Re: (usr-tc) Radius question

13 Oct 1999

      Steve Valiunas writes...
...
. . .
...
...
But later, when it comes time to send another request, it has
"forgotten" that it previously incremented the identifier and merrily
uses the last one again!
Can you send along an example of this happening (using the same packet-ID
twice in a row for the same destination port and with current HiperArc code)?
If it is an issue it will be fixed.  Keep in mind though that it only
takes a couple hundred packets to wrap back around and reuse the same ID
again.
Sure.  As it happens, I still had the patch in my Radius to test
this, just a matter of changing the values.

First thing I tested was the auth, it now works fine, it doesn't
change the id on retransmit, and after a retransmit it correctly
increments the id.  If this was fixed intentionally, thanks.

Here's the acct test.  I patched our radius server to ignore request
ID 205.  I logged in, logged out (but ignored the stop), logged back
in, and the NAS has re-used ID 206 from the "retransmit" of the stop
for the start.

Code:       Accounting-Request
Identifier: 204
Attributes:
        Class = "902"
        User-Name = "nabil"
        Acct-Status-Type = Start
        Acct-Session-Id = "16777229"
        Acct-Delay-Time = 0
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        NAS-Port-Type = Async
        NAS-Port = 25
        USR-Modem-Training-Time = 18
        USR-Interface-Index = 1513
        USR-Chassis-Call-Slot = 2
        USR-Chassis-Call-Span = 1
        USR-Chassis-Call-Channel = 1
        USR-Unauthenticated-Time = 4
        Calling-Station-Id = ""
        USR-Modulation-Type = v90Digital
        USR-Simplified-MNP-Levels = ccittV42
        USR-Simplified-V42bis-Usage = ccittV42bis
        USR-Connect-Speed = 46666_BPS
        Framed-Protocol = PPP

Code:       Accounting-Response
Identifier: 204
Attributes:

Code:       Accounting-Request
Identifier: 205
Attributes:
        Class = "902"
        User-Name = "nabil"
        Acct-Status-Type = Stop
        Acct-Session-Id = "16777229"
        Acct-Delay-Time = 0
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        NAS-Port-Type = Async
        NAS-Port = 25
        USR-Modem-Training-Time = 18
        USR-Interface-Index = 1513
        USR-Chassis-Call-Slot = 2
        USR-Chassis-Call-Span = 1
        USR-Chassis-Call-Channel = 1
        USR-Unauthenticated-Time = 4
        Calling-Station-Id = ""
        USR-Modulation-Type = v90Digital
        USR-Simplified-MNP-Levels = ccittV42
        USR-Simplified-V42bis-Usage = ccittV42bis
        USR-Connect-Speed = 46666_BPS
        Framed-Protocol = PPP
        Acct-Session-Time = 9
        Acct-Terminate-Cause = User-Request
        Acct-Input-Octets = 440
        Acct-Output-Octets = 289
        Acct-Input-Packets = 15
        Acct-Output-Packets = 13

Code:       Accounting-Request
Identifier: 206
Attributes:
        Class = "902"
        User-Name = "nabil"
        Acct-Status-Type = Stop
        Acct-Session-Id = "16777229"
        Acct-Delay-Time = 60
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        NAS-Port-Type = Async
        NAS-Port = 25
        USR-Modem-Training-Time = 18
        USR-Interface-Index = 1513
        USR-Chassis-Call-Slot = 2
        USR-Chassis-Call-Span = 1
        USR-Chassis-Call-Channel = 1
        USR-Unauthenticated-Time = 4
        Calling-Station-Id = ""
        USR-Modulation-Type = v90Digital
        USR-Simplified-MNP-Levels = ccittV42
        USR-Simplified-V42bis-Usage = ccittV42bis
        USR-Connect-Speed = 46666_BPS
        Framed-Protocol = PPP
        Acct-Session-Time = 9
        Acct-Terminate-Cause = User-Request
        Acct-Input-Octets = 440
        Acct-Output-Octets = 289
        Acct-Input-Packets = 15
        Acct-Output-Packets = 13

Code:       Accounting-Response
Identifier: 206
Attributes:

Code:       Accounting-Request
Identifier: 206
Attributes:
        Class = "902"
        User-Name = "nabil"
        Acct-Status-Type = Start
        Acct-Session-Id = "16777230"
        Acct-Delay-Time = 0
        Acct-Authentic = RADIUS
        Service-Type = Framed-User
        NAS-Port-Type = Async
        NAS-Port = 25
        USR-Modem-Training-Time = 18
        USR-Interface-Index = 1513
        USR-Chassis-Call-Slot = 2
        USR-Chassis-Call-Span = 1
        USR-Chassis-Call-Channel = 1
        USR-Unauthenticated-Time = 5
        Calling-Station-Id = ""
        USR-Modulation-Type = v90Digital
        USR-Simplified-MNP-Levels = ccittV42
        USR-Simplified-V42bis-Usage = ccittV42bis
        USR-Connect-Speed = 46666_BPS
        Framed-Protocol = PPP

** Sending to 208.130.244.232 port 1646 ....
Code:       Accounting-Response
Identifier: 206
Attributes:

Code:       Accounting-Request
Identifier: 207
Attributes:
        Class = "902"
        User-Name = "nabil"
        NAS-IP-Address = 208.130.244.232
        Acct-Status-Type = Stop
        Acct-Session-Id = "16777230"
        Acct-Delay-Time = 0
        . . .
...
. . .
What exactly was it that 3com missed in the RFC?
The part about unique identifiers.  Ie, using the same identifier for
two packets in a row isn't good.  Above, you re-used 206.

In addition to fixing this obviously broken behavior, how about providing
a configurable on the hiperarc to suppress the "acct-delay" so that 
retransmitted packets would be identical (and have the same ID), and thus 
easily filtered out by less sophisticated radius servers?

-- 
Aaron Nabil

-
 To unsubscribe to usr-tc, send an email to "majordomo@xmission.com"
 with "unsubscribe usr-tc" in the body of the message.
 For information on digests or retrieving files and old messages send
 "help" to the same address.  Do not use quotes in your message.