4.5 Accounting-specific Attributes
In the following section,
I'll cover the
attributes of the global RADIUS space that are specific to the
accounting phase of an AAA transaction. Much like in Chapter 3, each of the current 12 accounting-specific
attributes will be a separate tidbit of information, including an
at-a-glance properties chart and a short discussion of key points and
important considerations. Again, Appendix A is
a chart of the entire global RADIUS attribute list, covering all
phases of the AAA model, and should serve as a useful quick
reference.
Acct-Status-Type
  Attribute Number:    40
  Length:              6
  Value:               ENUM
  Allowed in:          Accounting-Request
  Prohibited in:       Accounting-Response
  Presence in Packet:  Required
  Maximum Iterations:  1
This attribute indicates whether the Accounting-Request marks the
beginning of a user's service (Start, sent once the user has
authenticated and connected to the network) or its end (Stop, sent
when the user finishes using the service and disconnects). It is also
used to bracket accounting around maintenance of the RADIUS client
itself: Accounting-On is sent when the client begins accounting (for
example after a reboot) and Accounting-Off when it stops, and a server
that receives either typically closes out every session it still has
open for that client. Note that when RADIUS client gear crashes, stop
records in general are not sent to the accounting server, so the
server is left with open sessions whose end time and traffic counts it
never learns. Obviously, this has the potential to mess up accounting
data, and a crashed client is not all that uncommon. Value codes 1
through 15 are defined or reserved, as listed in Table 4-1; codes 4
through 6 are not assigned by RFC 2866.
Table 4-1. Values for the Acct-Status-Type attribute
  Value   Meaning
  1       Start
  2       Stop
  3       Interim-Update
  7       Accounting-On
  8       Accounting-Off
  9-14    Reserved; used for tunnel accounting
  15      Reserved; used for failed attempts
Acct-Delay-Time
  Attribute Number:    41
  Length:              6
  Value:               INTEGER
  Allowed in:          Accounting-Request
  Prohibited in:       Accounting-Response
  Presence in Packet:  Not required
  Maximum Iterations:  1
The Acct-Delay-Time attribute records how many seconds the client has
been trying to deliver this record to the accounting server. While its
significance may seem less than overwhelming at the outset, subtracting
this value from the time the packet arrives at the accounting server
gives the time of the request-generating event (a sign-on, sign-off,
termination, and so on). Network transit time is not factored into
this calculation. Note that the value is asserted by the client, so a
server that bills or audits by event time should sanity-check it rather
than accept an arbitrarily large delay at face value.
As I mentioned earlier, whenever the attributes of an accounting packet
change, the identifier associated with the packet must be changed as
well. This rule applies to this attribute specifically: when the
client updates the delay time before resending, it must generate a new
identifier for the new packet (and, because the Request Authenticator
is an MD5 hash over the whole packet and the shared secret, a new
authenticator follows from that). A resend with identical content, by
contrast, keeps the same identifier so that the server can recognize
it as a duplicate.
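As an added example (not code from the book, nor from any RADIUS implementation), the following Python builds an Accounting-Request carrying the attributes of this section, verifies it the way a server would, and resends it with an updated Acct-Delay-Time under a new identifier. The shared secret, user name, session ID and counters are constructed values, and the helper names are this example's own.

```python
# Added example (not code from the book or from RFC 2866): client and server
# side of a RADIUS Accounting-Request, showing how the attributes in this
# section are encoded, how the Request Authenticator protects a record, and
# why a resend with an updated Acct-Delay-Time needs a new Identifier.
import hashlib
import hmac
import struct

USER_NAME, ACCT_STATUS_TYPE, ACCT_DELAY_TIME = 1, 40, 41
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 42, 43, 44
ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 46, 49
CODE_ACCOUNTING_REQUEST, STATUS_STOP, CAUSE_USER_REQUEST = 4, 2, 1


def encode_attr(attr_type, value):
    """Type, Length, Value. INTEGER/ENUM values are 4 octets big-endian;
    STRING values (User-Name, Acct-Session-Id) are UTF-8 bytes."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode("utf-8")
    if not 1 <= len(payload) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(payload) + 2]) + payload


def parse_attrs(body):
    """Walk the attribute area, rejecting truncated or overlapping TLVs."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_accounting_request(identifier, attrs, secret):
    """Client side. Request Authenticator = MD5(Code + Identifier + Length +
    16 zero octets + attributes + shared secret) (RFC 2866 section 3)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_accounting_request(packet, secret):
    """Server side. Recompute the Request Authenticator; a mismatch means a
    forged or corrupted record, which the server must silently discard.
    Returns (identifier, request_authenticator, [(type, raw_value), ...])."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("bad code or length")
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        raise ValueError("Request Authenticator mismatch")
    return identifier, authenticator, parse_attrs(body)


def accepts(packet, secret):
    """True if the server side would accept the packet, False if it would drop it."""
    try:
        verify_accounting_request(packet, secret)
        return True
    except ValueError:
        return False


def retransmit_with_delay(identifier, attrs, secret, delay_seconds):
    """Client side. Updating Acct-Delay-Time changes the content, so the
    Identifier must change (the Authenticator changes with it); otherwise the
    server would treat the resend as a duplicate of the original packet."""
    new_attrs = [(t, v) for t, v in attrs if t != ACCT_DELAY_TIME]
    new_attrs.append((ACCT_DELAY_TIME, delay_seconds))
    new_id = (identifier + 1) % 256
    return new_id, build_accounting_request(new_id, new_attrs, secret)


def event_time(arrival_epoch, attrs):
    """Server side. Event time = arrival time minus Acct-Delay-Time; transit
    time is ignored. The delay is client-asserted, so sanity-check large values."""
    delay = next((int.from_bytes(v, "big") for t, v in attrs if t == ACCT_DELAY_TIME), 0)
    return arrival_epoch - delay


SECRET = b"example-shared-secret"   # constructed; never reuse in production
STOP_RECORD = [                     # constructed Stop record for one session
    (USER_NAME, "alice"),
    (ACCT_STATUS_TYPE, STATUS_STOP),
    (ACCT_SESSION_ID, "0A00001F"),
    (ACCT_SESSION_TIME, 3600),
    (ACCT_INPUT_OCTETS, 123456),
    (ACCT_OUTPUT_OCTETS, 654321),
    (ACCT_TERMINATE_CAUSE, CAUSE_USER_REQUEST),
    (ACCT_DELAY_TIME, 0),
]

if __name__ == "__main__":
    pkt = build_accounting_request(7, STOP_RECORD, SECRET)
    print("accepted:", accepts(pkt, SECRET), "tampered accepted:", accepts(pkt[:-1] + b"\x01", SECRET))
    new_id, resent = retransmit_with_delay(7, STOP_RECORD, SECRET, 30)
    print("resent id", new_id, "event time", event_time(1000, verify_accounting_request(resent, SECRET)[2]))
```

The tampered packet and the wrong-secret packet both fail `accepts`, which is the property that makes accounting records trustworthy at all: without the shared secret, a host on the path cannot forge a Stop record or alter a counter. The resend carries identifier 8 instead of 7 and a different authenticator, and the server recovers the event time as arrival time minus the 30-second delay.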
Acct-Input-Octets
  Attribute Number:    42
  Length:              6
  Value:               INTEGER
  Allowed in:          Accounting-Request (Stop or Interim-Update)
  Prohibited in:       Accounting-Response
  Presence in Packet:  Not required
  Maximum Iterations:  1
This attribute, which can be found only in Accounting-Request packets
with Acct-Status-Type set to code 2 (Stop) or to Interim-Update
(interim accounting is covered in Chapter 9), indicates the number of
octets the client has received from the user's port over the course of
the session. The counter is a 32-bit value and wraps at 4 GB; RFC 2869
adds Acct-Input-Gigawords (attribute 52) to carry the high-order bits
for sessions that exceed it.
Acct-Output-Octets
  Attribute Number:    43
  Length:              6
  Value:               INTEGER
  Allowed in:          Accounting-Request (Stop or Interim-Update)
  Prohibited in:       Accounting-Response
  Presence in Packet:  Not required
  Maximum Iterations:  1
The opposite of Acct-Input-Octets, this attribute indicates the number
of octets the client has sent to the user's port during the session.
Like Acct-Input-Octets it can be found only in Accounting-Request
packets with Acct-Status-Type set to code 2 (Stop) or, where interim
accounting is in use, Interim-Update, and it is subject to the same
32-bit wrap (Acct-Output-Gigawords, attribute 53, carries the
high-order bits).
Acct-Session-ID
  Attribute Number:    44
  Length:              3 or more octets
  Value:               STRING
  Allowed in:          Accounting-Request; Access-Request (optional)
  Prohibited in:       Accounting-Response
  Presence in Packet:  Required
  Maximum Iterations:  1
This attribute uniquely identifies a session so that accounting Start
and Stop records can be collated and recorded accurately. The rules
for where it may appear are:
- Accounting-Request packets must contain Acct-Session-ID.
- Access-Request packets may contain it. If they do, the RADIUS client
gear must use the same session ID in all packets pertaining to that
connection for the duration of the session, so that the
authentication and accounting records can be joined.
The RFC recommends that the session ID be a string of UTF-8 encoded
ISO 10646 characters. From RFC 2866: "For example, one implementation
uses a string with an 8-digit upper case hexadecimal number, [sic] the
first two digits increment on each reboot (wrapping every 256 reboots)
and the next 6 digits counting from 0 for the first person logging in
after a reboot up to 2^24-1, about 16 million. Other encodings are
possible."
In practice, however, RADIUS client equipment does not always send
unique Acct-Session-ID values. Many reuse these values across reboots,
which can make tracking a session in its entirety using accounting
data much more difficult: a late Stop record can be applied to the
wrong session, and a Start record can silently overwrite an earlier
one. The value is at best unique per client, so collate on the client
identity (NAS-IP-Address or NAS-Identifier) together with
Acct-Session-ID rather than on the session ID alone.
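As an added example (not from the book or the RFC), here is the session-ID scheme the RFC quotes, implemented in Python alongside a collator that matches Start and Stop records per client and flags the reuse problem. The record format (client name, session ID, status type, epoch time) and the sample records are constructed, and the class and function names are this example's own.

```python
# Added example (not from the book or RFC 2866): generate Acct-Session-Id
# values in the 8-hex-digit scheme RFC 2866 cites, and collate Start/Stop
# records while flagging IDs reused across reboots. The records below are
# constructed, not a real NAS log.

REBOOT_WRAP = 256        # two hex digits: reboot counter
SESSION_WRAP = 1 << 24   # six hex digits: per-boot session counter


class SessionIdGenerator:
    """Produces IDs like "0A00001F": "0A" reboots so far, "00001F" sessions
    since that reboot. Both counters wrap, which is exactly why the IDs are
    not unique forever."""

    def __init__(self, reboot_count=0):
        self.reboot_count = reboot_count % REBOOT_WRAP
        self.session_count = 0

    def reboot(self):
        self.reboot_count = (self.reboot_count + 1) % REBOOT_WRAP
        self.session_count = 0

    def next_id(self):
        sid = "%02X%06X" % (self.reboot_count, self.session_count)
        self.session_count = (self.session_count + 1) % SESSION_WRAP
        return sid


def collate(records):
    """records: (nas, acct_session_id, status_type, epoch_seconds) in arrival
    order. Keyed on (nas, session id) because uniqueness holds per client at
    best. Returns (sessions, problems); problems lists (kind, nas, session_id)
    for reused IDs, stray Stops and sessions that never received a Stop."""
    sessions, problems = {}, []
    for nas, sid, status, when in records:
        s = sessions.setdefault((nas, sid), {"start": None, "stop": None})
        if status == "Start":
            if s["start"] is not None:
                # Same NAS, same ID, second Start: the counter was reused
                # (typically after a reboot) or the Start was retransmitted.
                problems.append(("duplicate-start", nas, sid))
            s["start"] = when
        elif status == "Stop":
            if s["start"] is None:
                problems.append(("stop-without-start", nas, sid))
            if s["stop"] is not None:
                problems.append(("duplicate-stop", nas, sid))
            s["stop"] = when
    for (nas, sid), s in sessions.items():
        if s["start"] is not None and s["stop"] is None:
            # No Stop ever arrived: a crashed client, or the record was lost.
            problems.append(("open-session", nas, sid))
    return sessions, problems


def session_duration(sessions, nas, sid):
    """Seconds between Start and Stop, or None if the session is still open."""
    s = sessions.get((nas, sid))
    if s is None or s["start"] is None or s["stop"] is None:
        return None
    return s["stop"] - s["start"]


# Constructed records: nas1 reboots between epoch 200 and 300 and hands out
# "0A000000" again; nas2 uses the same ID without conflict.
SAMPLE_RECORDS = [
    ("nas1", "0A000000", "Start", 100),
    ("nas1", "0A000001", "Start", 105),
    ("nas2", "0A000000", "Start", 110),
    ("nas2", "0A000000", "Stop", 150),
    ("nas1", "0A000000", "Stop", 200),
    ("nas1", "0A000000", "Start", 300),
    ("nas1", "0A000000", "Stop", 400),
]

if __name__ == "__main__":
    gen = SessionIdGenerator(reboot_count=10)
    print(gen.next_id(), gen.next_id())
    sessions, problems = collate(SAMPLE_RECORDS)
    for problem in problems:
        print(*problem)
```

Run against the sample, the collator reports a duplicate Start and a duplicate Stop for nas1's reused "0A000000" and an open session for "0A000001", while nas2's identical ID is untouched because the key includes the client. The reused ID has already overwritten the first session's timestamps, which is the data loss the text warns about.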
Acct-Authentic
  Attribute Number:    45
  Length:              6
  Value:               ENUM
  Allowed in:          Accounting-Request
  Prohibited in:       Accounting-Response
  Presence in Packet:  Not required
  Maximum Iterations:  1
This optional attribute indicates the method with which the
user's declared identity was verified. There are
three possible values for this attribute, which are listed in Table 4-2.
Table 4-2. Values for the Acct-Authentic attribute
  Value   Meaning
  1       RADIUS
  2       Local
  3       Remote
The second value, "Local," signifies that the client verified the
user's identity of its own accord through an authentication method
other than RADIUS (a local user database, for instance); "Remote"
signifies that some other remote mechanism did so. In either case the
RADIUS server has no Access-Request or Access-Accept of its own to
pair with the accounting record, which can cause problems when matching
accounting data to authentication/authorization information: the
record describes a session the RADIUS server never authorized, and
such records deserve a second look when reviewing accounting logs.
Acct-Session-Time
  Attribute Number:    46
  Length:              6
  Value:               INTEGER
  Allowed in:          Accounting-Request (Stop or Interim-Update)
  Prohibited in:       Accounting-Response
  Presence in Packet:  Not required
  Maximum Iterations:  1
This attribute indicates the time in seconds that the user has
received service. It can be present only when the
Acct-Status-Type of the request packet is set to code 2 (Stop) or,
where interim accounting is in use, to Interim-Update, in which case
it gives the elapsed time so far.
Acct-Input-Packets
  Attribute Number:    47
  Length:              6
  Value:               INTEGER
  Allowed in:          Accounting-Request (Stop or Interim-Update)
  Prohibited in:       Accounting-Response
  Presence in Packet:  Not required
  Maximum Iterations:  1
This attribute, which can be found only in Accounting-Request packets
with Acct-Status-Type set to code 2 (Stop) and in interim accounting
updates, indicates the number of packets the RADIUS client has
received from the user's port over the course of the session. It
applies to framed users (PPP, for example), where the client sees
individual packets rather than a character stream.
Acct-Output-Packets
  Attribute Number:    48
  Length:              6
  Value:               INTEGER
  Allowed in:          Accounting-Request (Stop or Interim-Update)
  Prohibited in:       Accounting-Response
  Presence in Packet:  Not required
  Maximum Iterations:  1
The opposite of Acct-Input-Packets, this attribute, which can be found
only in Accounting-Request packets with Acct-Status-Type set to code 2
(Stop) and in interim accounting updates, indicates the number of
packets the client has sent to the user's port over the course of the
session. Like its counterpart it applies to framed users.
Acct-Terminate-Cause
  Attribute Number:    49
  Length:              6
  Value:               ENUM
  Allowed in:          Accounting-Request (Stop)
  Prohibited in:       Accounting-Response
  Presence in Packet:  Not required
  Maximum Iterations:  1
The Acct-Terminate-Cause attribute indicates the reason, where it is
known and applicable, that a user's session was ended. Like several of
the other accounting attributes, it is valid only in a request whose
Acct-Status-Type is set to Stop (code 2).
Listed in Table 4-3 are the 18 possible values for this attribute.
Table 4-3. Values for the Acct-Terminate-Cause attribute
  Value   Cause
  1       User Request
  2       Lost Carrier
  3       Lost Service
  4       Idle Timeout
  5       Session Timeout
  6       Admin Reset
  7       Admin Reboot
  8       Port Error
  9       NAS Error
  10      NAS Request
  11      NAS Reboot
  12      Port Unneeded
  13      Port Preempted
  14      Port Suspended
  15      Service Unavailable
  16      Callback
  17      User Error
  18      Host Request
Let's take a closer look at each of these termination causes:
- User Request: The user initiated the termination by logging off.
- Lost Carrier: DCD was dropped on the port.
- Lost Service: The service could no longer be provided; an interrupted
connection between the user and the host is the most likely cause.
- Idle Timeout: The configured idle limit for the connection was
reached.
- Session Timeout: The configured limit for the length of a single
session was reached.
- Admin Reset: The system administrator reset the port or the session.
- Admin Reboot: The system administrator is terminating all service on
a particular NAS, most likely immediately preceding a reboot.
- Port Error: The NAS encountered an error in the port; service could
not be continued.
- NAS Error: The NAS encountered an error somewhere other than in the
port; service could not be continued.
- NAS Request: The NAS ended the session for a nonadministrative reason
not covered by any of the other codes.
- NAS Reboot: The NAS "crashed" and rebooted nonadministratively (this
code is used almost exclusively for such restarts). Unfortunately,
this is not a reliable mechanism, as the signal is often not sent on a
reboot; a NAS that crashes rarely gets the chance to send Stop records
at all. Lobby your NAS manufacturer for a fix if your equipment is
affected by this.
- Port Unneeded: The NAS determined, for example through a
bandwidth-on-demand algorithm, that the port was no longer needed
because resource usage had fallen below its low-water mark.
- Port Preempted: The NAS ended the session in order to allocate the
port to a higher-priority use.
- Port Suspended: The NAS ended the session in order to suspend a
virtual session.
- Service Unavailable: The NAS was unable to provide the requested
service.
- Callback: The NAS is ending the current session so that it may call
the user back for a new session.
- User Error: The input from the user was in error.
- Host Request: The login host terminated the session normally.
Acct-Multi-Session-ID
  Attribute Number:    50
  Length:              3 or more octets
  Value:               STRING
  Allowed in:          Accounting-Request
  Prohibited in:       Accounting-Response
  Presence in Packet:  Not required
  Maximum Iterations:  1
This attribute carries an ID shared by all the sessions (links) that
make up one multilink connection, so that their records can be
"threaded" together in a log file. The Acct-Session-ID of each link is
unique, but all are tied together by a common Acct-Multi-Session-ID.
This is useful where multilink and channel-bonding services, such as
multilink PPP, are provided and supported. More details on these
services are provided in Chapter 6.
Acct-Link-Count
  Attribute Number:    51
  Length:              6
  Value:               INTEGER
  Allowed in:          Accounting-Request
  Prohibited in:       Accounting-Response
  Presence in Packet:  Not required
  Maximum Iterations:  1
This attribute gives the number of links the NAS knows to have been
part of the multilink session at the time the accounting record is
generated. The way this value is used is of particular interest, so
let's examine it more closely.
Because links are only ever added to the count over the life of a
multilink session, the last Acct-Link-Count reported tells the
accounting server how many links, and therefore how many Stop
records, to expect. By matching the Stop records it has received
against that count, the server can determine when its recordkeeping is
complete for any given multilink session. The following is a
constructed sequence of records for one multilink session:
  Multi-Session-ID  Session-ID  Status-Type  Link-Count
  52                21          Start        1
  52                22          Start        2
  52                23          Start        3
  52                22          Stop         3
  52                21          Stop         3
  52                24          Start        4
  52                23          Stop         4
  52                24          Stop         4
When the fourth Stop arrives, the number of links that have stopped
equals the final link count of 4, and the server knows it holds every
record for multilink session 52.
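The completeness check described above, as an added Python example (not code from the book or from RFC 2866); the record tuple format and function names are this example's own, and the records are the constructed sequence from the table.

```python
# Added example (not from the book or RFC 2866): decide when an accounting
# server holds every record of a multilink session by comparing the Stop
# records received against the Acct-Link-Count the NAS reports.


def is_complete(st):
    """Complete when every link that reported a Start has reported a Stop and
    the number of stopped links equals the final Acct-Link-Count."""
    return (st["links"] > 0 and len(st["stopped"]) == st["links"]
            and st["started"] <= st["stopped"])


def track_multilink(records):
    """records: (multi_session_id, session_id, status_type, link_count) in
    arrival order. Returns (state, completed_at): per Acct-Multi-Session-Id
    the highest link count seen plus the started and stopped Acct-Session-Ids,
    and the record index at which the session could first be declared complete."""
    state, completed_at = {}, {}
    for i, (msid, sid, status, link_count) in enumerate(records):
        st = state.setdefault(msid, {"links": 0, "started": set(), "stopped": set()})
        # Acct-Link-Count counts links known to the NAS at record time, so it
        # only grows; the final value is the number of Stops to expect.
        st["links"] = max(st["links"], link_count)
        if status == "Start":
            st["started"].add(sid)
        elif status == "Stop":
            st["stopped"].add(sid)   # a set, so a retransmitted Stop counts once
        if msid not in completed_at and is_complete(st):
            completed_at[msid] = i
    return state, completed_at


def incomplete_sessions(records):
    """Acct-Multi-Session-Ids still waiting on Stop records; what a server
    would need to close out by hand after an Accounting-Off from the NAS."""
    state, completed_at = track_multilink(records)
    return sorted(msid for msid in state if msid not in completed_at)


# The constructed sequence from the text: four links on multilink session 52.
MULTILINK_RECORDS = [
    ("52", "21", "Start", 1),
    ("52", "22", "Start", 2),
    ("52", "23", "Start", 3),
    ("52", "22", "Stop", 3),
    ("52", "21", "Stop", 3),
    ("52", "24", "Start", 4),
    ("52", "23", "Stop", 4),
    ("52", "24", "Stop", 4),
]

if __name__ == "__main__":
    state, completed_at = track_multilink(MULTILINK_RECORDS)
    print("final link count:", state["52"]["links"], "complete after record:", completed_at.get("52"))
    print("still open:", incomplete_sessions(MULTILINK_RECORDS[:7]))
```

Using a set for the stopped links matters: a retransmitted Stop for link 22 must not be mistaken for the Stop of link 24, or the server would close the session with one link's usage unrecorded. The subset check catches the opposite case, a link count that was never raised for a Start the server did see.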