuggets I get from this (and would welcome someone who is smarter on this to correct me)-

- It seems that any "service" started and stopped for a client- like perhaps outer/inner auth mechanisms- should each have their own start and stop. Perhaps this explains some of the seeming duplicates?
- These services have an accounting field, but all I see are two dots- like some service is generating a start or stop, but can't be identified in our ACS (if we could see named services, it might help shed light)
- There is the concept of multi-linked sessions, where each link has a start and eventual stop, but I have no idea if this could be relevant in this case- I just enabled the field for multi-links and will see if this starts to populate

So I can start to get a very fuzzy picture of "OK, maybe multiple starts and stops for the same client in RADIUS accounting might be explained". But the fact that the Framed IP Address is off on another network/VLAN and "foreign" controllers are being named as NAS on some of these records has me thinking that perhaps there is LWAPP voodoo afoot... (maybe).

No theories back from TAC yet.

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Hector J Rios
Sent: Friday, June 13, 2008 9:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Multiple RADIUS accounting "starts" for same client

We do run PEAP w/MS-CHAPv2. We support all supplicants. And we do see the issue on both Windows and Macs. I've checked one or two Linux users and so far they look consistent.

Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Lee H Badman
Sent: Friday, June 13, 2008 8:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Multiple RADIUS accounting "starts" for same client

Hector (and Stephen) -

Are you both running PEAP w/ MS-CHAP v2? And do you force the use of any one supplicant (like Windows or Odyssey)?

And for what it's worth, I'm seeing this on Windows and Mac- but not all clients.

Lee

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Hector J Rios
Sent: Thursday, June 12, 2008 9:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Multiple RADIUS accounting "starts" for same client

Lee,

Just to let you know, we are running version 4.1 and have seen the same thing. I'd be interested to hear what TAC has to say.

Hector
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Lee H Badman
Sent: Thursday, June 12, 2008 3:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Multiple RADIUS accounting "starts" for same client

Here's a weird one- wondering if anyone else may have experienced the same using LWAPP, WiSMs, 802.1x, and Cisco ACS.

RADIUS Accounting log sample:

                                          Client Calling ID                                          Framed IP Address    Controller
6/10/2008 10:43:03  User1  Default Group  128.230.190.150  Start  484e92f6/00:17:f2:ef:21:a8/480066  128.230.85.69    29  10.21.0.21
6/10/2008 10:43:10  User1  Default Group  128.230.190.150  Start  484e92f6/00:17:f2:ef:21:a8/480066  128.230.193.201  29  10.21.0.21
6/10/2008 10:43:17  User1  Default Group  128.230.190.150  Start  484e92f6/00:17:f2:ef:21:a8/480066  128.230.106.64   29  10.21.0.43
6/10/2008 10:43:24  User1  Default Group  128.230.190.150  Start  484e92f6/00:17:f2:ef:21:a8/480066  128.230.45.246   29  10.21.0.41
6/10/2008 10:43:31  User1  Default Group  128.230.190.150  Start  484e92f6/00:17:f2:ef:21:a8/480066  128.230.195.59   29  10.21.0.23
6/10/2008 10:43:38  User1  Default Group  128.230.190.150  Start  484e92f6/00:17:f2:ef:21:a8/480066  128.230.149.78   29  10.21.0.29

Single user, multiple RADIUS starts reported, seven seconds apart. User IP (client calling ID) not matching Framed IP Address- and controllers that have APs that can't possibly be within client earshot all claiming to forward the RADIUS logging...

If you look at the end column, it shows what controller is sending the RADIUS start. In this case, 6 different controllers are sending a "start". In the framed IP address column, there is no real-world indication that those addresses are being used in any shape or form- and many of them are on a different network than the user address in the Client Calling ID space. Sorta feels like corrupt data being reported.

We are seeing this frequently enough to be noteworthy- but clients are sailing through the authentication process with absolutely no trouble or signs of behind-the-scenes weirdness.

Have opened a TAC case- but thought I'd float this to the group. (I can't tie this to any of the 150+ open caveats on the WiSMs).

Thanks-

Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
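
The thread mentions using accounting starts as a trigger for another process. The following is an added example, not code from any participant: it collapses repeated Start records to one trigger per session and reports how many controllers sent them and at what spacing. It assumes the slash-separated field is the Acct-Session-Id (which RFC 2866 uses to match a start with its stop) and that the last field is the reporting controller; the rows are copied from the log sample in the original post.

```python
from datetime import datetime

# Rows copied from the log sample in the original post.
SAMPLE_LOG = """\
6/10/2008 10:43:03 User1 Default Group 128.230.190.150 Start 484e92f6/00:17:f2:ef:21:a8/480066 128.230.85.69 29 10.21.0.21
6/10/2008 10:43:10 User1 Default Group 128.230.190.150 Start 484e92f6/00:17:f2:ef:21:a8/480066 128.230.193.201 29 10.21.0.21
6/10/2008 10:43:17 User1 Default Group 128.230.190.150 Start 484e92f6/00:17:f2:ef:21:a8/480066 128.230.106.64 29 10.21.0.43
6/10/2008 10:43:24 User1 Default Group 128.230.190.150 Start 484e92f6/00:17:f2:ef:21:a8/480066 128.230.45.246 29 10.21.0.41
6/10/2008 10:43:31 User1 Default Group 128.230.190.150 Start 484e92f6/00:17:f2:ef:21:a8/480066 128.230.195.59 29 10.21.0.23
6/10/2008 10:43:38 User1 Default Group 128.230.190.150 Start 484e92f6/00:17:f2:ef:21:a8/480066 128.230.149.78 29 10.21.0.29
"""

def parse_line(line):
    """Split one row. Assumes the sample's layout, including a two-word group name."""
    f = line.split()
    return {
        "ts": datetime.strptime(f[0] + " " + f[1], "%m/%d/%Y %H:%M:%S"),
        "user": f[2],
        "calling_id": f[5],
        "type": f[6],
        "session_id": f[7],   # assumed to be Acct-Session-Id
        "framed_ip": f[8],
        "nas_ip": f[-1],      # assumed to be the reporting controller
    }

def collapse_starts(lines):
    """Return one report entry per session: the first Start plus duplicate statistics."""
    sessions = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["type"] != "Start":
            continue
        s = sessions.setdefault(rec["session_id"], {"first": rec, "nas": set(), "times": []})
        s["nas"].add(rec["nas_ip"])
        s["times"].append(rec["ts"])
    report = []
    for sid, s in sessions.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(s["times"], s["times"][1:])]
        report.append({
            "session_id": sid,
            "trigger": s["first"],               # fire the downstream process once, on this
            "suppressed": len(s["times"]) - 1,   # repeated Starts that were dropped
            "nas_count": len(s["nas"]),          # distinct controllers reporting the session
            "gaps": gaps,
            "fixed_interval": len(set(gaps)) == 1,
        })
    return report
```

A session with more than one reporting controller or a fixed gap between Starts is worth attaching to a vendor case, since neither shows up when only the first record is acted on.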