RADIUS accounting logs information about dial-in connections; this information is often used for billing. RADIUS accounting uses a client/server model: as transactions occur, they are recorded on the RADIUS accounting server in a file named /usr/adm/radacct/portmastername/detail.
RADIUS accounting consists of an accounting server and accounting clients (PortMasters). The radiusd daemon for accounting is a child process of the radiusd authentication daemon; it starts automatically when radiusd is executed.
The RADIUS accounting server uses UDP and listens on port 1646. (This is the port Livingston's implementation uses; the later RFC 2866 standard assigns accounting to UDP port 1813, so confirm which port your clients are configured to send to.)
RADIUS accounting consists of the following steps:
A backoff algorithm determines the delay between retransmitted accounting-requests when no accounting-response is received.
The Start record typically contains the Session-Id, the User-Name, Service-Type, Login-Service, Login-IP-Host, Acct-Delay-Time, and other relevant information from a user's entry in the users file.
Note - When the user is disconnected, a Stop record is generated. This record contains the same information as the Start record, and also includes Acct-Session-Time (the length of the user's session in seconds), Acct-Input-Octets, Acct-Output-Octets, and Acct-Terminate-Cause.
Select a UNIX host to use as the RADIUS accounting server. This host may be the same host as the RADIUS server used for authentication or a separate host.
Choose a host with the following characteristics:
For typical installations, allocate 50 MB per 1000 users if the logs are rotated monthly. It is much better to allocate too much space than too little; your usage may vary.
For example, with 1000 users, one port for every 10 users, an average connect time of one hour per session, and all ports in use around the clock, one month of logs requires about 50 MB of disk space:
700 bytes/session x 1000 users x 1 port/10 users x 1 session/hour x 24 hours/day x 30 days/month = 50,400,000 bytes (about 50 MB)
Livingston recommends the use of a secondary RADIUS accounting server. The primary accounting server is always used first; if this server is unavailable, the secondary server is used.
To configure RADIUS accounting information on a PortMaster, see "RADIUS Client Configuration."
To install the RADIUS accounting server, log into the selected accounting server as root. Create a radacct directory within the /usr/adm directory.
mkdir /usr/adm/radacct
chmod 700 /usr/adm/radacct
RADIUS accounting automatically creates subdirectories within the /usr/adm/radacct directory for each PortMaster serving as a RADIUS accounting client and logs the accounting start and stop records to the detail file in the directory.
The flags associated with the parent radiusd are described in "RADIUS Server Configuration."
The radiusd accounting daemon may also be used with these flags:
In order for RADIUS accounting to function, a series of accounting attributes (listed below) are defined in the /etc/raddb/dictionary file on the RADIUS server.
Acct-Status-Type has two values: Start and Stop. A Start record is created when a user session begins. A Stop record is recorded when the session ends.
The PortMaster records the number of seconds that have passed between the event and the current attempt to send the record; this number is the Acct-Delay-Time value.
The approximate time of an event can be determined by subtracting the Acct-Delay-Time from the time of the record's arrival on the RADIUS accounting server.
Acct-Session-Id is a unique identifier assigned to each session and carried in both its Start and Stop records, which makes it easy to match the Start and Stop records in a detail file and to eliminate duplicate records. The identifier is unique only per PortMaster, so combine it with NAS-IP-Address when logs from several PortMasters are merged.
The Acct-Session-Id is a string consisting of 8 uppercase hexadecimal digits. The first two digits increment each time the PortMaster is rebooted. The next 6 digits begin at 0 (for the first user login after a reboot) and increment up to approximately 16 million logins. This is equal to one user logging into each port of a 30-port unit every minute for an entire year.
Acct-Authentic records whether the user was authenticated via RADIUS or by the PortMaster User Table. Accounting records are not generated for passthrough users, as those users are authenticated by the destination host.
The Acct-Session-Time records the user's connection time in seconds. This information is only included in Stop records.
NAS-Port-Type records the type of port used in the connection. The port type may be any of the following: Async, Sync, ISDN, ISDN-V120, or ISDN-V110.
Acct-Input-Octets and Acct-Output-Octets record the number of bytes received and sent, respectively, during a session. These values only appear in Stop records.
Called-Station-Id and Calling-Station-Id record the called and calling numbers. This information is recorded when the NAS-Port-Type is ISDN, ISDN-V120, or ISDN-V110 where supported by the local Telco.
Timestamp records the time of arrival on the RADIUS Accounting host measured in seconds since the epoch (00:00 January 1, 1970).
This attribute provides a machine-friendly version of the date line that begins each accounting record. To find the actual time of the event, subtract Acct-Delay-Time from Timestamp.
The Request-Authenticator attribute appears in an accounting record only when the RADIUS 2.0 server finds a problem with the accounting request's authenticator. Despite the name "digital signature" used elsewhere, this authenticator is an MD5 hash computed over the packet and the shared secret, so it can be produced or checked by anyone who knows that secret.
A Request-Authenticator of None means that the accounting request was not signed, and was probably sent by a PortMaster running a version of ComOS that did not sign accounting packets. A Request-Authenticator of Unverified means the authenticator did not match the expected value: either the shared secret on the PortMaster differs from the one in the /etc/raddb/clients file, or the packet was altered or forged in transit. Ensure that the shared secrets match, and do not rely on None or Unverified records for billing until the cause is understood.
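How the accounting request authenticator is computed and checked, as an added Python example (not Livingston's radiusd code). It follows RFC 2866 section 3 for the Accounting-Request and Accounting-Response authenticators; the packet, attribute values and shared secret are constructed for the example, and treating an all-zero authenticator as the "None" (unsigned) case is an assumption about how radiusd recognizes an old ComOS rather than something the page states.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5          # RADIUS packet codes (RFC 2866)

def attr(type_code, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("BB", type_code, 2 + len(value)) + value

def build_accounting_request(identifier, attributes, secret):
    """What the PortMaster sends: the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + auth + attributes

def check_request_authenticator(packet, secret):
    """Server-side check returning "OK", "None" or "Unverified", the labels the
    page describes. An all-zero authenticator is taken to mean "not signed"
    (assumption); the hash comparison itself is the RFC 2866 rule."""
    length = struct.unpack("!H", packet[2:4])[0]
    auth, attributes = packet[4:20], packet[20:length]
    if auth == bytes(16):
        return "None"
    expected = hashlib.md5(packet[:4] + bytes(16) + attributes + secret).digest()
    return "OK" if hmac.compare_digest(auth, expected) else "Unverified"

def build_accounting_response(request, secret):
    """Accounting-Response with no attributes: its authenticator is
    MD5(Code + Identifier + Length + RequestAuth + secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_accounting_response(response, request, secret):
    """Client-side check: the response must carry the identifier of the request
    and be hashed over that request's authenticator, so a spoofed ack from a
    host without the secret, or an ack for a different request, is rejected."""
    if response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20]
                           + response[20:length] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)

if __name__ == "__main__":
    secret = b"testing123"                  # constructed shared secret
    # User-Name (1), Acct-Status-Type (40) = Start (1), Acct-Session-Id (44)
    attrs = attr(1, b"bob") + attr(40, struct.pack("!I", 1)) + attr(44, b"35000004")
    req = build_accounting_request(7, attrs, secret)
    print(check_request_authenticator(req, secret))          # OK
    print(check_request_authenticator(req, b"wrongsecret"))  # Unverified
    tampered = bytearray(req)
    tampered[22] ^= 1                       # flip one bit inside User-Name
    print(check_request_authenticator(bytes(tampered), secret))  # Unverified
```

The authenticator gives integrity and origin only relative to the shared secret: it is not a public-key signature, it does not encrypt the record, and it carries no replay protection (a retransmitted Stop hashes identically, which is why duplicates are removed by Acct-Session-Id rather than by the authenticator). Restrict UDP port 1646 to the PortMaster addresses listed in /etc/raddb/clients and keep the secret off unsigned clients.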
The Acct-Terminate-Cause, shown below, indicates the cause of a session's termination. This information only appears in Stop records.
The following example displays two accounting records in a PortMaster's detail file.
Tue Jul 30 14:48:18 1996
	Acct-Session-Id = "35000004"
	User-Name = "bob"
	NAS-IP-Address = 172.16.64.91
	NAS-Port = 1
	NAS-Port-Type = Async
	Acct-Status-Type = Start
	Acct-Authentic = RADIUS
	Service-Type = Login-User
	Login-Service = Telnet
	Login-IP-Host = 172.16.64.25
	Acct-Delay-Time = 0
	Timestamp = 838763298

Tue Jul 30 14:48:39 1996
	Acct-Session-Id = "35000004"
	User-Name = "bob"
	NAS-IP-Address = 172.16.64.91
	NAS-Port = 1
	NAS-Port-Type = Async
	Acct-Status-Type = Stop
	Acct-Session-Time = 21
	Acct-Authentic = RADIUS
	Acct-Input-Octets = 22
	Acct-Output-Octets = 187
	Acct-Terminate-Cause = Host-Request
	Service-Type = Login-User
	Login-Service = Telnet
	Login-IP-Host = 172.16.64.25
	Acct-Delay-Time = 0
	Timestamp = 838763319
The Acct-Status-Type attribute in the record indicates whether the record was sent when the connection began (Start) or when it ended (Stop). In the Start record above, the Acct-Session-Id is listed at the beginning of the record. Note that this value matches the Acct-Session-Id of the Stop record, indicating that these records correspond to the same session.
User-Name specifies the username, in this case, bob. NAS-IP-Address specifies the IP address of the PortMaster. NAS-Port-Type specifies that this is an asynchronous connection. Acct-Authentic specifies that bob is authenticated via RADIUS.
Service-Type and Login-Service specify that bob is a login user using Telnet. Login-IP-Host specifies the host that user bob logged into.
In the Stop accounting record, Acct-Session-Time specifies that bob's connection lasted 21 seconds. Acct-Input-Octets indicates that 22 bytes of incoming traffic were received; Acct-Output-Octets indicates that 187 bytes of outgoing traffic were sent.
The Acct-Terminate-Cause indicates that a Host-Request terminated the session, meaning that bob logged out of the host or that the host logged him out.
The Acct-Delay-Time is 0 seconds, indicating that the RADIUS accounting server received the accounting-request on the first try.
For more information on accounting attributes, see "Accounting Attributes" and the Check and Reply Item Table.
The following example displays Start and Stop accounting records for an ISDN PPP connection.
Wed May 8 10:51:12 1996
	Acct-Session-Id = "2400020E"
	User-Name = "Pbob"
	NAS-IP-Address = 172.16.1.21
	NAS-Port = 12
	NAS-Port-Type = ISDN
	Acct-Status-Type = Start
	Acct-Authentic = RADIUS
	Called-Station-Id = "5551111"
	Calling-Station-Id = "5105552222"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-Address = 172.16.93.1
	Acct-Delay-Time = 0
	Timestamp = 838763356

Wed May 8 12:50:49 1996
	Acct-Session-Id = "2400020E"
	User-Name = "Pbob"
	NAS-IP-Address = 172.16.1.21
	NAS-Port = 12
	NAS-Port-Type = ISDN
	Acct-Status-Type = Stop
	Acct-Session-Time = 7177
	Acct-Authentic = RADIUS
	Acct-Input-Octets = 14994
	Acct-Output-Octets = 90862
	Called-Station-Id = "5551111"
	Calling-Station-Id = "5105552222"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-Address = 172.16.93.1
	Acct-Delay-Time = 0
	Timestamp = 838763378
In the Start record of the example above, the NAS-Port-Type specifies that the user Pbob is using ISDN for his connection. Called-Station-Id gives the number dialed (the destination of the ISDN call) and Calling-Station-Id gives the number the call came from (its source). Service-Type and Framed-Protocol indicate that user Pbob is a framed user using PPP to establish the connection.
The Stop record in this example indicates that the session time for user Pbob was 7177 seconds, or 1 hour, 59 minutes, and 37 seconds. The Acct-Input-Octets and Acct-Output-Octets indicate that the incoming traffic for this session was 14994 bytes, and outgoing traffic was 90862 bytes.
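A script that processes a detail file the way the two examples above are read by hand, added here as an illustration rather than taken from Livingston's FTP site: it parses the date-line-plus-indented-attributes layout, recovers the real event time from Timestamp minus Acct-Delay-Time, pairs Start and Stop records by NAS-IP-Address plus Acct-Session-Id, drops retransmitted duplicates, and flags records the server tagged Request-Authenticator None or Unverified. The two "bob" records in the sample are the page's own first example; the abbreviated retransmitted Stop and the Unverified Start from a second PortMaster are constructed, as are the 60-second clock tolerance and the problem labels.

```python
import re

# Sample detail file. The two "bob" records are the page's first example in
# detail-file layout; the third (an abbreviated retransmission of the Stop) and
# the fourth (a Start that radiusd 2.0 tagged Unverified) are constructed.
DETAIL = """\
Tue Jul 30 14:48:18 1996
\tAcct-Session-Id = "35000004"
\tUser-Name = "bob"
\tNAS-IP-Address = 172.16.64.91
\tNAS-Port = 1
\tNAS-Port-Type = Async
\tAcct-Status-Type = Start
\tAcct-Authentic = RADIUS
\tService-Type = Login-User
\tLogin-Service = Telnet
\tLogin-IP-Host = 172.16.64.25
\tAcct-Delay-Time = 0
\tTimestamp = 838763298

Tue Jul 30 14:48:39 1996
\tAcct-Session-Id = "35000004"
\tUser-Name = "bob"
\tNAS-IP-Address = 172.16.64.91
\tNAS-Port = 1
\tNAS-Port-Type = Async
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 21
\tAcct-Authentic = RADIUS
\tAcct-Input-Octets = 22
\tAcct-Output-Octets = 187
\tAcct-Terminate-Cause = Host-Request
\tService-Type = Login-User
\tLogin-Service = Telnet
\tLogin-IP-Host = 172.16.64.25
\tAcct-Delay-Time = 0
\tTimestamp = 838763319

Tue Jul 30 14:48:44 1996
\tAcct-Session-Id = "35000004"
\tNAS-IP-Address = 172.16.64.91
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 21
\tAcct-Delay-Time = 5
\tTimestamp = 838763324

Tue Jul 30 14:50:01 1996
\tAcct-Session-Id = "0A000001"
\tUser-Name = "mallory"
\tNAS-IP-Address = 172.16.64.99
\tAcct-Status-Type = Start
\tRequest-Authenticator = Unverified
\tTimestamp = 838763401
"""

ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*\S)")

def parse_detail(text):
    """One dict per record: an unindented date line opens a record and indented
    Name = value lines fill it. Quoted strings are unquoted, integers become int."""
    records, rec = [], None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m and rec is not None:
            name, raw = m.groups()
            if raw[:1] == raw[-1:] == '"':
                rec[name] = raw[1:-1]
            else:
                rec[name] = int(raw) if raw.lstrip("-").isdigit() else raw
        elif line.strip():
            rec = {"_date": line.strip()}
            records.append(rec)
    return records

def sessionize(records):
    """Pair Start and Stop records into sessions; return (sessions, problems).
    The key includes NAS-IP-Address because Acct-Session-Id is unique only per
    PortMaster. Records tagged Request-Authenticator None/Unverified are flagged
    untrusted: anyone who can reach UDP port 1646 could have sent them."""
    sessions, problems, seen, open_starts = [], [], set(), {}
    for r in records:
        sid, kind = (r.get("NAS-IP-Address"), r.get("Acct-Session-Id")), r.get("Acct-Status-Type")
        if (sid, kind) in seen:                    # retransmission logged twice
            problems.append(("duplicate", sid, kind))
            continue
        seen.add((sid, kind))
        if r.get("Request-Authenticator") in ("None", "Unverified"):
            problems.append(("untrusted", sid, kind))
        event = r["Timestamp"] - r.get("Acct-Delay-Time", 0)   # when it really happened
        if kind == "Start":
            open_starts[sid] = event
        elif kind == "Stop":
            started = open_starts.pop(sid, None)
            sessions.append({"user": r.get("User-Name"), "nas": sid[0], "session_id": sid[1],
                             "port": r.get("NAS-Port"), "started": started, "stopped": event,
                             "seconds": r.get("Acct-Session-Time"), "cause": r.get("Acct-Terminate-Cause"),
                             "in_octets": r.get("Acct-Input-Octets"), "out_octets": r.get("Acct-Output-Octets")})
            if started is None:
                problems.append(("stop-without-start", sid, kind))
            elif abs((event - started) - r.get("Acct-Session-Time", 0)) > 60:
                problems.append(("clock-mismatch", sid, kind))   # NAS and server clocks disagree
    problems += [("start-without-stop", sid, "Start") for sid in open_starts]
    return sessions, problems
```

Run against the sample, sessionize returns one complete session for bob (21 seconds, 22 bytes in, 187 out, Host-Request) and three problems: the duplicate Stop, the untrusted Start from 172.16.64.99, and that same Start still open with no Stop. The clock-mismatch check compares the two corrected event times against Acct-Session-Time; a large gap means the PortMaster and accounting host clocks disagree, which matters when the detail file is used as evidence of who was on a port when.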
Note - Examples of PERL scripts to process the RADIUS accounting logs are available at Livingston's FTP site at ftp://ftp.livingston.com/pub/le/radius/.