
Chapter 8  Implementing RADIUS Accounting


  RADIUS 2.1 is strictly compliant with RFC 2139. RADIUS accounting logs information about dial-in connections. This information is often used for billing purposes. RADIUS accounting uses a client/server model. On a UNIX host, transactions are recorded as they occur in a file on the RADIUS accounting server named /usr/adm/radacct/portmastername/detail.
  This chapter includes the following topics:

  · How RADIUS Accounting Works
  · Getting Started
  · Client Configuration
  · Accounting Server Configuration
  · Accounting Attributes
  · Start and Stop Records

  If you want to use RADIUS accounting, RADIUS 2.1 must be run with ComOS 3.3.1 or later, or with the -o option.
 

       How RADIUS Accounting Works

  RADIUS accounting consists of an accounting server and accounting clients (PortMaster products). RADIUS accounting starts automatically when the RADIUS server starts. On a UNIX host, the radiusd accounting daemon is a child process of the radiusd authentication daemon.
  The RADIUS accounting server uses the User Datagram Protocol (UDP), and listens for UDP packets at port 1646 by default.
  RADIUS accounting consists of the following steps:

  1. The PortMaster (accounting client) sends an accounting-request packet containing the record of an event to the accounting server. The record is described by the values of RADIUS attributes included in the packet.

  For example, when a user is authenticated and connected, the Acct-Status-Type attribute has a value indicating that the request marks the beginning of user service. The RADIUS accounting server logs this event as a start accounting record. The records are written to a file called /usr/adm/radacct/portmastername/detail on the UNIX host.

  Note: RADIUS automatically creates the portmastername directory and the detail file. If the IP address of a PortMaster client cannot be resolved to a hostname, the name of the directory is the IP address of the PortMaster rather than its name.

  When the user's connection ends, the Acct-Status-Type attribute has a value indicating that the request marks the end of user service. The RADIUS accounting server records this as a stop accounting record. The stop record contains all the information in the start record plus additional information that describes what occurred during that session, such as Acct-Session-Time.

  2. The accounting server sends an accounting-response packet back to the PortMaster to acknowledge receipt of the request. The server must send back an acknowledgment when it records the request.

  3. If the PortMaster does not receive a response, it continues to send accounting-requests until it receives a response.

  A backoff algorithm is used to determine the delay between accounting-requests if an accounting-response is not received.

  4. The PortMaster records the number of seconds that have passed between the event and the current attempt to send the record; this number is the Acct-Delay-Time value. As additional time passes before an accounting-response is received, the Acct-Delay-Time is updated.

  Table 8-1 lists RADIUS attributes that a PortMaster might send to a RADIUS accounting server. See RFC 2139 for a complete list of accounting attributes. In addition, the RADIUS accounting server includes a timestamp for each entry. Information on the request-authenticator for the accounting-request packet is included if radiusd was run with the -o flag.

  Table 8-1 Common Attributes in detail File

  User-Name, NAS-IP-Address, NAS-Port, Service-Type, Framed-Protocol,
  Framed-IP-Address, Filter-Id, Login-IP-Host, Login-Service, Login-TCP-Port,
  Framed-IPX-Network, LE-Advice-of-Charge, LE-Terminate-Detail,
  Called-Station-Id, Calling-Station-Id, Acct-Status-Type, Acct-Delay-Time,
  Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Authentic,
  Acct-Session-Time, Acct-Terminate-Cause, NAS-Port-Type, Connect-Info

       Getting Started

  Select a host to use as the RADIUS accounting server. This host can be either the same host as the RADIUS server used for authentication or a separate host.
  Choose a host with the following characteristics:
  The use of a secondary RADIUS accounting server is recommended. The primary accounting server is always used first; if this server is unavailable, the secondary server is used.
  The PortMaster always sends accounting packets to the primary RADIUS accounting server first and retries it once every 45 seconds. If the primary server does not respond within 10 minutes, or if there are more than 50 accounting packets waiting to be sent, the PortMaster sends the accounting packets to the secondary RADIUS accounting server. This behavior is subject to change in future releases of ComOS.
 

       Client Configuration

  To configure RADIUS accounting information on a PortMaster, see Chapter 3, "Adding a RADIUS Client."
 

       Accounting Server Configuration

  If you have already installed the RADIUS server (radiusd) on a host, that server also acts as an accounting server. No further installation is needed.
 

       Installation

  To install the RADIUS accounting server on a UNIX host, perform the following steps:

  1. Log in to the selected accounting server as root.

  2. Create a radacct directory within the /usr/adm directory and grant full access only to root users:

  mkdir /usr/adm/radacct

  chmod 700 /usr/adm/radacct

  RADIUS accounting automatically creates a subdirectory within the /usr/adm/radacct directory for each PortMaster serving as a RADIUS accounting client and logs the accounting start and stop records to the detail file in that directory.
 

       Configuring Options

  Table 8-2 describes the radiusd options you can use to modify RADIUS accounting on a UNIX host.

  Table 8-2 radiusd Accounting Options

  Flag  Purpose
  -a    Specifies an alternate directory for RADIUS accounting logs. The default directory is /usr/adm/radacct.
  -o    Enables the RADIUS server to accept accounting packets from RADIUS clients that do not sign the Request-Authenticator according to RFC 2139. With this option, unsigned accounting records are logged and flagged with Request-Authenticator = None. Without this option, accounting packets with an unsigned Request-Authenticator (all zeros) are discarded as invalid. Use this option only if you are using RADIUS accounting details from a PortMaster running ComOS 3.3 or earlier.
  -p    Overrides the default UDP port used by the RADIUS authentication server and the nondefault port if it is specified in the /etc/services file. The accounting server uses the next higher port. If you specify radiusd -p 1812, authentication uses port 1812 and accounting uses port 1813. The default UDP ports are 1645 for authentication and 1646 for accounting. You must configure your PortMaster to use the same ports specified with this option.
  -v    Displays the RADIUS version number without starting the radiusd daemon. This flag also applies to the RADIUS authentication server; the RADIUS authentication and accounting servers have the same version number.
 

       Accounting Attributes

  For RADIUS accounting to function, a series of accounting attributes are defined in the dictionary file on the RADIUS server and appear in the start and stop accounting records. Use the following descriptions of common accounting attributes to help you interpret start and stop records. Refer to RFC 2139 for information on other accounting attributes.
 

       Acct-Authentic

  Acct-Authentic records whether the user was authenticated by RADIUS or by the PortMaster user table. Accounting records are not generated for passthrough users, because those users are authenticated by the destination host.
 

       Acct-Delay-Time

  The PortMaster records the number of seconds that have passed between the event and the current attempt to send the record; this number is the Acct-Delay-Time value.
  You can determine the approximate time of an event by subtracting the Acct-Delay-Time value from the time of the record's arrival on the RADIUS accounting server.
 

       Acct-Input-Octets and Acct-Output-Octets

  Acct-Input-Octets records the number of bytes received from the user and Acct-Output-Octets records the number sent to the user during a session. These values appear only in stop records.
 

       Acct-Session-Id

  Acct-Session-Id is a unique number assigned to each start and stop record to make it easy to match the start and stop records in a detail file, and to eliminate duplicate records.
  The Acct-Session-Id is a string consisting of eight uppercase hexadecimal digits. The first two digits (nn) increment each time the PortMaster is rebooted. The next six digits begin at 000000 for the first user login after a reboot (giving an Acct-Session-Id of nn000000) and increment up to approximately 16 million logins. This value equals the number of logins made in one year if users log in once a minute to every port of a 30-port PortMaster. The Acct-Session-Id appears inside double quotation marks. This format is subject to change in future releases of ComOS.
 

       Acct-Session-Time

  Acct-Session-Time records the user's connection time in seconds. This information is included only in stop records.
 

       Acct-Status-Type

  Acct-Status-Type has two values: Start and Stop. A start record is created when a user session begins. A stop record is recorded when the session ends.
 

       Acct-Terminate-Cause

  The values returned by Acct-Terminate-Cause, which are shown in Table 8-3, indicate the cause of a session's termination. This information appears only in stop records. A NAS is a network access server, such as a PortMaster.

  Table 8-3 Session Termination Causes

  Termination Cause    Meaning
  Admin-Reboot         System administrator is ending service on the NAS--for example, prior to rebooting the NAS.
  Admin-Reset          Port was reset by an administrator.
  Callback             Callback user was disconnected so port can be used to call the user back.
  Host-Request         Session was disconnected or logged out by the Login-IP-Host. This attribute value can indicate normal termination of a login session, or that the remote host has failed or become unreachable.
  Idle-Timeout         Idle timer expired for user or port.
  Lost-Carrier         Session terminated when the modem dropped the Data Carrier Detect (DCD) signal. This value can indicate any of the following:
                       · The user or his modem hung up the telephone from their end; no problem exists.
                       · The line was dropped.
                       · The modem was unable to recover from severe line noise.
                       · The local modem dropped DCD for some other reason.
  Lost-Service         Service can no longer be provided--for example, the user's connection to a host was interrupted.
  NAS-Error            NAS detected some error other than on the port, which required ending the session.
  NAS-Reboot           NAS ended the session to perform a nonadministrative reboot--a system crash.
  NAS-Request          NAS ended the session for a nonerror reason not otherwise listed here.
  Port-Error           NAS had to reset the port. This error commonly occurs when a device attached to the port causes too many interrupts.
  Port-Preempted       NAS ended the session in order to allocate the port to a higher priority use.
  Port-Suspended       NAS ended the session to suspend a virtual session.
  Port-Unneeded        NAS ended the session because resource usage fell below the low-water mark--for example, if a bandwidth-on-demand algorithm decided that the port was no longer needed.
  Service-Unavailable  NAS was unable to provide the requested service.
  Session-Timeout      Session timer expired for the user.
  User-Error           Because the NAS received a PPP configuration request or acknowledgment when a session was already established, it terminated the session. This error is caused by a PPP implementation error in the dial-in client.
  User-Request         Dial-in PPP client requested that the NAS terminate the connection. This message is expected from a proper PPP client termination.
 

       Timestamp

  Timestamp records the time of arrival on the RADIUS accounting host measured in seconds since the epoch (00:00 January 1, 1970 GMT). This attribute provides a machine-friendly version of the logging time at the beginning of the accounting record. To find the actual time of the event, subtract Acct-Delay-Time from Timestamp.
 

       Called-Station-Id and Calling-Station-Id

  Called-Station-Id records the telephone number called by the user. Calling-Station-Id records the number the user is called from. This information is recorded when the NAS-Port-Type is ISDN, ISDN-V120, or ISDN-V110 where supported by the local telephone company. On the PortMaster 3 and the PortMaster 4, this information is available for asynchronous calls as well, where supported by the local telephone company.
 

       LE-Advice-of-Charge and LE-Terminate-Detail

  The LE-Advice-of-Charge value is a vendor-specific attribute included in RADIUS accounting stop records generated by ComOS versions 3.8 or later. This string provides any advice-of-charge information passed along by the telephone company on the ISDN D channel.
  The LE-Terminate-Detail value is a vendor-specific attribute included in RADIUS accounting stop records generated by ComOS versions 3.8 or later. This string provides a detailed description of the reason the session terminated.
  The RADIUS 2.1 dictionary file uses the following syntax to define vendor-specific attributes that conform to RFC 2138:

  #
  # Vendor-Specific attributes use the SMI Network Management Private
  # Enterprise Code from the "Assigned Numbers" RFC
  #

  VENDOR Livingston 307

  # Livingston Vendor-Specific Attributes (requires ComOS 3.8 and RADIUS 2.1)

  ATTRIBUTE LE-Terminate-Detail 2 string Livingston
  ATTRIBUTE LE-Advice-of-Charge 3 string Livingston

 

       NAS-Port-Type

  NAS-Port-Type records the type of port used in the connection. The port type can be any of the following: Async, Sync, ISDN, ISDN-V120, or ISDN-V110.
 

       Request-Authenticator

  The Request-Authenticator attribute appears in an accounting record only when the RADIUS server detects a problem with the accounting request's digital signature. A Request-Authenticator of None means that the accounting request was not digitally signed and was probably sent by a PortMaster that did not sign the accounting packets because it is running ComOS 3.3 or earlier. In RADIUS for UNIX 2.0 and 2.0.1, if the value for Request-Authenticator is Unverified, the accounting request signature did not match the expected value. Ensure that the shared secret on the PortMaster matches the shared secret in the /etc/raddb/clients file.
  The RADIUS 2.1 server discards unsigned accounting packets--packets with invalid request authenticator attributes--and logs an error message. The following example shows a message resulting from a request on port 1025 from a PortMaster with an IP address of 192.168.1.1:

  accounting: client 192.168.1.1/1025 sent accounting-request with invalid request authenticator

  You can instruct the server to accept unsigned accounting request packets by running radiusd -o. With this option, invalid--unsigned--accounting records are logged and flagged with Request-Authenticator = None.
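As an added example (not code from the RADIUS 2.1 distribution), the RFC 2139 signature check described above, in Python: the client side builds an Accounting-Request with either a signed or an all-zero Request Authenticator, and the server side classifies it as the -o option decides. The shared secret, attribute values and function names are constructed for this example.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4  # RADIUS packet code for Accounting-Request

def attr(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2138 format)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_accounting_request(ident, attrs, secret=None):
    """Build an Accounting-Request. With a secret, sign the Request
    Authenticator as RFC 2139 requires: MD5(Code + ID + Length + 16 zero
    octets + Attributes + Secret). Without one, leave it all zeros, as a
    PortMaster running ComOS 3.3 or earlier did."""
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    if secret is None:
        return header + bytes(16) + attrs
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def check_request_authenticator(packet, secret, accept_unsigned=False):
    """Server-side check of an incoming Accounting-Request. Returns:
    'valid'       signature matches; log the record normally
    'none'        all-zero authenticator accepted because of -o; log the
                  record flagged Request-Authenticator = None
    'unverified'  signature present but wrong (shared-secret mismatch)
    'discarded'   malformed, or unsigned without -o; log an error"""
    if len(packet) < 20:
        return "discarded"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return "discarded"
    auth, attrs = packet[4:20], packet[20:]
    if auth == bytes(16):
        return "none" if accept_unsigned else "discarded"
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    return "valid" if hmac.compare_digest(auth, expected) else "unverified"

# Constructed example values: a shared secret and the attributes of a
# Start record (Acct-Status-Type = 1/Start, Acct-Session-Id = "AC000004").
SECRET = b"example-shared-secret"
START_ATTRS = attr(40, struct.pack("!I", 1)) + attr(44, b"AC000004")

def demo():
    """Run the four cases the text describes and return the verdicts."""
    signed = build_accounting_request(7, START_ATTRS, SECRET)
    unsigned = build_accounting_request(7, START_ATTRS)
    return {
        "signed": check_request_authenticator(signed, SECRET),
        "wrong_secret": check_request_authenticator(signed, b"other-secret"),
        "unsigned": check_request_authenticator(unsigned, SECRET),
        "unsigned_with_o": check_request_authenticator(unsigned, SECRET, True),
    }
```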
 

       Start and Stop Records

 

       Example 1

  The following code sample is an example start record in a PortMaster detail file.

  Tue Jul 30 14:48:18 1996
  Acct-Session-Id = "AC000004"
  User-Name = "jaime"
  NAS-IP-Address = 172.16.64.91
  NAS-Port = 1
  NAS-Port-Type = Async
  Acct-Status-Type = Start
  Acct-Authentic = RADIUS
  Service-Type = Login-User
  Login-Service = Telnet
  Login-IP-Host = 172.16.64.25
  Acct-Delay-Time = 0
  Timestamp = 838763298

  The Acct-Status-Type attribute in the record indicates whether the record was sent when the connection began (Start) or when it ended (Stop). The Acct-Session-Id is listed at the beginning of the record. Note that this value matches the Acct-Session-Id of the stop record that follows, indicating that these records correspond to the same session.
  User-Name specifies the username, in this case, jaime. NAS-IP-Address specifies the IP address of the PortMaster. NAS-Port-Type specifies that this is an asynchronous connection. Acct-Authentic specifies that jaime is authenticated via RADIUS. Service-Type and Login-Service specify that jaime is a login user using Telnet. Login-IP-Host specifies the host that user jaime logged in to.
  The following code sample is the stop record associated with the start record above. Its Acct-Session-Id matches that of the start record, indicating that these records correspond to the same session.

  Tue Jul 30 14:48:39 1996
  Acct-Session-Id = "AC000004"
  User-Name = "jaime"
  NAS-IP-Address = 172.16.64.91
  NAS-Port = 1
  NAS-Port-Type = Async
  Acct-Status-Type = Stop
  Acct-Session-Time = 21
  Acct-Authentic = RADIUS
  Acct-Input-Octets = 22
  Acct-Output-Octets = 187
  Acct-Terminate-Cause = Host-Request
  Service-Type = Login-User
  Login-Service = Telnet
  Login-IP-Host = 172.16.64.25
  Acct-Delay-Time = 0
  Timestamp = 838763319

  In the stop accounting record, Acct-Session-Time specifies that jaime's connection lasted 21 seconds. Acct-Input-Octets indicates that 22 bytes of incoming traffic were received; Acct-Output-Octets indicates that 187 bytes of outgoing traffic were sent.
  The Acct-Terminate-Cause indicates that a Host-Request terminated the session, meaning that jaime logged off the host or that the host logged him off. The Acct-Delay-Time is 0 seconds, indicating that the RADIUS accounting server received the accounting-request on the first try.

  Note: For more information on accounting attributes, see "Accounting Attributes" earlier in this chapter.

 

       Example 2

  The following is an example of a start record in a PortMaster detail file. The start record is for an ISDN PPP connection.

  Tue Jul 8 08:44:17 1997
  Acct-Session-Id = "1A00014E"
  User-Name = "consolata"
  NAS-IP-Address = 192.168.32.1
  NAS-Port = 0
  NAS-Port-Type = Async
  Acct-Status-Type = Start
  Acct-Authentic = RADIUS
  Connect-Info = "33600 LAPM/V42BIS"
  Called-Station-Id = "5557026"
  Calling-Station-Id = "5105550285"
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Framed-IP-Address = 192.168.32.35
  Acct-Delay-Time = 0
  Timestamp = 868376657

  The NAS-Port-Type specifies that the user consolata has an asynchronous connection. Called-Station-Id and Calling-Station-Id specify the destination and source of the call. Service-Type and Framed-Protocol indicate that user consolata is a framed user establishing the connection via PPP.
  The following example is the stop record associated with the start record above. The stop record indicates that the login time for user consolata was 67 seconds. The Acct-Input-Octets and Acct-Output-Octets indicate that the incoming traffic for this session was 5877 bytes, and outgoing traffic was 2418 bytes.

  Tue Jul 8 08:45:24 1997
  Acct-Session-Id = "1A00014E"
  User-Name = "consolata"
  NAS-IP-Address = 192.168.32.7
  NAS-Port = 0
  NAS-Port-Type = Async
  Acct-Status-Type = Stop
  Acct-Session-Time = 67
  Acct-Authentic = RADIUS
  Connect-Info = "33600 LAPM/V42BIS"
  Acct-Input-Octets = 5877
  Acct-Output-Octets = 2418
  Called-Station-Id = "5557026"
  Calling-Station-Id = "5105550285"
  Acct-Terminate-Cause = User-Request
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Framed-IP-Address = 192.168.32.35
  Acct-Delay-Time = 0
  Timestamp = 868376724

  Note: Examples of Perl scripts to process the RADIUS accounting logs are available at the Lucent InterNetworking Systems FTP site at ftp://ftp.livingston.com/pub/le/radius/ .
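As an added example, and not one of the Perl scripts referred to above, a small Python parser for the detail format shown in Examples 1 and 2: it pairs start and stop records by Acct-Session-Id, drops a retransmitted stop record (the duplicate the Acct-Session-Id exists to eliminate), flags a stop with no start, and recovers the event time by subtracting Acct-Delay-Time from Timestamp, as the Timestamp section describes. The sample detail text is constructed for this example, with a leading tab on each attribute line assumed.

```python
# Constructed detail-file excerpt (not from the page): one session whose
# Stop record arrived twice, the second copy after a 45-second retry.
SAMPLE_DETAIL = """\
Tue Jul 30 14:48:18 1996
\tAcct-Session-Id = "AC000004"
\tUser-Name = "jaime"
\tAcct-Status-Type = Start
\tAcct-Delay-Time = 0
\tTimestamp = 838763298

Tue Jul 30 14:48:39 1996
\tAcct-Session-Id = "AC000004"
\tUser-Name = "jaime"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 21
\tAcct-Input-Octets = 22
\tAcct-Output-Octets = 187
\tAcct-Delay-Time = 0
\tTimestamp = 838763319

Tue Jul 30 14:49:24 1996
\tAcct-Session-Id = "AC000004"
\tUser-Name = "jaime"
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 21
\tAcct-Delay-Time = 45
\tTimestamp = 838763364
"""

def parse_detail(text):
    """A record is a date line then 'Attribute = Value' lines; blank lines separate records."""
    records = []
    for chunk in text.strip().split("\n\n"):
        _date, *attrs = (line.strip() for line in chunk.splitlines())
        records.append({k: v.strip('"') for k, _, v in (a.partition(" = ") for a in attrs)})
    return records

def event_time(rec):
    """Approximate event time: arrival Timestamp minus Acct-Delay-Time (seconds)."""
    return int(rec["Timestamp"]) - int(rec.get("Acct-Delay-Time", 0))

def match_sessions(records):
    """Pair Start/Stop by Acct-Session-Id; drop retransmitted Stops, report Stops with no Start."""
    starts, sessions, dupes, orphans = {}, {}, [], []
    for rec in records:
        sid, status = rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        if status == "Start":
            starts[sid] = rec
        elif status == "Stop" and sid in sessions:
            dupes.append(sid)  # retransmission of a Stop already recorded
        elif status == "Stop":
            if sid not in starts:
                orphans.append(sid)  # do not bill until someone has checked it
            sessions[sid] = {
                "user": rec["User-Name"],
                "start": event_time(starts[sid]) if sid in starts else None,
                "stop": event_time(rec),
                "session_time": int(rec["Acct-Session-Time"]),
            }
    return sessions, dupes, orphans
```

A stop's event time minus its start's event time should equal Acct-Session-Time; a large gap between the two is a sign that the records were delayed or the PortMaster's clock was reset.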

 

Copyright © 1999, Lucent Technologies. All rights reserved.