Log out client when no accounting updates received
jmeiring at amobia.com
Wed Sep 30 09:31:53 UTC 2009
> I think it could be an option.. even a compile-time option + runtime
> configuration for number of missed acct'ing responses. But, it's not a
> feature I would imagine many would use.
Whether people would use it or not, is probably a case of people don't know
that they need it.
Hope the following makes sense.....
I process about 2 million radius accounting records per month (probably very
few in some people's book).
I discovered (by accident) that accounting data sometimes got lost, I would
never have known about it, had I not stumbled on a "weird" session.
Let me explain how this can go wrong.
You have a NAS (chillispot) natted behind an ADSL line. It handles few
users with long sessions.
A Linux device (probably every ADSL router out there) is handling the DSL
line. In the Linux conntrack table, the authentication and accounting
become tracked (and masqueraded/source natted).
Now the authentication conntrack times out, but the accounting conntrack
session stays, (few authentications, but frequent accounting updates).
Now the ADSL connection is dropped and re-established with a new IP.
Because the accounting conntrack still exists, the accounting packets are
source natted behind the old IP, and therefore gets lost. The
authentication is behind the new IP, and works. Now everyone on this
hotspot gets free bandwidth.
I realise there are other ways to fix the spesific issue above (manipulting
the conntrack table in ip-up/ip-down) but as Wickert mentioned, lots of
people have seperate authentication and accounting systems. The one system
does not neccesarily know the other is down, and now people can use
resources without being billed for them.
It would be interesting for everyone on the list that may have hotspots
behind dymanic IP connections, to see how many successfull authentications
they have without any accounting data.
The problem could be solved from the radius side (using COA), but only if
the Radius server can contact the NAS - which it can't if the NAS is behind
a NATTED connection.
If the Radius server received no Radius Accounting, it has no opportunity to
stop (COA) the client.
Hope this makes sense.
If you think it is worth implementing, I can offer to help wherever I can.
My c skills is limited to "copy and paste" programming, but I am willing to
Tel: (0861) AMOBIA / (0861) 266242
Fax: (0861) AMOFAX / (0861) 266329
More information about the Chilli